InfoBytes Blog

Financial Services Law Insights and Observations


  • Illinois Appeals Court vacates $4.3 million FACTA class action settlement

    Courts

    On September 6, the Illinois Appellate Court, 5th District, vacated a circuit court’s $4.3 million settlement in a class action brought against a merchant for allegedly violating the Fair and Accurate Credit Transactions Act (FACTA) when it printed the first six and last four digits of customers’ 16-digit credit card account numbers on receipts. The appeals court held, among other things, that the “record is devoid of facts that would have permitted a reasoned judgment that the class settlement was fair, reasonable and in the best interests of all affected.” Under FACTA, merchants are prohibited from including on a receipt more than the last five digits of a consumer’s credit card number, and a credit card’s expiration date. A class action suit claiming the merchant violated the restriction was originally filed in New York federal court, but the preliminarily approved settlement was later dismissed after objectors argued that the plaintiffs lacked standing. The named plaintiff requested dismissal of the federal action and immediately afterward filed suit in Illinois state court, asking the court to adopt a settlement agreement identical to the one that had been preliminarily approved by the federal court. The objector appealed once again, challenging, among other things, (i) the named plaintiff’s ability to adequately represent the settlement class; (ii) the original class notice, which she argued was insufficient to cover the state court settlement; and (iii) the “fairness, reasonableness, and adequacy of the ‘coupon settlement,’” in which class members received $12 merchant gift cards, while the named plaintiff received $4,000 and class counsel was awarded $500,000.

    On appeal, the appeals court disagreed with the objector’s contention that the named plaintiff lacked standing to represent the class because he kept his receipt and therefore had not been injured under FACTA, but found “a number of red flags” regarding the sub-class of more than 350,000 members of the merchant’s loyalty program, questioning whether the named plaintiff was an adequate representative for those class members since there was nothing in the record indicating whether he was a member of the program. Moreover, the appeals court agreed with the objector that the original class notice provided under the federal settlement did not sufficiently protect the due process rights of the settlement class, and that “due process requires the giving of notice anew of the pending state court settlement to absent class members so that they have the opportunity to protect their own interests.” The appeals court remanded the case to allow the trial court to more carefully scrutinize the terms of the settlement, stating that “we are unable to determine whether the trial court evaluated the merits of the cause of action, the prospects and problems of litigating the cause or the fairness of the terms of compromise.” The appeals court also ordered the trial court to further explain its findings that the $500,000 attorneys’ fee award and $4,000 lead plaintiff award are reasonable given the possibility that not every class member will use the coupon.

    Courts State Issues FACTA Credit Cards Privacy/Cyber Risk & Data Security Class Action

  • District Court allows majority of privacy invasion class action claims to proceed against social media company

    Courts

    On September 9, the U.S. District Court for the Northern District of California granted in part and denied in part a social media company’s motion to dismiss a multidistrict class action alleging the company failed to prevent third parties from accessing and misusing private data of its users, in violation of the Stored Communications Act (SCA), the Video Privacy Protection Act (VPPA), and various state laws. In the consolidated action, the plaintiffs allege that the company (i) made sensitive user information—including basic facts such as gender, age, and address; and substantive content such as photos, videos, and religious and political views—available to third parties without user consent; and (ii) failed to prevent those same third parties from selling or otherwise misusing the information. The company moved to dismiss the action, arguing, among other things, that “people have no legitimate privacy interest in any information they make available to their friends on social media.”

    The district court disagreed, concluding that most of the plaintiffs’ claims should survive, and that the company “could not be more wrong” in its argument that its users lose all privacy interest in the information they share with their friends on social media. The court asserted that when a user shares information with a limited audience, they “retain privacy rights and can sue someone for violating them.” The court also rejected the company’s argument that the plaintiffs did not have standing to sue in federal court because they could not show “tangible negative consequences from the dissemination of [the] information.” The court noted that privacy invasion is a redressable injury in itself and does not need a secondary economic injury to confer standing. Additionally, while the court recognized that the company’s argument that the users consented to this practice has “some legal force,” it cannot “defeat the lawsuit entirely, at least at the pleading stage.” Therefore, the court denied the motion as to the VPPA and narrowed certain claims under the SCA and California state laws, mostly with regard to claims on behalf of users who signed up for the service after 2009, who purportedly authorized the company to share information through their friends with app developers.

    Courts Privacy/Cyber Risk & Data Security Class Action State Issues Standing

  • FTC approves settlement with software provider over FTC Act and GLBA data security failures

    Federal Issues

    On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.

    As previously covered by InfoBytes, the FTC alleged in its complaint that the company failed to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, and that these failures resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.

    Federal Issues FTC Privacy/Cyber Risk & Data Security FTC Act Enforcement Settlement Consent Order Gramm-Leach-Bliley

  • Video-sharing site reaches $170 million settlement with FTC and New York AG

    Federal Issues

    On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.

    Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.

    While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”

    Federal Issues FTC State Attorney General Enforcement Privacy/Cyber Risk & Data Security COPPA

  • FFIEC urges standardized cybersecurity approach

    Agency Rule-Making & Guidance

    On August 28, the FFIEC issued a press release emphasizing the benefits of implementing a standardized cybersecurity preparedness approach. The FFIEC noted that firms who adopt a standardized approach are “better able to track their progress over time, and share information and best practices with other financial institutions and with regulators.” Highlighted are several standardized tools for financial institutions to use when assessing and improving their level of cybersecurity preparedness, including the FFIEC Cybersecurity Assessment Tool, the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework, and the Center for Internet Security Critical Security Controls.

