InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court says tech company not liable for app in crypto theft
On September 2, the U.S. District Court for the Northern District of California granted a defendant California tech company’s motion to dismiss a putative class action filed by users who claimed their cryptocurrency was stolen after they downloaded a “phishing” program that posed as a legitimate digital wallet. Plaintiffs alleged that the illegitimate app (developed by a third-party and not the defendant) caused them to lose thousands of dollars in cryptocurrency. Claiming that the app was a spoofing and phishing program that obtained consumers’ cryptocurrency account information and routed that information to hackers’ personal accounts, plaintiffs sued, asserting claims under the federal Computer Fraud and Abuse Act, Electronic Communications Privacy Act, California Consumer Privacy Act, California’s Unfair Competition Law, California Consumer Privacy Act, California Consumer Legal Remedies Act, Maryland Wiretap and Electronic Surveillance Act, Maryland Personal Information Protection Act, and Maryland Consumer Protection Act. The defendant moved to dismiss, arguing that it was immune from liability under § 230(c)(1) of the Communications Decency Act. The court agreed with the defendant, ruling that it is granted protection under the Act because it qualifies as an “interactive computer service provider” within the meaning of the statute, is treated as a publisher, and provides information from another information content provider. “Here, plaintiffs’ computer fraud and privacy claims are based on [defendant’s] reproduction of an app [] intended for public consumption, via the App Store,” the court wrote. “But, as [defendant] notes, its review and authorization of the [] app for distribution on the App Store is inherently publishing activity.” Moreover, the court concluded that, among other things, the defendant’s liability provision contained within its terms, which states that it is not liable for conduct of a third party, is valid and enforceable.
District Court preliminarily approves TCPA class action settlement
On March 3, the U.S. District for the Central District of California granted final approval of a TCPA class action settlement with a satellite TV company. According to a memorandum in support of plaintiff’s motion for preliminary approval of class action settlement and certification, the plaintiff class alleged that the defendant violated the TCPA by using an artificial or prerecorded voice to call cell phones without the prior express consent of class members, consisting of about 22,000 individuals. The settlement class includes all people who received non-emergency calls from the defendant and four of its debt collection companies “regarding a debt allegedly owed to [the defendant], to a cellular telephone through the use of an artificial or prerecorded voice, and who has not been a [defendant] customer at any time since October 1, 2004.” The settlement requires the defendant to pay an all-cash non-reversionary sum of $17 million. The settlement could also approach or exceed $500 in damages per call for class members who make claims and includes an award of attorney fees of up to $5.61 million, or 33 percent of the settlement fund, in addition to litigation costs. Specifically, the settlement would provide $606.06 per call for settlement class members who received calls from two of the defendant’s debt collectors, and those members will get two shares of the pro rata distribution. Settlement class members who received calls from two other of the defendant’s debt collectors will get $303.03 per call and one share of the pro rata distribution.
District Court grants final approval in TCPA class action
On September 1, the U.S. District Court for the Central District of California granted final approval of a class action settlement in a TCPA suit. According to the plaintiffs’ motion for preliminary approval of the class action settlement, the plaintiffs are non-customers who the defendant contacted as part of its efforts to collect on the account of a defendant’s customer and who had not consented to calls from the defendant. The plaintiffs further alleged that the defendant used its autodialer to place those calls and conveyed prerecorded messages to third parties who had not consented to receive such calls, and that through analysis of the defendant’s records, broad notice to class members, and a robust claims verification procedure, it was possible to provide notice to non-customer class members. According to the settlement, the class includes any customer in the U.S. who received automated, non-emergency calls from the defendant on their cell phones from March 2012 through March 2022, and was not a party to an agreement with the defendant. The settlement noted that class members are expected to get between $75 and $250 per person, stating that “this estimated settlement range compares very favorably with other 'wrong number' settlements . . . , and with the $500 penalty for violation of the TCPA.”
