InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court dismisses EFTA claims over prepaid debit card fraud
On August 11, the U.S. District Court for the District of Maryland dismissed a putative class action alleging violations of the EFTA and state privacy and consumer protection laws brought against a national bank on behalf of consumers who were issued prepaid debit cards providing pandemic unemployment benefits. The named plaintiff—a self-employed individual who did not qualify for state unemployment insurance but who was eligible to receive temporary Pandemic Unemployment Assistance (PUA) benefits—alleged that he lost nearly $15,000 when an unauthorized user fraudulently used a prepaid debit card containing PUA funds that were intended for him. The court dismissed the class claims with respect to the EFTA and Regulation E, finding that the Covid-19 pandemic was a “qualified disaster” under applicable law and regulations (i.e. PUA payments were “qualified disaster relief payments”), and that as such, the payments satisfied the CFPB’s official interpretation of Regulation E and were excluded from the definition of a “prepaid account.” The court further explained that while relevant CFPB regulations define an “account” to include a prepaid account, Regulation E excludes “any ‘account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments.’” Because the prepaid debit card in question was established through a third party and was loaded only with PUA funds, it did not meet the definition of a “prepaid account” and therefore fell outside the EFTA’s definition of a covered account. The court also disagreed with the plaintiff’s contention that PUA payments were authorized by Congress in the CARES Act due to the public health emergency rather than a disaster.
5th Circuit overturns decision in FDCPA suit
On August 15, the U.S. Court of Appeals for the Fifth Circuit overturned a district court’s grant of class certification in an FDCPA case, ruling that the plaintiff lacked standing. According to the opinion, the plaintiff incurred a debt after failing to pay her utility bills. The city hired a law firm who tried to collect the debt by sending the plaintiff a form letter demanding payment. Her debt had become delinquent four years and one day before the defendant sent its letter, which, under Texas law is “unenforceable.” The plaintiff filed suit against the law firm alleging that it had violated the FDCPA by making a misrepresentation in connection with an attempt to collect her debt. The plaintiff also sought to represent a class of Texas consumers who received the same form letter from the defendant regarding their time-barred debts. The district court rejected the defendant’s claim that the plaintiff lacked standing to bring suit, holding “that the violation of the plaintiff’s statutory rights under the FDCPA constituted a concrete injury-in-fact because those rights were substantive, not procedural.” The district court also “maintained that [the plaintiff’s] confusion qualified as a concrete injury-in-fact.”
On the appeal, the 5th Circuit reversed, finding that the plaintiff did not suffer a concrete injury and therefore lacked standing. The court held that the Supreme Court’s ruling in TransUnion v. Ramirez (covered by InfoBytes here) foreclosed the plaintiff’s theories that a violation of statutory rights under the FDCPA or accidentally paying a time-barred debt are concrete injuries. The appellate court noted that consulting with an attorney and not making a payment is not a concrete injury under Article III, stating that it is “not aware of any tort that makes a person liable for wasting another’s time.”
District Court grants final approval of data breach settlement
On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.
Class certification granted in TCPA suit against satellite provider
On August 1, the U.S. District Court for the Northern District of West Virginia granted a plaintiff’s motion for class certification in an action against a satellite TV company (defendant) for allegedly placing unwanted telemarketing robocalls. According to the order, the plaintiffs alleged that the defendant retained a communications company to sell the defendant’s services and that the communications company purchased a list of leads and phone numbers from a third party to make telemarketing calls. According to the plaintiffs, the communications company failed to scrub the list for numbers on the national do-not-call list and called those numbers in violation of the TCPA. The district court noted that “[t]here are two overriding questions in this case: (1) whether [the communications company] contacted class members listed on the do-not-call registry; and (2) whether [the defendant] is liable for [the communication company’s] actions.” The district court further noted that “[a]ny individual issues or defenses are limited and easily resolved with aggregate data from defendant []." In agreeing with the “plaintiffs’ contention that this is a ‘model case for the application of the class action mechanism,’” the district court certified a nationwide class of nearly 114,000 individuals whose telephone numbers were listed on the do-not-call list and who received more than one telemarketing call within any 12-month period at any time from the communications company to promote the defendant.