    Agency Rule-Making & Guidance FFIEC Privacy/Cyber Risk & Data Security

  • Democratic members ask FSOC to deem cloud providers as "systemically important"

    Privacy, Cyber Risk & Data Security

    On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), where an alleged former employee of the bank’s cloud-based storage system gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud computing companies will continue to evade supervision.”

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards FSOC Congress

  • District Court: No negligent misrepresentation claims in smart-TV privacy suit

    Courts

    On August 20, the U.S. District Court for the District of New Jersey dismissed without prejudice a proposed class action alleging consumer fraud claims. Specifically, in 2017, the plaintiffs filed a complaint alleging that smart televisions manufactured by the defendants surreptitiously collected consumer data such as programs viewed and when they were viewed, along with certain identifying information including IP addresses and zip codes. This information, the plaintiffs contended, was sold to third parties who used the data to advertise to the same consumers, in violation of the (i) New Jersey Consumer Fraud Act (NJCFA); (ii) Florida's Deceptive and Unfair Trade Practices Act (FDUTPA); (iii) the Video Privacy Protection Act; (iv) the Wiretap Act; and (v) common law negligent misrepresentation. In response to the defendants’ motion to dismiss, the court held that the claims were pled with sufficient particularity under the Federal Rules of Civil Procedure to withstand a motion to dismiss, but dismissed the state consumer fraud claims, reasoning that the plaintiffs failed to adequately allege their damages. The court ruled that the FDUTPA and NJCFA claims failed because the plaintiffs had not alleged actual damages, rejecting plaintiffs’ assertions that the invasion of their privacy counted as damages because there was no out-of-pocket loss. Additionally, the court dismissed the plaintiffs’ federal Video Privacy Protection Act claim, reasoning that the information allegedly collected did not constitute personally identifiable information under 3rd Circuit precedent. By contrast, the court allowed the Wiretap Act allegations to proceed after determining the plaintiffs “adequately alleged that their ‘content’ was intercepted.” Finally, with respect to the common law negligent misrepresentation claim, the court agreed with the defendants that the plaintiffs failed to allege that a special relationship existed between the plaintiffs and the defendants that could support a negligent misrepresentation claim.

    Courts Class Action Privacy/Cyber Risk & Data Security

  • State AGs and VSPs to collaborate on robocalls

    Privacy, Cyber Risk & Data Security

    On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i) offer no-cost call-blocking technology, including easy-to-use call blocking and labeling tools; (ii) implement STIR/SHAKEN call authentication (as previously covered by InfoBytes, in June the FCC adopted a Notice of Proposed Rulemaking requiring voice providers to implement the caller ID authentication framework); (iii) analyze and monitor high-volume voice network traffic for robocall patterns; (iv) investigate suspicious calls and calling patterns and take appropriate action; (v) confirm identities of new commercial customers; (vi) require traceback cooperation in new and renegotiated contracts; (vii) provide for timely and comprehensive law enforcement efforts through cooperation in traceback investigations; and (viii) communicate with state attorneys general about recognized robocall scams and trends and potential solutions. AG Stein noted that the principles will also “make it easier for attorneys general to investigate and prosecute bad actors.”

    Privacy/Cyber Risk & Data Security State Attorney General Robocalls FCC

  • District Court approves final call-taping settlement

    Courts

    On August 21, the U.S. District Court for the Central District of California issued an order granting final approval of a settlement reached between a class of California consumers and a mortgage company. The approval of the settlement resolves allegations that the company contacted delinquent borrowers and had conversations involving personal and confidential financial information without first informing the consumers that the conversations would be recorded. The plaintiffs filed a complaint in 2015 alleging that the company violated sections of the California Penal Code that prohibit the intentional recording of conversations without obtaining the knowledge or consent of the other party. According to the plaintiffs, the company used scripts that instructed its agents to carry on discussions with consumers prior to providing the call recording advisory. Among other provisions, the settlement terms award $1.6 million in attorneys’ fees, approximately $25,046 in reimbursement of litigation expenses, service awards of $10,000 to each class representative, and up to $200,000 to the settlement claims administrator for its work in distributing settlement money to class members (the company is required to establish a settlement fund in the amount of $6.5 million).

    Courts Class Action Privacy/Cyber Risk & Data Security

  • CSBS launches online tools to navigate state rules

    State Issues

    On August 21, the Conference of State Bank Supervisors (CSBS) launched three online tools designed to help financial institutions navigate the state regulatory landscape and protect against cyber risks. The tools are: (i) a portal of state agency guidance for nonbank financial services companies; (ii) an interactive map of agent-of-the-payee exemptions, which identifies the states that do not require a money transmitter license for receiving a payment on behalf of a third party; and (iii) a cybersecurity 101 resource center for banks and nonbanks that features a guide to help financial institutions develop comprehensive cybersecurity programs. The tools were created as part of the CSBS Vision 2020, which is geared towards streamlining the state regulatory system to support business innovation and harmonize licensing and supervisory practices, while still protecting the rights of consumers.

    State Issues CSBS Vision 2020 Fintech Privacy/Cyber Risk & Data Security
