InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
D.C. reaches $2.54 million settlement with online delivery company
On August 17, the Superior Court of the District of Columbia issued a consent order and judgment against an online delivery company resolving claims that it charged consumers millions of dollars in deceptive service fees. According to a press release issued by the D.C. AG, from 2016 until 2018, the company allegedly misled consumers into believing that service fees charged on their orders were tips that went to delivery workers. Instead, these fees went to the company to subsidize operating expenses. Without admitting any wrongdoing, the company agreed to pay $1.8 million to the district to go towards restitution and cover litigation costs. The company also agreed it will not seek refunds of $739,057 in previously disputed sales tax payments and will collect and remit sales tax on the total amount of the sales price it charges consumers going forward. Additionally, the company will cease making any misrepresentations about the nature of fees on consumer orders.
District Court approves $84 million payment processing settlement
On August 17, the U.S. District Court for the District of Nebraska granted final approval of an $84 million class action settlement resolving allegations that a payment processing company’s billing practices overcharged merchants. Class members retained the company to process credit card payments and claimed that the company allegedly charged fees that did not align with the terms of their contracts. Class members accused the company of Racketeer Influenced and Corrupt Organizations Act violations, breach of contract, and fraudulent concealment related to allegations that the company assessed noncompliance fees, increased contractual credit card discount rates, and shifted credit card transactions from lower-cost rate tiers to higher-cost rate tiers. Under the terms of the settlement, the company will pay up to $84 million into a settlement fund, which will provide cash benefits to class members and cover administrative costs, attorney fees, and other expenses.
District Court grants final approval of data breach settlement
On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.
District Court grants final approval to forgive $6 billion in student loans
On November 15, the U.S. District Court for the Northern District of California granted final approval to a class action settlement to forgive certain federal student loan borrower debt. According to the motion for preliminary approval, the plaintiffs are federal student loan borrowers who filed borrower defense (BD) applications with the Department of Education, requesting that the Department discharge their federal student loans because of misconduct committed by their schools. They brought the case to challenge the Department’s delay in making decisions on BD applications. The motion noted that the plaintiffs alleged, “the Department’s inaction was due to a deliberate and uniform policy abandoning BD decision making, a choice that caused a mounting backlog.” In a supplemental complaint filed after discovery, plaintiffs further alleged that the Department “adopted an unlawful policy that presumptively denied BD applications regardless of their merit, and then, pursuant to this policy, sent tens of thousands of legally insufficient denial notices (the ‘Form Denial Notices’) to borrowers, including some of the Named Plaintiffs.” The class consists of approximately 264,000 people who have a BD application pending as of June 22, 2022. The “automatic relief group” consists of applicants who attended one of more than 150 colleges for which the Department found common evidence of institutional misconduct. The motion also noted “it has determined that every class member whose relevant loan debt is associated with those schools should be provided presumptive relief under the settlement due to strong indicia regarding substantial misconduct by the listed schools, whether credibly alleged or in some instances proven, and the high rate of class members with applications related to the listed schools.” Under the terms of the settlement, $6 billion in loans will be canceled for the borrowers.
OFAC sanctions Iranian petrochemical network
On August 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13846 against companies used by one of Iran’s largest petrochemical brokers to facilitate the sale of Iranian petroleum and petrochemical products from Iran to East Asia. The designations follow OFAC sanctions announced on July 6 against a network of individuals and entities for facilitating the delivery and sale of hundreds of millions of dollars’ worth of Iranian petroleum and petrochemical products from Iranian companies to East Asia through a web of Gulf-based front companies (covered by InfoBytes here). As a result of the sanctions, all property and interests in property of the sanctioned persons subject to U.S. jurisdiction, as well as any entities owned 50 percent or more by such persons, are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from entering into transactions with the sanctioned persons. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction for any of the individuals or entities designated today could be subject to U.S. sanctions.”
State AGs announce settlement to resolve alleged data security breach
On July 26, a coalition of state attorneys general, co-led by the New Jersey AG and Pennsylvania AG, announced a settlement with a Pennsylvania-based convenience store chain related to an alleged data breach that compromised payment cards of consumers. According to the Assurance of Voluntary Compliance, the company experienced a breach of security between April 2019 and December 2019 that exposed consumer payment card data, including customers’ card numbers, expiration dates and cardholder names in New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia, as well as Washington, D.C. The AGs alleged that the company “failed to employ reasonable data security measures,” in violation of the states’ Consumer Protection Acts and Personal Information Protection Acts. Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay an $8 million fine, of which New Jersey is to receive approximately $2.5 million. The settlement also requires the company to strengthen its network protections and take measures to better protect consumer payment data.
Court grants final approval of privacy class action settlement
On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. As previously covered by InfoBytes, the district court granted preliminary approval of the $58 million settlement in November. In granting final approval of the settlement, the court determined it was adequate, and noted that the plaintiffs’ claim that the defendant’s practices breached California’s anti-phishing law was “relatively untested.” In addition to the $58 million settlement fund, the settlement provides for injunctive relief.
OFAC settles with bank for alleged Foreign Narcotics Kingpin Sanctions Regulations violations
On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $430,500 settlement with a subsidiary of a national bank for allegedly processing transactions in violation of the Foreign Narcotics Kingpin Sanctions Regulations. According to OFAC’s web notice, between May 2018 and July 2018, the bank allegedly processed 214 transactions totaling $155,189, in violation of OFAC’s Kingpin sanctions. Specifically, OFAC noted that the processed transactions were for an account whose supplemental card holder was designated in connection with illegal drug distribution and money laundering.
In arriving at the settlement amount of $430,500, OFAC considered various aggravating factors, including that the bank “is a large and sophisticated financial institution with a global presence,” and “conferred $155,189.42 in economic benefit to an account associated with a [person] who was designated for involvement in illegal drug distribution and money laundering.” OFAC also considered various mitigating factors, including that the bank cooperated with OFAC throughout the investigation, and has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
District Court approves contact tracing suit settlement
On October 31, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for attorneys' fees, expenses, and service awards related to a class action settlement alleging that an internet platform (defendant) violated the California Confidentiality of Medical Information Act, as well as other state laws through its “contact tracing” system that operated on consumers’ mobile devices. According to the motion, the defendant co-designed a digital contact tracing system to combat the spread of COVID-19 on mobile devices using the defendant’s mobile device operating system. The plaintiffs alleged that the defendant unlawfully exposed confidential medical information and personally identifying information through this system. Furthermore, the plaintiffs alleged that the defendant's system was "fundamentally flawed in its design and implementation" because it left users’ private medical and personally identifying information unprotected on mobile device “system logs” to which the defendant and third parties had routine access. Under the terms of the settlement, class counsel will receive approximately $1.95 million in attorneys’ fees and $56,457.44 in expenses. Additionally, the defendant must pay service awards to class representatives.
District Court preliminarily approves $3.7 million data breach settlement
On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.