11th Circuit reverses class action settlement in TCPA case
On July 27, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s approval of a class action certification and settlement agreement in an TCPA action after determining that the plaintiff lacked Article III standing in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez (covered by InfoBytes here). According to the opinion, the plaintiff sued the defendant, alleging it violated the TCPA by calling and texting her “solely to market its services and products through a prohibited automatic telephone dialing system.” After the case was consolidated, and after negotiating with the defendant, the plaintiffs submitted a proposed class settlement agreement that established a settlement fund of $35 million to the 1.26 million settlement class members, who would receive either a $35 cash payment or a $150 voucher for the defendant’s services. The district court had noted Salcedo v. Hanna, in which the 11th Circuit held “that receipt of a single unwanted text message was not a sufficiently concrete injury to give rise to Article III standing,” and that “the proposed class definition included individuals who received only one text message from [the defendant].” The district court determined that “even though some of the included class members would not have a viable claim in the Eleventh Circuit, they do have a viable claim in their respective Circuit [because of a circuit split]. Thus, [the defendant] is entitled to settle those claims in this class action although this Court would find them meritless had they been brought individually in the Eleventh Circuit”
On appeal, the 11th Circuit noted that TransUnion LLC v. Ramirez held that “every class member must have Article III standing in order to recover individual damages.” The appellate court further noted that “TransUnion says that we can’t award damages to plaintiffs who do not have Article III standing. And Article III standing goes to the heart of our jurisdiction to hear cases in the first place. It further stated that the court “cannot … check [its] Article III requirements at the door of the class action. Any class definition that includes members who would never have standing under our precedent is a class definition that cannot stand.”
Court grants final approval of privacy class action settlement
On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. As previously covered by InfoBytes, the district court granted preliminary approval of the $58 million settlement in November. In granting final approval of the settlement, the court determined it was adequate, and noted that the plaintiffs’ claim that the defendant’s practices breached California’s anti-phishing law was “relatively untested.” In addition to the $58 million settlement fund, the settlement provides for injunctive relief.
District Court grants final approval in a FCRA case remanded by the 9th Circuit
On December 15, the U.S. District Court for the Northern District of California granted final approval of a plaintiff’s motion for preliminary approval in a class action settlement in a FCRA case. In a class action against a credit reporting agency (CRA) for allegedly violating FCRA by erroneously linking class members to criminals and terrorists with similar names in a database maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), the district court ruled that all class members had standing to assert their FCRA claims. The jury returned a verdict for the plaintiffs and awarded punitive damages. As previously covered by InfoBytes, in February 2020, the 9th Circuit reduced the punitive damages award and affirmed the district court’s ruling that all class members had standing due to, among other things, the CRA’s alleged “reckless handling of information from OFAC,” which subjected class members to “a real risk of harm.” As previously covered by InfoBytes, in April 2020, the 9th Circuit granted a joint motion to stay the mandate pending the CRA’s filing of a petition for writ of certiorari with the U.S. Supreme Court. The Supreme Court granted the CRA’s petition for certiorari and reversed the 9th Circuit’s finding on standing, holding that the class members whose credit reports were not provided to third-party businesses did not suffer a concrete harm and thus did not have standing to assert their “reasonable procedures” claims under the FCRA. The Court also held that none of the class members had standing to pursue the disclosure claims under the FCRA because they had not “suffered a concrete harm.” The Ninth Circuit remanded to the district court for further proceedings consistent with the Supreme Court’s ruling.
The parties participated in a mediation and reached a class-wide settlement. The plaintiff moved for preliminary approval, which the district court granted on July 19. The settlement class is composed of two categories of individuals: (1) the 1,853 class members that the defendant CRA identified in its pre-trial stipulation as individuals for whom the defendant had delivered a credit report containing OFAC data to a third-party, and (2) class members from the remaining group of 6,332 individuals not identified in the stipulation who submit a claim demonstrating publication of OFAC data to a third-party during the class period. The Settlement agreement, among other things, requires the defendant to establish a settlement fund of $9 million, which includes attorney fees and costs.
