Lawyers or business people who feel they have been hearing about a lot more consumer protection class actions lately have good reason for that feeling. A recent report by Lex Machina, part of LexisNexis, highlights an extraordinary increase in federal consumer protection class actions over the last decade. The number of such class actions almost tripled, even though consumer protection suits generally (i.e., suits other than class actions) increased by less than 20% over the period studied, 2009 through 2018. The number of class action filings focused on consumer protection issues rose from 1,223 in 2009 to 3,382 in 2018. Though 2019 filings have not been compiled and verified as of this time, observers widely expect a number similar to, or larger than, 2018.
In its “Consumer Protection Litigation Report,” Lex Machina noted that cases involving data privacy issues and unwanted text messages were most responsible for the increase. Plaintiffs’ attorneys evidently perceive the potential for substantial company liability in data breach cases. At the same time, consumers and regulators alike are communicating higher expectations for companies’ data security systems and privacy measures. Regulators, in particular, are increasing the pressure on companies to bolster and protect their privacy and security practices and standards. This has created an opportunity for private plaintiffs and their counsel. In certain circumstances, they can contend that, among other things, a company’s alleged failure to conform to “accepted best practices” (as manifested, perhaps, in statutes like the much-discussed California Consumer Privacy Act) contributed to the injuries suffered by the putative class.
Consumer protection class actions in the period studied were, of course, hardly limited to data breach cases. Class actions alleging violations of the Telephone Consumer Protection Act (TCPA), for example, rose 740%, and ones asserting Fair Credit Reporting Act (FCRA) claims increased by more than 150%. TCPA lawsuits in recent years have most often focused on text messages sent to cellphones. FCRA suits over the last few years have reflected consumers’ higher expectations that their data will be kept private, not sold, or widely shared.
Financial services companies may be among the companies most vulnerable to putative class actions focused on supposed data privacy violations. They generally have access to customers’ sensitive financial information, not to mention other personally identifiable information (such as social security numbers, address information, and sometimes health-related information) of employees and customers. Many companies in the financial services industry also sell, transfer or assign financial instruments (residential mortgage loans, as one example), and in so doing, must convey to the receiving company underlying data sets (such as loan files) rife with confidential personal information. As such, providers of financial services are both an inviting target for hackers, and unfortunately have many opportunities to inadvertently place private customer data in the wrong hands, or to violate customers’ expectations of privacy in some other way.
The good news for companies in that industry is that the increase in consumer protection (and consumer finance) related class actions does not result from any lack of arguments available to defense counsel in such cases. Indeed, defense counsel have had notable successes of late, both with respect to challenging class certification and contesting liability. As a recent decision from the United States Court of Appeals for the Ninth Circuit makes clear, plaintiffs alleging consumer finance-related misconduct typically cannot simply avoid establishing the basics of their claims, even when they are afforded rights of action under applicable statutes.
In Davis v. Mandarich Law Group, the Ninth Circuit provided a useful reminder: district courts must consider and address whether a plaintiff suffered an actual or imminent, concrete, particularized injury as a result of the defendant’s alleged misconduct. Plaintiff Marla Davis filed a putative class action alleging that defendant Mandarich Law Group violated the Fair Debt Collection Practices Act (FDCPA) by sending Davis a communication that was inconsistent with a cited California statutory provision. In addition, Davis claimed that Mandarich’s conduct was “false, deceptive, or misleading,” and constituted debt collection by “unfair or unconscionable means” under applicable federal statutes.
Davis had initially prevailed, both in arbitration and in district court, which confirmed the arbitrator’s decision. In appellate proceedings, Mandarich raised the issue of standing. The Ninth Circuit determined that there was a “serious question” as to whether Davis had adequately alleged an injury in fact. It likewise questioned whether she could do so even if permitted to amend her complaint. On those grounds, the Ninth Circuit remanded the case to the district court to determine whether Davis had the requisite standing. The upshot of this case is that the potential availability to consumers of federal statutory remedies, including those provided under the FDCPA, does not relieve those consumers of the necessity of establishing in court that they have suffered a concrete injury. The need to establish a concrete injury may, in turn, serve to diminish the chance that a plaintiff can maintain a class action, because an injury that is different in nature (or in other key respects) from injuries allegedly suffered by other putative class members is often one that should not or cannot be dealt with as part of a class action.
Financial services companies thus should take appropriate measures to ensure that their privacy-related practices are in step with consumer and regulator expectations, and recognize that part of the urgency of doing so results from the staggering increase in consumer protection-related putative class actions. If sued or threatened with a suit of this type, though, companies must not lose sight of the fact that they have numerous legal and factual defenses at their disposal in most instances.