Facts

On November 19, 2020, Kyle Rodriguez was sent a Notice of Data Breach from his bank, River City Bank. The notice stated that the Bank had discovered an unauthorized activity by a River City employee on September 29, 2020. The employee downloaded customer data to a personal storage drive and sent the information to a third party. The incident was reported to law enforcement and an investigation ensued thereafter. The day after the Bank sent the notification, it notified the customers affected by the data breach, that they could obtain, at the Bank's expense, credit monitoring services furnished by Kroll which would include credit monitoring services, fraud consultation, and identity theft restoration for a period of 24 months. On March 16, 2021, Rodriguez filed a class action alleging the following causes of action: negligence; negligence per se; bailment; breach of implied contract; violation of Unfair Competition Law (UCL); violation of the Customer Records Act (CRA); and violation of the California Consumer Privacy Act (CCPA). River City Bank filed a Demurrer and Motion to Strike. The Sacramento Superior Court sustained, without leave to amend, the demurrer on the negligence per se and bailment causes of action. The demurrer for violations of the UCL, CRA, and CCPA were sustained with leave to amend and only as to the negligence cause of action did the court overrule the Bank's demurrer. River City Bank's motion to strike was denied in part (as to the references to Financial Code §4050 and Civil Code §§1798.81.5, 1798.82 and §1798.100 et seq.); granted in part (as to plaintiff's claim for "restitutionary disgorgement of all profits"); and dropped as moot with respect to plaintiff's claims for "statutory damages" under the Unfair Competition Law, Customer Records Act and California Consumer Privacy Act. Thereafter, the parties reached a class-wide settlement which received preliminary approval on April 26, 2022.

PLAINTIFF'S CONTENTIONS: Plaintiff Rodriguez contended that defendant River City Bank's tardiness in notifying its customers exposed the affected customers to considerable risk of identity theft and fraud, causing them to expend time, money and resources to address their damaged security interests and reputation. Though defendant knew of the data breach in September, it did not notify its customers until two months later. Plaintiff and other class members must now take steps to monitor their personal and business accounts, networks, computer profiles and other financial relations or associations to prevent further theft or damage. Plaintiff entrusted their personal identification and financial information to defendant and defendant breached that trust.

DEFENDANT'S CONTENTIONS: Defendant River City Bank denied all contentions.

Result

The case settled for $140,000.