3rd Circuit vacates dismissal of data breach suit
On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary, provided her sensitive personal and financial information in exchange for the defendant’s agreement, pursuant to the plaintiff’s employment agreement, to “take appropriate measures to protect the confidentiality and security” of this information. After plaintiff ended her employment with the company, a hacking group accessed the defendant’s servers through a phishing attack and stole sensitive information pertaining to current and former employees. In addition to exfiltrating the data, the hackers installed malware to encrypt the data stored on the defendant’s servers and held the decryption tools for ransom. The defendant informed current and former employees of the breach and encouraged them to take precautionary measures. To mitigate potential harm, the plaintiff took immediate action by conducting a review of her financial records and credit reports for unauthorized activity, among other things. As a result of the breach, the plaintiff alleged that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm. The district court granted the defendant's motion to dismiss based on lack of Article III standing, concluding “that [the plaintiff's] risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”
On the appeal, the 3rd Circuit noted that the district court “erred in dismissing [the plaintiff’s] contract claims, which are raised in Counts III (breach of implied contract) and IV (breach of contract),” arising from her employment agreement. The appellate court wrote that the plaintiff “has alleged an injury stemming from the breach—the risk of identity theft or fraud—that is sufficiently imminent and concrete,” because the defendant “expressly contracted to ‘take appropriate measures to protect the confidentiality and security’ of plaintiff’s information in [the plaintiff’s] employment agreement.” The appellate court also noted that in an “increasingly digitalized world, an employer's duty to protect its employees’ sensitive information has significantly broadened.” The 3rd Circuit vacated the judgment on all counts and remanded the dispute to the district court for consideration of the merits of the claims.
District Court preliminarily approves $2.25 million settlement resolving credit card upgrade claims
On August 29, the U.S. District Court for the District of New Jersey preliminarily approved a class action settlement in which a national bank agreed to pay $2.25 million to resolve misleading credit card upgrade claims made to secured credit card holders. Plaintiffs alleged in their motion for preliminary approval that they each signed an agreement with the bank that said if they used and maintained a secured credit card account for seven consecutive billing months without defaulting they would be eligible to automatically “graduate” to an unsecured credit card. Transitioning to an unsecured credit card allows customers to regain control of the collateral deposits and receive a prorated refund of the annual fee they paid while they had secured cards, plaintiffs asserted. Plaintiffs claimed that while the bank’s “form contract and promotional materials promised a meaningful review of secured card accounts after seven months in good standing that review, in fact, did not occur in a fashion consistent with the parties’ contract.” The bank denied the claims. According to court documents, this past January the bank amended the graduation provision at issue in its agreement for secured credit cards to “more adequately disclose how a cardholder becomes eligible for an unsecured credit card.” The court deemed the proposed settlement to be “fair, adequate and reasonable to the settlement class,” and granted class certification. If granted final approval, class members would be awarded a portion of the annual fee paid on their secured credit card.
3rd Circuit: District Court erred in applying ascertainability precedent when denying class action certification
On August 24, the U.S. Court of Appeals for the Third Circuit vacated a ruling denying class certification in an action concerning inaccurate consumer reports, holding that the district court misinterpreted Section 1681g(a) of the FCRA and erred in applying the appellate court’s ascertainability precedent. According to the plaintiffs, the defendant, a consumer reporting agency (CRA), provided inaccurate consumer reports as part of a rental application process. The plaintiffs further alleged that the defendant refused to correct the information on the reports unless plaintiffs “obtained proof of the error from [the defendant’s] sources” despite failing to provide the identity of the sources to the plaintiffs. Plaintiffs responded by filed a putative class action alleging the defendant “violated its obligation under the FCRA to disclose on request ‘[a]ll information in the consumer’s file at the time of the request’ and ‘the sources of that information.’” However, the district court denied class certification on the grounds that class members “failed to satisfy Rule 23(b)(3)’s predominance and superiority requirements and that their proposed class and subclass were not, in any event, ascertainable.”
On appeal, the 3rd Circuit closely reviewed when the provisions of § 1681g(a) were applicable. The appellate court first determined the disclosure requirements of § 1681g(a) could only be triggered by a direct request from a consumer, and not a third-party request as the plaintiffs had argued. In so doing, the appellate court found that the district court was “right to distinguish between consumers who made direct requests under § 1681g and consumers who received courtesy copies of the property managers’ Rental Reports,” and affirmed the denial of the “All Requests” class sought by plaintiffs. The appellate court next determined that the district court incorrectly narrowed the disclosure requirements of § 1681g(a) to where a request was specifically made for a consumer’s “file” as opposed to a request for a “report.” The appellate court concluded that “[n]othing in the statute’s text, context, purpose, or history indicates that any magic words are required for a consumer to effect a ‘request’ under § 1681g(a) or that a consumer’s request for ‘my consumer report’ is any less effective at triggering the CRA’s disclosure obligations than a request for ‘my file.’” As a result, the appellate court vacated the district court’s finding as to the predominance requirement of class certification and remanded for the district court “to consider whether Rule 23(b)(3)’s predominance and superiority requirements are satisfied with respect to” consumers in a purported subclass who had made a direct request for a report or file.
