InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

  • DOJ resolves SCRA violations with credit union

    Federal Issues

    On March 11, the DOJ announced a settlement with a credit union resolving allegations that the credit union violated the Servicemembers Civil Relief Act (SCRA) by charging excessive interest on servicemembers’ loans and repossessing servicemembers’ cars without first obtaining a court order. According to the DOJ’s complaint, which was filed concurrently with the proposed settlement, the credit union allegedly charged interest exceeding 6 percent to 21 servicemembers who qualified for SCRA interest rate benefits. Under the SCRA, creditors are required to reduce the interest rate on retail installment sales contracts to 6 percent in certain circumstances. However, the DOJ asserted that in at least one instance, a servicemember was told that “reducing the interest rate would increase her monthly payment.” The DOJ also alleged that the credit union repossessed three servicemembers’ vehicles without court orders, including one instance where the vehicle was repossessed from a military base.

    The consent order, which is pending court approval, requires the credit union to pay nearly $70,000 to the affected servicemembers, along with a $40,000 civil penalty. The credit union is also, among other things, prohibited from (i) charging an interest rate exceeding 6 percent during a period of military service; (ii) reamortizing any retail installment sales contracts connected to a request for SCRA interest rate benefits; (iii) “failing or refusing to credit early alert periods of military service when applying such benefits”; and (iv) repossessing SCRA-protected servicemembers’ vehicles without first obtaining a court order or valid SCRA waiver. The settlement also requires the credit union to review and update its SCRA policies and procedures to prevent future violations and to provide SCRA compliance training to its employees.

    Federal Issues DOJ SCRA Servicemembers Enforcement Auto Finance Settlement Consumer Finance

  • FTC fines payment processor $2.3 million for helping online discount clubs bilk consumers

    Federal Issues

    On March 10, the FTC reached a settlement with a payment processing company and two senior officers (collectively, “defendants”) whereby the company would pay $2.3 million in restitution for their role in allegedly helping the operators of a group of marketing entities enroll consumers into online discount clubs and debit more than $40 million from consumers’ bank accounts for membership without their authorization. As previously covered by InfoBytes, the FTC’s 2017 complaint alleged that the online discount clubs claimed to offer services to consumers in need of payday, cash advance, or installment loans, but instead enrolled consumers in a coupon service that charged initial fees ranging from $49.89 to $99.49, as well as monthly recurring fees of up to $19.95. However, the FTC’s complaint stated that “99.5 percent of the consumers being illegally charged for the ‘discount clubs’ never accessed any coupons, and that tens of thousands called the defendants to try and cancel the charges, while thousands more disputed the charges directly with their banks.” The FTC accused the defendants of providing “substantial assistance or support” in the way of payment processing services while “knowing or consciously avoiding knowing” that the actions being supported were in violation of the Telemarketing Sales Rule (TSR). The FTC further detailed how defendants ignored several indications of fraudulent activity, including the consistently high return rates generated by the discount club transactions and that a primary client of their services had already been the subject of previous FTC enforcement actions for engaging in similar conduct.

    Under the terms of the settlement, which is pending court approval, the defendants are banned from, among other things, (i) processing remotely created payment orders; (ii) processing payments on behalf of clients whose business involves outbound telemarketing, discount clubs, or offers to help consumers with payday loans; (iii) processing payments on behalf of any client that the defendants know or should know is engaging in deceptive or unfair acts or practices or violating the TSR; and (iv) processing payments for any existing or prospective clients without first conducting a reasonable screening to ensure clients are not violating federal law.

    Federal Issues FTC Enforcement Payment Processors TSR FTC Act Consumer Finance Settlement

  • District Court preliminarily approves $4.75 million data breach settlement

    Courts

    On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally certified a nationwide settlement class and a California settlement subclass. According to the memorandum in support of the plaintiffs’ motion for preliminary approval of the settlement, plaintiffs claimed the company acted negligently by failing to implement reasonable safeguards for protecting customers’ personally identifiable information and preventing a 2021 data breach, which exposed their sensitive, protected health information. The plaintiffs also alleged that the company breached California privacy and consumer protection laws. If the settlement is granted final approval, the company will be required to create a $4.75 million settlement, and “develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality” of customers’ personal data. The company may also be responsible for a portion of attorneys’ fees, costs, and service awards.

    Courts Data Breach Privacy/Cyber Risk & Data Security Settlement State Issues California Texas

  • 11th Circuit affirms $7.5 million settlement on overdraft appeal

    Courts

    On February 16, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s class certification and approval of a $7.5 million settlement, which resolved allegations that, after merging with another national bank, the former bank (defendant) improperly assessed and collected overdraft fees. According to the opinion, a customer accused the bank of “high-to-low” posting that restructured customers’ debit transactions so that high value debits posted before low value ones, increasing the chance of overdrafts. After the defendant merged with the national bank in 2012, the national bank agreed to the $7.5 million settlement to resolve the claims. A class member (interested party-appellant) appealed the order. The interested party-appellant claimed “that the court abused its discretion by finding that the settlement class’s representative … adequately represented her (and her proposed subclass’s) interests and that the settlement class’s claims were typical of hers (and her proposed subclass’s).”

    The 11th Circuit disagreed and found that the district court did not abuse its discretion because the plaintiff classes “suffered identical injuries” based on the defendant’s alleged high-to-low restructuring practices. Additionally, the appellate court found that “[t]he district court didn’t abuse its discretion by finding [the settlement class’s representative’s] claims were typical of those of the class.” The court also found that “[t]he district court could reasonably conclude that any difference in the value of the plaintiffs’ claims was too speculative or too small to create a fundamental conflict of interest.”

