Data Privacy Class Action Lawsuits Pose a Rising Threat to the Financial Industry
Increased regulatory pressures and higher expectations for companies’ defenses against cyberattacks make financial institutions vulnerable to class action lawsuits.
- Consumer protection class action lawsuits have increased in frequency over the past decade—and many are related to data privacy.
- The regulatory climate and increased consumer expectations of privacy are driving the increase in class action lawsuits.
- Financial services companies are vulnerable to class action suits because of the sensitive customer data they handle.
- Maintaining the best available protection against cyberattacks is imperative for financial services companies.
Consumer protection class action lawsuits have almost tripled over the past decade, with data privacy issues responsible for many cases. This rise in lawsuits has hit the financial services industry particularly hard. The vast amount of sensitive data handled in financial transactions and the industry’s struggle in adopting leading technologies to combat data breaches are contributing factors.
Financial services companies are attractive targets for hackers, given their practice of obtaining and selling or transferring files of personally identifiable information (PII) to third parties. They are also subject to lawsuits due to the number of high-profile data breaches within the financial services industry and an increase in regulatory activity.
Regulators and consumers alike are demanding greater protection of sensitive data. In some cases, a company’s failure to conform to “accepted” best practices—especially if state legislatures have codified those practices—can be used against it in a class action suit.
Trends in consumer protection class action lawsuits
Data breach cases are by no means the only type of recent consumer protection class actions, although they tend to receive significant media coverage when they occur. Other common types of class action suits in this category are those alleging violations of the Telephone Consumer Protection Act (TCPA) and the Fair Credit Reporting Act (FCRA).
Experts expect that pandemic-related cases will be the focus of class actions during the next year and beyond. While many of these concern employment practices and lawsuits against PPP lenders, the increase in online activity during the lockdown is predicted to yield more cybersecurity failures and numerous data privacy suits.
One recent case that may cause worry among financial services companies involves the ransomware attack on American Bank Systems (ABS). The breach affected 53 GB of sensitive data from multiple banks and mortgage companies. ABS was then hit with a class action lawsuit alleging its failure to sufficiently protect its customers’ information and disclose the breach in a timely manner. A similar data breach case involving Capital One and Amazon Web Services was filed in Virginia in March 2020.
Fintech companies are also targets for data breaches—and potential lawsuits—because of the vast personal and transaction-level data they collect from users. In May 2020, data aggregator Plaid, whose software is used by thousands of apps, including Venmo, Coinbase, and Square, was named in a class action lawsuit filed in the U.S. District Court for the Northern District of California. Soon after, four additional class action suits were consolidated and renamed as In Re Plaid Inc. Privacy Litigation (Docket No. 4:20-cv-03056-DMR). The complaint alleges Plaid used its access through the apps to illegally collect private user financial data and sell it to other parties.
In August 2020, also in the Northern District of California, an individual plaintiff sued financial portfolio management solutions provider Envestnet and its subsidiary, finance data aggregator Yodlee (a Plaid competitor), in a similar class action complaint. That plaintiff claimed that the companies failed to protect her financial data by selling and sharing it via unencrypted files, which places her and all Class members at “a significant risk of fraud and identity theft.” As of March 2021, after several motions to dismiss that were partially granted and partially denied, the California court allowed the plaintiffs to file a second amended complaint and demand a jury trial.
Data breach and privacy class action lawsuits tend to follow a similar pattern: plaintiffs allege missteps by an organization relating to how it handles data security. These allegations range from the business’s failure to disclose its data collection and sharing practices to its failure to implement “reasonable security procedures.”
Preventative practices for financial institutions
Any company that handles sensitive consumer data is obligated to take proven security measures against cyberattacks and data breaches. For financial institutions, the penalties for failing to do so are steep.
Companies handling consumer data must comply with a multitude of federal and state regulations. On the national level, the Federal Trade Commission enforces Gramm-Leach-Bliley Act provisions, which require financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data.
The Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003, added provisions to improve the accuracy of consumers’ credit-related records. The Right to Financial Privacy Act, first enacted in 1978, establishes procedures government authorities must follow when requesting a customer’s financial records from a financial institution, and imposes duties and limitations upon the institution before releasing information.
States have also enacted legislation to safeguard consumer data—in some cases, going further than federal regulations. Both the landmark California Consumer Privacy Act (CCPA) and California’s Financial Information Privacy Act (CalFIPA), which was passed by the legislature “to afford persons greater privacy protections than those provided in . . . the federal Gramm-Leach-Bliley Act,” serve this purpose. Many more states, including Texas, have passed aggressive data breach notification laws in the past few years in response to widespread cyberattacks involving consumer PII.
Financial institutions need to use the most advanced technology and processes available to guard against compromises to their consumers’ data privacy. Relying on past solutions is inadequate, as hackers’ tools and techniques evolve quickly. The best way to avoid being the target of a class action lawsuit—or successfully defend against one—is by investing in and maintaining best-in-class cybersecurity measures. Documenting their implementation and maintenance is also crucial.
Companies in the financial industry should ensure that their privacy practices are in step with consumer and regulatory expectations. They should update their plans for responding to cybersecurity incidents, including their means of informing the public of data breaches. For fintech companies, business and compliance teams should work together to ensure their product is secure—both now and in the future.
The increasing threat of data breaches, compounded by greater online traffic, should make safeguarding consumer data a critical priority. Nevertheless, the exploding rate of cybercrime means that even well-secured and compliant institutions are not immune to a breach. In all cases, the best legal defense relies on showing that robust steps were taken to avoid or mitigate any damage.
When a financial services or fintech company becomes the target of a cybersecurity legal action, there are numerous defenses at its disposal. Seeking the counsel of attorneys experienced in both the financial services industry and class action lawsuits is essential.
Johnston Clem Gifford’s litigation team regularly represents clients in complex class actions, multidistrict litigations, and mission-critical cases. We are trusted advisors to our clients and thought leaders for the financial services legal market. Contact us online or by calling (214) 974-8000.