A class has been certified in a case involving a data breach at a debt collection operation that compromised the personal information of 640,000 individuals, but the judge denied a motion to settle the case because the proposed settlement — $2.45 million to those who were injured — did not include any reference to how much the plaintiff’s attorneys would receive.
The Background: Back in 2022, a third-party exfiltrated personal identifiable information from the defendant’s computer system. Approximately 640,906 individuals had their information compromised as a result of the attack.
- The information that was compromised included the first and last names, home and email addresses, Social Security numbers, phone numbers, bank account information, and payment card details.
- The breach occurred in June 2022, but the defendant did not notify anyone until October of that year.
- The plaintiffs filed suit, alleging the information was stolen because the defendant improperly stored it and did not encrypt it.
- In filing their suit, the plaintiffs sought to include anyone who received a notification from the defendant that their personal information may have been compromised as a result of this data security incident.
The Ruling: While the two sides agreed on how much the plaintiffs should receive as part of the settlement, the judge denied putting her stamp of approval on the terms because there was no reference to how much the plaintiffs’ attorneys would make for their role in the proceedings.
- “Without knowing how much of the settlement fund might be requested, members of the Settlement Class cannot fully understand or appreciate whether the proposed settlement is fair or reasonable,” Judge Marsha J. Pechman of the District Court for the Western District of Washington wrote. “The amount of attorneys’ fees and costs is therefore material to understanding the fairness of the settlement.”