Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court preliminarily approves $3.7 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

  • District Court says Massachusetts law will apply in choice-of-law privacy dispute

    Privacy, Cyber Risk & Data Security

    On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”

    In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.

    Privacy/Cyber Risk & Data Security Courts State Issues Massachusetts South Carolina Class Action

  • District Court approves $2.5 million settlement over prerecorded telemarketing messages

    Courts

    On June 24, the U.S. District Court for the Central District of California granted final approval of a $2.5 million class action settlement resolving claims that an auto dealer group and marketing director (collectively, “defendants”) violated the TCPA by sending “prerecorded telemarketing messages” to consumers’ cell phones without receiving consumers’ express written consent. According to the second amended complaint, the plaintiff sued the defendants after he allegedly received unsolicited prerecorded text messages advertising one of the auto group’s dealerships. Under the terms of the agreement, class members (comprised of consumers who were sent prerecorded messages from the defendants, auto dealerships managed by the defendant, or anyone acting on the defendant’s behalf, including employees, agents, third-party contractors, and sub-contractors) will receive a portion of the $2.5 million settlement. The settlement amount also provides for up to $625,700 in attorneys’ fees, nearly $12,600 for costs, and $125,000 for the settlement administrator. The class representative will be given a $5,000 service award. Additionally, the defendants and dealerships are required to “adopt policies and procedures regarding compliance with the TCPA and the National Do Not Call Registry.”

    Courts Settlement TCPA Class Action

  • District Court gives final approval in TCPA class action settlement

    Courts

    On June 24, the U.S. District Court for the Eastern District of New York granted final approval of a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA in connection with calls made to cell phones. As previously covered by InfoBytes, the plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The settlement establishes a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement will additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.

    Courts Class Action Settlement Robocalls TCPA Consumer Finance

  • District Court approves $1.4 million FCRA settlement

    Courts

    On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.

    Courts Consumer Finance Credit Report FCRA Class Action Settlement State Issues California

  • District Court certifies class in website accessibility ADA suit

    Courts

    On June 10, the U.S. District Court for the Western District of Pennsylvania certified a putative class action against an online apparel company related to alleged violations of the Americans with Disabilities Act (ADA). The plaintiff claimed that he was unable to access the defendant’s website because the website did not facilitate access to customers using screen readers or other auxiliary aids. This lack of access made the website not fully accessible to individuals who are blind or visually impaired—a “violation of the effective communications and equal access requirements of Title III” of the ADA. The plaintiff sued, seeking to include a class of similarly situated blind and visually impaired individuals who use screen readers or other auxiliary aids to access the defendant’s website and/or mobile app. According to the plaintiff, the defendant failed to have in place adequate policies and practices to ensure its website was fully accessible, and that, although the defendant maintains a single brick-and-mortar location, most of its sales are digital. In certifying the class, the court determined, among other things, that the defendant’s “website and other digital properties affected all members of the class, and thus the class as a whole shares the same interest in obtaining the injunctive relief provided by the settlement—prospective changes to [defendant’s] digital properties.” The court also preliminarily approved the proposed class action settlement, which requires, among other things, that the defendant make several changes to its policies and procedures to ensure accessibility of its digital properties and to make sure it complies with the Web Content Accessibility Guidelines 2.1.

    Courts Americans with Disabilities Act Class Action Settlement

  • District Court grants preliminary approval of class action settlement in data breach case

    Courts

    On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • 3rd Circuit: Student loan servicer’s calling system is not an autodialer under the TCPA

    Courts

    On June 14, the U.S. Court of Appeals for the Third Circuit affirmed a district court’s ruling in favor of a defendant student loan servicer, holding that it is not enough for telecommunication equipment to be capable of using a random or sequential number generator to dial telephone numbers in order to meet the definition of an automatic telephone dialing system (autodialer). Instead, to constitute a violation of the TCPA, the telecommunication system must actually employ such random- or sequential-number generation when placing the actual call. The plaintiffs filed a putative class action complaint against the defendant alleging it used an autodialer to call class members’ cell phones without their prior express consent. The defendant countered that the TCPA claims fail because its calling system “lacked the capacity to generate random or sequential telephone numbers and then dial those numbers.” As such, it could not be an autodialer. The district court granted summary judgment in favor of the defendant, ruling that the defendant did not use an autodialer to place the calls at issue as the calling system did not have “the necessary present capacity to store or produce telephone numbers using a random or sequential number generator.”

    On appeal, the 3rd Circuit disagreed with the district court’s finding that the defendant’s telecommunication system was not an autodialer, noting that the district court used too narrow a definition of the term “equipment” and holding that “an [autodialer] may include several devices that when combined have the capacity to store or produce telephone numbers using a random or sequential number generator and to dial those numbers.” Thus, the 3rd Circuit held that the district court erred in accepting defendant’s argument that the defendant’s telephone system was not an autodialer because the defendant’s SQL Server (which was capable of generating random and sequential numbers) was independent of the defendant’s dialing system.

