Envestnet and its Yodlee software subsidiary have been sued over the way Yodlee collects, uses and secures consumer data.
In a class action suit filed Aug. 25 in U.S. District Court for the Northern District of California, plaintiff Deborah Wesch of New Jersey says she and other consumers have been put at risk by the companies because they have not been adequately protecting consumer data and have failed to put in place sufficient security protocols in the U.S.
Many U.S. consumers often don’t even know they are providing their personal data to the firms because Yodlee “surreptitiously collects such data from software products that it markets and sells to some of the largest financial institutions in the country,” including Bank of America, Citibank and Merrill Lynch, as well as digital payment platforms including PayPal, Wesch alleged in the complaint.
“Yodlee, in turn, acquires financial data about each individual that interacts with the software installed on its customers’ systems,” but those individuals “often have no idea they are dealing with Yodlee,” according to the complaint.
Envestnet on Wednesday denied the accuracy of the claims. “We believe the claims filed are baseless and intend to vigorously defend ourselves,” an Envestnet | Yodlee spokesperson told ThinkAdvisor by email.
“As a matter of policy, neither Envestnet nor Yodlee comments on pending litigation. However, we adhere to leading industry practices for data security and privacy and adhere to applicable laws and industry guidance regarding the use of consumer data,” the spokesperson added.
Wesch “connected her PNC Bank account to PayPal using a Yodlee-powered portal in order to facilitate transfers among those accounts,” she said in the complaint, adding: “At no time was it disclosed by PayPal, Yodlee, or PNC Bank that the Defendants would continuously access Plaintiff’s bank account to extract and sell data without her consent.”
That was “especially troubling as reports have revealed that Defendants are mishandling the data they collected from individuals without authorization by distributing it in unencrypted plain text files,” the complaint alleged, adding: “These files, which can be read by anyone who acquires them, contain highly sensitive information that make it possible to identify the individuals involved in each transaction.”