On Tuesday, Envestnet and its subsidiary finance data aggregator, Yodlee, were sued in a class-action complaint in the Northern District of California over their alleged failure to protect consumer data by selling and sharing it via unencrypted files, which the plaintiff claimed left her and the class vulnerable to fraud and identity theft.
Yodlee’s business “focuses on selling highly sensitive financial data, such as bank balances and credit card transaction histories, collected from individuals throughout the United States.” The plaintiff averred that Yodlee “surreptitiously collects such data from software products that it markets and sells to some of the largest financial institutions in the country,” including Bank of America, Merrill Lynch, and Citibank, as well as wealth management firms and digital payment platforms like PayPal.
These financial companies use Yodlee’s software to, for example, connect their systems to each other. In return, Yodlee obtains individuals’ financial data when they interact with the financial companies’ systems; however, according to the plaintiff, “these individuals often have no idea they are dealing with Yodlee,” which is allegedly “by design.”
Reportedly, Yodlee seamlessly integrates with a financial company’s current website or mobile app “in a way that obscures who the individual is dealing with and where their data is going.” For instance, when a person connects his bank account to PayPal, he will be prompted to log in to connect, and the login screen will replicate what would be shown if the individual “directly logged into (his) respective bank’s website.” The bank’s logo is “prominently displayed on each of the screens” an individual interacts with, and the consumer uses the same login credentials used for their bank.
The plaintiff alleged that an individual is not “prompted to create or use a Yodlee account.” Furthermore, the plaintiff argued that people are “not given accurate information about what Yodlee does or how it collects their data.” For example, plaintiff Deborah Wesch stated that while PayPal notes that Yodlee is involved in order to connect the bank accounts, it does not give the full extent of said involvement.
Additionally, the plaintiff proffered that Yodlee stores login information for bank accounts and then “exploits this information to routinely extract data from that user’s accounts without their consent.” Wesch asserted that when she was connecting her bank account to PayPal using Yodlee, she did not receive adequate disclosure, in violation of several privacy laws.
Envestnet and Yodlee have been accused of “mishandling the data they collected from individuals without authorization by distributing it in unencrypted plain text files.” The plaintiff alleged that since Yodlee has failed to take steps to safeguard this sensitive data, the plaintiff and the class are “at a significant risk of fraud and identity theft.” According to the plaintiff, this threat is heightened by Yodlee’s data reselling practice because those accessing this sensitive data could be using it “for nefarious purposes.”
The plaintiff claimed that she and the class have suffered economic damages, loss of control over valuable property, and increased risk of identity theft and fraud. Wesch also asserted that she and the class had a reasonable expectation of privacy and that Yodlee does not have adequate safeguards for the data.
In sum, the claims for relief for the aforementioned conduct include: common law invasion of privacy – intrusion upon seclusion; violations of the Stored Communications Act, various California Civil Code provisions, the California Unfair Competition Law, California’s Comprehensive Data Access and Fraud Act, California’s Anti-Phishing Act of 2005, and the Computer Fraud and Abuse Act; and unjust enrichment.
The plaintiff has sought to certify the class and appoint herself as class representative; declaratory, injunctive, and equitable relief; and an award for damages.
The plaintiff is represented by Robins Kaplan LLP and Lowey Dannenberg, P.C.