InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court preliminarily approves $3.7 million data breach settlement
On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.
Ex-NFL players no longer part of CFPB, New York suit on high-cost loans
On June 27, the CFPB and New York attorney general filed an amended complaint in the U.S. District Court for the Southern District of New York, removing references to a New Jersey-based finance company’s arrangements with seven former NFL players in an action concerning whether the company and its affiliates (collectively, “defendants”) mischaracterized high-cost loans as assignments of future payment rights. As previously covered by InfoBytes, the agencies filed a lawsuit in 2017 claiming, among other things, that the defendants misled World Trade Center attack first responders and professional football players in selling expensive advances on benefits to which they were entitled and mischaracterized extensions of credit as assignments of future payment rights, thereby misleading their victims into repaying far more than they received. Specifically, the initial filing in 2017 alleges that the defendants (i) used “confusing contracts” to prevent the individuals from understanding the terms and costs of the transactions; (ii) lied to the individuals by telling them the companies could secure their payouts more quickly; (iii) misrepresented how quickly they would receive payments from the companies, and (iv) collected interest at an illegal rate. The amended complaint removes all references to defendants’ arrangements with the ex-NFL players, but maintains claims related to financing deals signed with first responders to the World Trade Center attack.
The court issued an order on June 28 accepting the agencies’ unopposed motion to file the amended complaint to “remove references to NFL player consumers and to remove allegations in Count VIII” related to alleged violations of New York General Obligations Law § 13-101 concerning personal injury claims. No additional details on the reasons for the removals are provided.
The amended complaint follows a March order issued by the district court (covered by InfoBytes here) in which it ruled that the CFPB could proceed with its 2017 enforcement action. In 2020, the U.S. Court of Appeals for the Second Circuit vacated the district court’s 2018 order (covered by InfoBytes here), which had dismissed the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company. The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling.
Insurers consider biometric exclusions as privacy cases increase
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.
District Court says Massachusetts law will apply in choice-of-law privacy dispute
On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”
In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.
District Court approves $2.5 million settlement over prerecorded telemarketing messages
On June 24, the U.S. District Court for the Central District of California granted final approval of a $2.5 million class action settlement resolving claims that an auto dealer group and marketing director (collectively, “defendants”) violated the TCPA by sending “prerecorded telemarketing messages” to consumers’ cell phones without receiving consumers’ express written consent. According to the second amended complaint, the plaintiff sued the defendants after he allegedly received unsolicited prerecorded text messages advertising one of the auto group’s dealerships. Under the terms of the agreement, class members (comprised of consumers who were sent prerecorded messages from the defendants, auto dealerships managed by the defendant, or anyone acting on the defendant’s behalf, including employees, agents, third-party contractors, and sub-contractors) will receive a portion of the $2.5 million settlement. The settlement amount also provides for up to $625,700 in attorneys’ fees, nearly $12,600 for costs, and $125,000 for the settlement administrator. The class representative will be given a $5,000 service award. Additionally, the defendants and dealerships are required to “adopt policies and procedures regarding compliance with the TCPA and the National Do Not Call Registry.”
District Court gives final approval in TCPA class action settlement
On June 24, the U.S. District Court for the Eastern District of New York granted final approval of a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA in connection with calls made to cell phones. As previously covered by InfoBytes, the plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The settlement establishes a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement will additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.
District Court grants summary judgment for debt collector over dunning emails
On June 23, the U.S. District Court for the Northern District of Illinois granted a defendant’s motion for summary judgment, ruling that dunning emails sent to collect unpaid credit card debt did not violate the FDCPA. The plaintiff received an email from the defendant stating that it was attempting to collect the debt on behalf of the creditor, and that due to the age of her debt, the creditor could not sue her for it. While the email stated that “making a payment on a time-barred debt has the potential to restart the statute of limitations for suit on the debt,” it went on to say that it was the creditor’s policy “never to file suit on a debt after the original statute of limitations has expired” and that it never sells such debt. A few days later, the defendant sent the plaintiff an email attempting to collect a separate debt owed to a different creditor. The plaintiff’s attorney sent a letter informing the defendant that she represented plaintiff and requested that plaintiff not be contacted again. After the plaintiff received a third email from the defendant, she sued alleging the defendant violated Section 1692e by urging her to pay a debt without disclosing that the defendant could not sue or report the debt. She further alleged that the defendant violated the FDCPA by continuing to send communications even after the defendant knew she was represented by an attorney. The plaintiff argued that she suffered an injury—and had standing—because she refrained from making purchases and because the defendant had wasted her time.