Florida appeals court: Injury required for FACTA standing
On July 13, a Florida District Court of Appeals affirmed the dismissal of Fair and Accurate Credit Transactions Act (FACTA) class claims brought against a defendant shoe company after determining that the lead plaintiff lacked standing because he suffered no “distinct or palpable” injury. The plaintiff first filed a class action suit in federal court, claiming a receipt he received from the company included 10 digits of his credit card number—a violation of FACTA’s truncation requirement, which only permits the last five digits to be printed on a receipt. The plaintiff did not allege that his credit card was used, lost, or stolen in any way, nor was evidence presented to show there was any danger of his credit card being used. The suit was stayed pending the resolution of a different FACTA dispute in the U.S. Court of Appeals for the Eleventh Circuit. As previously covered by InfoBytes, a split en banc 11th Circuit concluded that the plaintiffs in that separate action lacked standing because they did not allege any concrete harm and vacated a $6.3 million settlement. Specifically, the en banc majority rejected the named plaintiff’s argument that “receipt of a noncompliant receipt itself is a concrete injury,” and noted that “nothing in FACTA suggests some kind of intrinsic worth in a compliant receipt.”
Following the 11th Circuit decision, the parties agreed to dismiss the federal action and remanded a later-filed action to state court where the plaintiff argued that “state standing was plenary and therefore less restrictive than federal standing.” The trial court disagreed and granted the defendant’s motion to dismiss, ruling that “Florida requires a concrete injury to have standing,” and “alleging a mere statutory violation does not convey standing per se.” The trial court ruled that “obtaining a receipt in alleged violation of FACTA does not satisfy this requirement,” and the appeals court agreed, holding that, among other things, no actual damages occurred since nothing was alleged to have been charged to the plaintiff’s account, nor was there the imminent possibility of injury because the plaintiff retained possession of the receipt. In its opinion, the appellate court cited the U.S. Supreme Court’s decisions in Spokeo and TransUnion with approval, noting that “individuals ‘must allege some threatened or actual injury resulting from the putatively illegal action.’”
4th Circuit says foreign debit fee contract language is ambiguous
On July 7, the U.S. Court of Appeals for the Fourth Circuit held that a class action breach of contract suit related to foreign debit card fees charged by a credit union may proceed. Class members claimed that the credit union’s contract allows fees only when customers make debit card purchases in a foreign country—not when customers make a purchase while they are physically in the U.S. even if the merchant is abroad. According to the contract’s disclosure agreement and fee schedule, debit card transactions “made in a foreign country” and non-credit union “Point-of-sale and ATM transactions made in a foreign country” will incur a one percent fee.
In vacating the district court’s ruling that the card contracts clearly prohibited these fees, the 4th Circuit concluded that the contract’s language is ambiguous and subject to different interpretations. While class members and the credit union both cited dictionary definitions in support of their arguments, the appellate court said the contract’s language “simply does not clarify whether the location of the account holder or the seller determines whether the transactions are made in foreign countries.” In an online context, the 4th Circuit pointed to questions posed by the 7th Circuit: “Where is the point of sale for such a purchase—the consumer’s computer? the vendor’s headquarters? the vendor’s server? cyberspace generally?” The 4th Circuit further noted that the contracts could have been clearly drafted to explain whether online transactions were “made in foreign countries” if they were between account holders physically in the U.S. and foreign sellers but “were not.”
District Court approves contact tracing suit settlement
On October 31, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for attorneys' fees, expenses, and service awards related to a class action settlement alleging that an internet platform (defendant) violated the California Confidentiality of Medical Information Act, as well as other state laws through its “contact tracing” system that operated on consumers’ mobile devices. According to the motion, the defendant co-designed a digital contact tracing system to combat the spread of COVID-19 on mobile devices using the defendant’s mobile device operating system. The plaintiffs alleged that the defendant unlawfully exposed confidential medical information and personally identifying information through this system. Furthermore, the plaintiffs alleged that the defendant's system was "fundamentally flawed in its design and implementation" because it left users’ private medical and personally identifying information unprotected on mobile device “system logs” to which the defendant and third parties had routine access. Under the terms of the settlement, class counsel will receive approximately $1.95 million in attorneys’ fees and $56,457.44 in expenses. Additionally, the defendant must pay service awards to class representatives.