Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court preliminarily approves $3.7 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • FTC finalizes action against e-commerce platform for data breach cover up

    Federal Issues

    On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.

    Federal Issues Privacy/Cyber Risk & Data Security FTC Enforcement Data Breach FTC Act Deceptive UDAP

  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

  • District Court grants preliminary approval of class action settlement in data breach case

    Courts

    On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • District Court approves data breach settlement

    Courts

    On June 8, the U.S. District Court for the Southern District of New York granted a plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards that led to a data breach. According to the opinion, the plaintiff alleged that a syndicate accessed cardholder information and sold it on the so-called dark web. The plaintiffs also claimed that the breach caused them to spend time monitoring their accounts, safeguarding account information, and, for some plaintiffs, resolving fraudulent charges and withdrawals. The settlement provides for two different levels of payments to affected consumers. Tier 1 claimants, who must provide proof of a payment transaction during the period of the breach and confirm that they spent time monitoring account information after the breach, will receive $30. Tier 2 claimants will be reimbursed for documented out-of-pocket expenses incurred as a result of the breach, such as costs and expenses related to identity theft or fraud, late fees, and unauthorized charges and withdrawals, in an amount not to exceed $5,000. The total amount to be paid to class members is approximately $278,000.

    Courts Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Settlement Class Action

  • District Court granted final approval of a $63 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 7, the U.S. District Court for the District of Columbia granted final approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards that led to a data breach. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, a data breach occurred in June 2015 that compromised financial records, Social Security numbers, and other personal information of anyone who underwent a background check at the agency since 2000. The agency allegedly controlled numerous electronic systems without valid authorizations, failed to implement multi-factor authentication for accessing systems, failed to patch, segment, and continuously monitor systems, and failed to implement centralized data security protocols. According to the plaintiff’s motion, the settlement (if granted final approval) would require the U.S. government to pay $60 million of the settlement fund and the contractor to pay $3 million. The settlement agreement provides that “[e]ach valid claim will be paid at $700, except that if the actual amount of documented loss exceeds $700, the claim will be paid in that amount, up to $10,000.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • District Court: Company must face data breach claims

    Courts

    On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short of time causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.

    Courts State Issues California Privacy/Cyber Risk & Data Security Class Action Data Breach

  • FTC addresses importance of effective incident response and breach disclosure

    Privacy, Cyber Risk & Data Security

    On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (vi) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC FTC Act Data Breach Consumer Protection

  • Defendants to pay $5.7 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant is required to pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant is required to pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach Settlement

Pages

Upcoming Events