The court disagreed, writing that the plaintiff failed to put forth evidence demonstrating some form of financial harm in order to have Article III standing. The court observed that “[o]ne does not suffer a monetary injury by refraining from making a purchase; one still has her money if she refrains from making a purchase. Paying too much for an item constitutes an economic injury but refraining from paying for an item does not. At best, plaintiff’s action might have left her with a feeling of want or desire, but such feelings are not concrete injuries.” Moreover, “[e]ven if plaintiff could be thought to have suffered an injury, her decision to refrain from any particular purchase is not fairly traceable to defendant,” the court wrote. And though the court found standing on her claim related to defendant’s continued contact, the court held that “Section 1692c(a)(2) applies only where the debt collector knows the consumer is represented by an attorney with respect to the specific debt being collected.” The defendant needed to be informed that the attorney was representing the plaintiff on both creditors’ debts for the third email to be a violation of the FDCPA, the court concluded.
District Court grants defendant’s judgment in FDCPA suit over dispute response
On June 21, the U.S. District Court for the Western District of North Carolina granted a defendant’s motion for judgment on the pleadings in an FDCPA case concerning dispute responses over a debt. According to the order, the defendants—who represented a bank—sent a letter to the plaintiff attempting to collect an unpaid credit card debt. The letter included information about the creditor, the outstanding balance, and a validation notice. The plaintiff disputed the debt and requested validation of charges, payments, and credits on the account. The defendants responded with another letter, providing information about the original creditor and the balance of the unpaid debt. The plaintiff then sent another letter to the defendants requesting the original account agreement, all original account level documentation, and a “wet ink signature of the contractual obligation.” The defendants filed a collection suit against the plaintiff. The plaintiff filed suit in response, alleging the collection lawsuit violated the FDCPA and North Carolina state law because it “unjustly” condemned and vilified plaintiff for his non-payment of the alleged debt.
The court found that the “[p]laintiff’s allegations misconstrue the obligations of the debt collector in verifying the debt.” The court also noted that the FDCPA did not require the defendants provide “account level documentation,” stating that “[v]erification only requires a showing that the amount demanded ‘is what the creditor is claiming is owed,’ not conclusive proof of the debt.”
District Court approves $1.4 million FCRA settlement
On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.
5th Circuit remands nonjudicial foreclosure suit back to state court
On June 16, the U.S. Court of Appeals for the Fifth Circuit held that a plaintiff borrower’s requested damages in a foreclosure lawsuit did not exceed the federal jurisdictional threshold amount of $75,000, and sent the case back to Texas state court. The plaintiff sued the financial institution in state court after it sought a nonjudicial foreclosure on his house, asserting violations of the Texas Debt Collection Act, breach of the common-law duty of cooperation, fraud, and negligent misrepresentation. The suit was removed to the U.S. District Court for the Northern District of Texas, with the defendant arguing that the suit automatically stayed its nonjudicial foreclosure sale, thus putting the value of the house ($427,662) as the amount in dispute, instead of the plaintiff’s requested relief of $74,500. The plaintiff moved to remand the case to state court on the premise “that the amount in controversy could not exceed the stipulated maximum of $74,500.” The district court denied the plaintiff’s motion, ruling that it “had to measure the amount in controversy ‘by the value of the object of the litigation,’” and not by what the plaintiff’s complaint says the damages were not to exceed.
In reversing and remanding the case to state court, the 5th Circuit concluded that, because the defendant did not show that the automatic stay brought the house’s value into controversy, it “failed to establish by a preponderance of the evidence that the amount in controversy exceeded $75,000.” The appellate court agreed with the plaintiff’s assertion that the house was simply collateral and “thus irrelevant to the amount in controversy,” writing that “[i]t is well-settled that neither the collateral effect of a suit nor the collateral effect of a judgment may count toward the amount in controversy.” The 5th Circuit also determined that the plaintiff expressly stipulated in both his original state-court petition and in a declaration “that he is seeking total damages not to exceed $74,500,” and that this stipulation is legally binding.