Inside Loandepot's plan to settle data breach claims

A pending agreement between Loandepot and class action plaintiffs to resolve data breach claims is more nuanced than its $25 million settlement fund.

A resolution for litigation over the hack the lender and servicer suffered in January is pending a federal judge’s approval. The agreement, according to court filings, was reached in June and before potentially costly motions for summary judgement and dismissal were filed. Loandepot denies any wrongdoing in the settlement. 

“While plaintiffs are confident in the merits of the case, plaintiffs understand Loandepot lacks insurance and assets to satisfy a judgment in excess of the settlement fund amount without risking insolvency,” wrote attorneys for plaintiffs. 

The parties suggest the total settlement benefit for the 16,924,007 affected persons could exceed $86 million. A spokesperson for the lender Thursday declined to comment beyond the filing, while attorneys for plaintiffs didn’t return requests for comment. 

The Irvine, California-based company in January said an unnamed, unauthorized third party gained access to its systems between Jan. 3 and Jan. 5, compromising personal identifying information including clients’ Social Security numbers. Customers subsequently filed 20 class action lawsuits for claims including negligence and violation of state consumer laws, complaints that were consolidated in a California court. 

If approved, the agreement would be one of the larger, if not the largest, data breach settlement by a mortgage lender in recent years. 

Consumer awards

Individual payments would be determined by the participation rate of the proposed class’ millions of members. A participation rate of 1% would equate to payouts of $70.71 per consumer, according to the lawsuit, while a 10% participation rate would deliver $5.30 per individual. 

A $3.65 million fund for 2.4 million members of a California subclass is also included in the $25 million amount. Those individuals could receive up to $149.04 each under a 1% participation rate, or down to $14.90 for a 10% participation rate. 

If either class of consumers were to receive less than $3.00 per individual, no payments would initially be made and the parties would confer again how to distribute the funds, according to the settlement. 

The 20 named plaintiffs, or class representatives, will request awards of $2,500 each. Class members can also request $5,000 for out-of-pocket expenses they can prove are related to identify theft stemming from the incident. Counsel for the consumers will seek an award of no more than $7.5 million they say they’ll divide evenly amongst themselves. 

Also coming out of the $25 million will be administrative funds, expected to be around $1.5 million related to notifications and distribution. 

The cost for identity theft and fraud protection services will also be drawn out of the settlement fund. Parties said each subscription is valued at $12.95 per month for each participating class member, or $310.80 for the 2-year period. The sides estimate a $52 million benefit for every 1% of class members receiving financial monitoring, part of the agreement’s suggested $86 million total benefit. 

Loandepot’s expenses

The lender is also describing $9.34 million in business expenses as a benefit for plaintiffs. Those moves include enhancements in data management, identity protection, cloud security and threat detection capabilities, according to the filing. The business improvements will not come out of the settlement fund, and Loandepot figures that number into the total $86 million expected benefit.

Following distribution, any remaining settlement funds will be paid out to class members. None of the monies will revert back to the lender. 

In its third quarter earnings report, Loandepot said it recognized $22.8 million of expenses related to the breach net of insurance recoveries, including the $25 million settlement. 

A hearing for preliminary approval is scheduled for Jan. 13. 

The hack at Loandepot was the largest, by number of consumers affected, in recent years among lenders. Mr. Cooper last November also suffered a cybersecurity incident compromising the PII of 14.7 million of its customers. The massive servicer recently sued its insurers for $30 million of losses they have yet to indemnify.