The appellate court concluded by determining the district court had additionally errored in its analysis of ascertainability of the proposed class by requiring too high a standard for administrative feasibility. The district court had ruled that where identification of putative class members would require a file-by-file review, ascertainability was “not administratively feasible.” The appellate court disagreed, stating that ascertainability does not mean that “no level of inquiry as to the identity of class members can ever be undertaken,” as it “would make Rule 23(b)(3) class certification all but impossible.” The appellate court instead held that “a straightforward ‘yes-or-no’ review of existing records to identify class members is administratively feasible even if it requires review of individual records with cross-referencing of voluminous data from multiple sources.”
District Court approves class action settlement against securities trading platform and broker-dealer
On May 16, the U.S. District Court for the Northern District of California granted final approval of a settlement in a class action against a securities trading platform and broker-dealer (defendant) for allegedly allowing unauthorized users access to customers’ accounts. As described in plaintiffs’ motion for preliminary approval of settlement, class members alleged the defendant “lacked security measures used by other broker-dealer online systems,” which allowed “thousands of [the defendant’s] customer accounts [to be] accessed by unauthorized users.” Based on these allegations, class members brought claims for negligence, breach of contract, and violations of various state consumer privacy, competition, and advertising laws. Under the terms of the settlement, the defendant must provide cash payments of up to $260 each to settlement class members who submit a claim, up to a total amount of $500,000. Additionally, among other things, the defendant must “provide two years of credit monitoring and identity theft protection services to those who elect to receive it,” must “maintain improvements to its security protocols and policies to decrease the risk of unauthorized access to its customers’ accounts,” and must “respond effectively to instances of potential unauthorized access” in the future.
District Court preliminarily approves data breach class action settlement
On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.
California appellate court overturns ruling for collector that stapled note to summons
On August 23, the California Sixth Appellate District overturned summary judgment in favor of a collector (defendant) that was sued for FDCPA and the Rosenthal Fair Debt Collection Practices Act violations. According to the court, the plaintiff incurred an unpaid medical debt, which was referred to the defendant for collection. The defendant sent the plaintiff eight letters; however, the plaintiff was allegedly not aware that the hospital assigned the debt to a debt collector and did not pay the debt. The defendant filed a collection suit against the plaintiff, seeking to recover the unpaid medical debt. The defendant stapled a typewritten note to the summons, which read, “If you have any questions regarding this matter, please contact: []” in English and Spanish. The plaintiff filed a complaint, accusing the defendant of violating the FDCPA and the Rosenthal Act, alleging that “it was unlawful for [the defendant] to send the attachment with the summons and the complaint because the attachment appeared to be a message from the court and did not contain language disclosing that it was sent by a debt collector.” The trial court granted the defendant’s motion for summary judgment, ruling that the communication was lawful, and denied the plaintiff’s cross-request for summary judgment.
On the appeal, the defendant argued that "the attachment is not a ‘communication’ within the meaning of either statute, on the theory that the attachment itself says nothing about the debt." However, the appellate court wrote that the note was not sent “in a vacuum: The attachment, summons, and complaint comprised a collection of documents delivered by a process server—personally to [the plaintiff’s] girlfriend and then by mail to [the plaintiff].” The appellate court further noted that the reference to “this matter” in the note “unmistakably signified the litigation initiated by the accompanying complaint pleading [the plaintiff’s] indebtedness and the amount and source of indebtedness in a common count cause of action.” With regard to whether the note was a communication in connection with the collection of a debt, the appellate court noted that it “fail[ed] to conceive of any subject other than debt collection [the defendant] might think the communication was in connection with. The message in the attachment refers to the existence of a debt, conveys information regarding the debt, and serves the purpose of debt collection by enticing the recipient to contact the debt collector.” The appellate court concluded that “[b]y omitting the mandatory disclosure that this attachment was from [the defendant], a debt collector, [the defendant] made it reasonably likely that the least sophisticated consumer would believe the suggestion to call [the defendant] was from the court that issued the summons to which the suggestion was affixed. [The defendant’s] communication was therefore deceptive.”
District Court approves $84 million payment processing settlement
On August 17, the U.S. District Court for the District of Nebraska granted final approval of an $84 million class action settlement resolving allegations that a payment processing company’s billing practices overcharged merchants. Class members retained the company to process credit card payments and claimed that the company allegedly charged fees that did not align with the terms of their contracts. Class members accused the company of Racketeer Influenced and Corrupt Organizations Act violations, breach of contract, and fraudulent concealment related to allegations that the company assessed noncompliance fees, increased contractual credit card discount rates, and shifted credit card transactions from lower-cost rate tiers to higher-cost rate tiers. Under the terms of the settlement, the company will pay up to $84 million into a settlement fund, which will provide cash benefits to class members and cover administrative costs, attorney fees, and other expenses.