    Nonetheless, the 3rd Circuit affirmed the district court’s ruling on the basis that it did not matter whether the defendant’s calling system could be classified as an autodialer under the TCPA because the phone numbers were drawn from a contact list stored on the defendant’s SQL Server and not randomly generated. As such, the appellate court held that the plaintiffs’ claims fail because the defendant did not actually use random- or sequential-number generation when it placed the specific calls in question.

    While agreeing with the decision to affirm, one of the judges argued that the majority focused on the wrong question. “In my view, the fundamental question is: what is an [autodialer] under Section 227(a)(1)? I would hold that a dialing system must actually use a random or sequential number generator to store or produce numbers in order to qualify as an [autodialer] under § 227(a)(1),” the concurring judge wrote. “Because [defendant’s] dialing system did not do so, it is not an [autodialer], and [defendant] is entitled to summary judgment.”

    Courts Appellate Third Circuit TCPA Robocalls Class Action Autodialer

  • 9th Circuit to rehear en banc whether tribal lenders can arbitrate RICO claims

    Courts

    On June 6, a majority of nonrecused active judges on the U.S. Court of Appeals for the Ninth Circuit vacated a previously issued opinion that said tribal lenders could arbitrate Racketeer Influenced and Corrupt Organizations Act (RICO) class action claims, saying it will rehear the case en banc. As previously covered by InfoBytes, last September the 9th Circuit panel majority concluded that “an agreement delegating to an arbitrator the gateway question of whether the underlying arbitration agreement is enforceable must be upheld unless that specific delegation provision is itself unenforceable.” The panel reviewed whether California residents who received loans from an online lender were allowed to pursue class RICO claims based on allegations that they were charged interest rates exceeding state limits from lenders claiming tribal immunity. The district court granted class certification and ruled that the entire arbitration agreement, including provisions containing a class action waiver, was unenforceable. On appeal, the panel majority cited to the U.S. Supreme Court’s decision in Rent-A-Center, West, Inc. v. Jackson, which determined, among other things, that when a party challenges an entire agreement—not just an arbitration provision—deciding “gateway” issues such as enforceability must be delegated to an arbitrator. “[W]hen there is a clear delegation provision, that question is . . . for the arbitrator to decide so long as the delegation provision itself does not eliminate parties’ rights to purse their federal remedies,” the majority wrote. The dissenting judge held, however, that the panel majority “misunderstood the effect of the choice-of-law provisions in the agreements,” arguing that the provisions curtail an arbitrator’s authority by allowing application of “only tribal law and a small and irrelevant subset of federal law,” thus preventing an arbitrator “from applying the law necessary to determine whether the delegation provisions and the arbitration agreements are valid.” He further contended that the panel majority’s decision diverged from decisions reached by several sister circuits, which “have consistently condemned the arbitration agreements embedded in tribal internet payday loan agreements, including those used by the very same lenders as in this case.”

    Courts Appellate Ninth Circuit Class Action Arbitration Interest Rate Usury RICO Consumer Finance

  • Judges disagree that “psychological states” can never support standing under FDCPA

    Courts

    On June 8, a majority of judges on the U.S. Court of Appeals for the Seventh Circuit denied a plaintiff-appellee’s petition for rehearing en banc in a case concerning the collection of time-barred debt. In April, the 7th Circuit vacated a $350,000 jury award against a debt collector in an FDCPA action, holding that the plaintiff lacked Article III standing. The defendant sent the plaintiff a letter offering to resolve her defaulted credit card debt at a discount. The letter included a disclosure stating that “because of the age of the debt” it would not sue or report the debt to a credit agency and that payment or nonpayment would not affect her credit score. The plaintiff sued, claiming the letter “surprised and confused” her and was in violation of Sections 1692e(2), 1692e(10), and 1692f of the FDCPA. The district court certified a class and granted summary judgment in favor of the plaintiff “reasoning that the misleading nature of the letter risked real harm to the interests that Congress sought to protect with the FDCPA.” A jury awarded the class $350,000 in damages. On appeal, the panel disagreed, explaining that the plaintiff never made a payment as a result of receiving the letter, nor did she “promise to do so or otherwise act to her detriment in response to anything in or omitted from the letter.” Calling the defendant to dispute the debt and contacting an attorney for legal advice “are not legally cognizable harms” and not enough to provide the “basis for a lawsuit,” the court wrote, adding that “[p]sychological states induced by a debt collector’s letter” are not enough to establish standing.

    The majority of the 7th Circuit agreed with the panel’s ruling and voted not to hold an en banc rehearing. However, four judges dissented, arguing that the plaintiff’s claims “should easily satisfy” standing requirements established by the U.S. Supreme Court. “The emotional distress, confusion, and anxiety suffered by [plaintiff] in response to this zombie debt collection effort fit well within the harms that would be expected from many of the abusive practices,” the dissent said. “That’s true regardless of whether the debtor actually made a payment or took some other tangible action in response to them.” According to the dissent, the majority is “painting with too broad a brush” in finding that “[e]motional distress and other ‘psychological states’ can never support standing under the FDCPA.” This reasoning also overlooks close historical parallels in common and constitutional law that provide remedies for intangible injuries caused by many violations of the FDCPA and other consumer-protection statutes, the dissent added.

    Courts Appellate Seventh Circuit FDCPA Debt Collection Consumer Finance Class Action

Pages

Upcoming Events