Trade Law Daily is a Warren News publication.
'Substantial Risk'

4 Class Actions in Santa Ana Court Are Sparked by loanDepot's Data Breach

Four plaintiffs pounced last week on news of a data breach that mortgage lender loanDepot announced this month, filing negligence class actions in U.S. District Court for Central California in Santa Ana over the breach that exposed the personally identifiable information (PII) of 16.6 million customers.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

LoanDepot first reported the incident to the SEC Jan. 8, in a filing dated Jan. 4, saying it recently identified a cybersecurity incident affecting certain of its systems. The “unauthorized third party activity” included access to company systems and the encryption of data, it said. In response to the cyberattack, loanDepot “shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident,” it said.

Also on Jan. 8, loanDepot posted to its website that it had taken certain systems offline and was “working diligently to restore normal business operations as quickly as possible,” the complaint said. The company retained a forensics expert and was working with law enforcement, it said.

LoanDepot gave staggered updates over the next couple of weeks, including four Jan. 18, telling customers when certain portals were back online. A Jan. 22 update and news release said the company will notify affected individuals and offer credit monitoring and identity theft protection services “at no cost to them.” The most recent update Friday said late fees for January payments “will not be assessed until after January 31.

Plaintiff David Ware of Maricopa County, Arizona, provided his PII to loanDepot in 2021 when he obtained two mortgage loans from the lender: one on his principal residence in January and another on a second property about five months later, said his Thursday class action (docket 8:24-cv-00179).

Ware’s complaint showed a screenshot of a loanDepot update with an error message asking customers who were trying to make payments to call or mail in their payments instead. The mortgage lender hasn’t yet shared what type of customer PII was accessed and stolen from its systems, but based on information and belief, that information likely included name, address, address, phone number, Social Security number, employment and contact information, and account information, including username and password, the complaint said.

LoanDepot was aware of the risks of a breach, the complaint said, citing remarks made by Chief Risk Officer Joseph Grassi in a May 5 letter announcing that the company observed “anomalous activity” on its IT network the previous August. It reported the event to regulators and remediated the incident within three hours, said Grassi.

Ware has financial losses as a result of the breach, and he is subject to a “substantial risk for further identity theft” due to the event, it said. Ware will need to monitor his financial accounts and credit reports and take other measures to protect himself from identity theft and fraud, it said. Ware believes he “paid a premium to loanDepot for its data security,” the complaint said. He would not have used loanDepot if he had known it would expose his PII and make it available to identity thieves, it said.

California has the “greatest interest in applying its law” to class members’ claims due to its “compelling interest in using its laws to regulate a resident corporation and preserve a business climate free of unfair and deceptive practices,” the complaint said. If other states’ laws were applied to class members’ claims, “California’s interest in discouraging resident corporations from engaging in the sort of unfair and deceptive practices alleged in this complaint would be significantly impaired,” it said. California “could not effectively regulate a company like loanDepot, which does business throughout the United States, if it can only ensure remuneration for consumers from one of the fifty states affected by conduct that runs afoul of its laws,” it said.

Ware asserts claims of negligence; violation of California’s Consumers Legal Remedies Act, Unfair Competition Law and Customer Records Act; breach of contract, implied contract and fiduciary duty; unjust enrichment; and invasion of privacy, said the complaint. He seeks injunctive relief including orders requiring loanDepot to strengthen its data security systems and to pay all costs associated with class notice and administration of relief; awards of compensatory, consequential, incidental and statutory damages, plus restitution and disgorgement; attorneys fees and costs: and pre- and post-judgment interest.

Plaintiff Jonathan Rosa of Passaic County, New Jersey, secured a loan from loanDepot in summer 2021, and provided his PII through the application process, said his Tuesday class action (docket 8:24-cv-00167). As a result of the breach, Rosa has been injured and has financial losses; he is also subject to further identity theft due to loanDepot’s breach, it said. Rosa, whose co-counsel is Ware attorney Barrack Rodos, seeks similar claims to Ware.

Plaintiff Amy Penird’s Thursday class action (docket 8:24-cv-00180) said loanDepot didn’t use “reasonable security procedures and practices suitable or adequate to protect the sensitive information of customers it was maintaining.” Penird hasn’t received notice of the data breach from the defendant but is aware of it “through other sources,” said the Hernando, Florida, resident. The breach has caused her to “suffer fear, anxiety and stress” and she plans to take additional “time-consuming, necessary steps” to “continually reviewing her depository, credit, and other accounts for any unauthorized activity,” her complaint said.

Penird asserts claims of negligence, breach of contract, invasion of privacy, unfair and unlawful conduct in violation of California’s Unfair Competition Law. She seeks actual, consequential and nominal damages, or restitution; an award of attorneys’ fees and costs; and prejudgment interest.

Plaintiff Joel Eggleton of Menifee, California, believed that as a loanDepot customer, the company would implement and maintain reasonable security practices to protect his PII, said his Wednesday class action (8:24-cv-00170).

LoanDepot “knew or should have known” that its affected IT systems “are unsecure and do not meet industry standards” for protecting customers’ PII, the complaint said. On information and belief, the defendant “failed to timely make changes to its data security systems, privacy policies, and its IT systems and servers,” exposing his and class members’ PII to the risk of theft, identity theft and fraud, it said.

The harm caused to Eggleton and class members “has already been suffered,” the complaint said. Even if companies that are hit by ransomware attacks, such as loanDepot, “pay the ransom, there is no guarantee that the criminals making the ransom demands will suddenly act honorably” and destroy customers’ PII, it said. “In fact, there is no motivation for them to do so, given the burgeoning market” for PII on the dark web, it said.

Eggleton asserts claims of negligence and negligence per se; breach of implied contract and fiduciary duty; violations of California’s Customer Records Act and Unfair Competition Law; invasion of privacy; and unjust enrichment, the complaint said. He seeks awards of actual, statutory, punitive and monetary damages; pre- and post-judgment interest; and attorneys’ fees and costs.