    Courts Appellate Eleventh Circuit Overdraft Class Action Settlement

  • CFTC orders unregistered respondents to pay $2.6 million for fraudulent solicitations

    Securities

    On February 23, the CFTC announced a $2.6 million settlement with a North Carolina-based company and its president for allegedly acting as unregistered commodity trading advisors and commodity pool operators, and for advertising without making required disclosures. Among other things, the respondents allegedly engaged in binary options solicitation and trading fraud through the operation of two webpages and related social media channels. According to the CFTC, the respondents made numerous false statements to solicit business, which claimed that traders could choose from the company owner’s winning strategies to earn significant profits. However, the CFTC stated that the owner was not actually a successful trader and had an overall losing trading record. Additionally, the respondents distributed client testimonials and training videos without providing disclosures required under CFTC regulations. As a result, ten participants lost roughly $410,000 in a managed account trading pool, while approximately 1,600 customers lost at least $945,000 through fraudulent solicitations for binary options signals, trainings, and strategy course offerings. While the respondents did not admit or deny any of the allegations, they agreed to pay $409,965 in restitution, $896,673 in disgorgement, and a $1,306,638 civil monetary penalty. Additionally, the respondents must cease and desist from any further violations of the Commodity Exchange Act or CFTC regulations. The order also permanently bans the respondents from trading on, or trading subject to, the rules of any CFTC-registered entity, and from engaging in any activities requiring CFTC registration. Respondents are also prohibited from, directly or indirectly, entering into any transactions involving commodity interests.

    Securities CFTC Enforcement Commodity Exchange Act Settlement

  • District Court approves $14.8 million cloud subscription settlement

    Privacy, Cyber Risk & Data Security

    On August 4, the U.S. District Court for the Northern District of California approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the company breached its agreement with customers by hosting user data on third-party servers without providing proper notice, which resulted in overcharges. The plaintiffs alleged that the “selection of a cloud storage provider is a significant and material consideration as it involves entrusting all of a user’s stored data—including sensitive information like photographs, documents of all kinds, and e-mail content—to be stored by the cloud storage provider,” and that “users have an interest in who is offering this storage and taking custody of their data.” Plaintiffs claimed that, while the company assured users that it was the provider of the purchased cloud storage service, it was actually reselling cloud storage space on other third parties’ cloud facilities and charging users a “premium” for believing their data was being stored by the company. Approximately 16.9 million class members will receive individual settlement payments based on the overall payments made by each user for his or her cloud subscription during the class period. In granting final approval of the settlement, the court noted that the deal is fair, reasonable, and adequate.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action

  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • District Court approves settlement of class claiming privacy violations

    Courts

    On February 11, the U.S. District Court for the Central District of California granted approval of a $217 million class action settlement, resolving allegations that the Transportation Corridor Agencies (TCA) and their contractors (collectively, “defendants”) repeatedly used their access to drivers’ personal information to share data. According to the plaintiffs’ motion for final approval of the settlement, the defendants allegedly provided toll violation information to the California Department of Motor Vehicles so the agency could prevent drivers’ vehicle registration renewals until the outstanding tolls were paid, in violation of California law. According to the settlement, the TCA is required to forgive $135 million in penalties and pay $29 million in cash awards. Each class representative will receive $15,000 from TCA, and class counsel will receive $17.5 million. Among other things, TCA must also increase the time to pay unpaid toll citations from five to seven days and update its privacy policies to include a list of the categories of personal identifying information sent to third parties. The toll operator is required to pay $11.95 million in cash to class members as part of the settlement, in addition to $3,000 to each class representative and $3 million to class counsel. Additionally, Orange County Transportation Authorities are required to forgive $40 million in penalties and pay $1 million in cash and will be required to reduce the maximum toll violation.

    Courts Privacy/Cyber Risk & Data Security California Class Action Settlement

  • SEC, states reach $100 million settlement over crypto lending product

    Securities

    On February 14, the SEC and state regulators reached a $100 million settlement with a New Jersey-based financial services company in parallel actions to resolve allegations that the company failed to register the offers and sales of its retail credit lending product—marking the SEC’s “first-of-its-kind action” taken with respect to crypto lending platforms. According to the SEC, the company offered a product whereby retail investors lent crypto assets to the company “in exchange for the company’s promise to provide a variable monthly interest payment.” Among other things, the SEC found that because the company’s product is a security under applicable law, the company was required to register its offers and sales of the product or qualify for an exemption—both of which the company failed to do. The company also allegedly violated the Securities Act by making misleading statements on its website concerning its collateral practices and the level of risk in its loan portfolio and lending activity. Additionally, the company allegedly violated the Investment Company Act by engaging in interstate commerce while failing to register as an investment company with the SEC. While the company neither admitted nor denied the findings, it agreed to pay $50 million to the SEC and another $50 million to 32 states to settle similar charges. The company also agreed to cease engaging in unregistered offers and sales of its product, and will stop offering or selling its product in the U.S. Additionally, the company’s parent company stated its intention to register the offer and sale of a new lending product under the Securities Act.

    Securities Digital Assets Enforcement Cryptocurrency Settlement State Issues State Regulators Investment Company Act Securities Act Fintech SEC
