
InfoBytes Blog

Financial Services Law Insights and Observations

  • States pass legislation updating security freeze laws

    Privacy, Cyber Risk & Data Security

    On April 12, the Kansas governor signed HB 2580, which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for replacing a previously requested personal identification number. The law is effective July 1.

    Additionally, on April 10, the Iowa governor signed SF 2177, which updates the state’s security freeze law to prohibit CRAs from charging a fee to a consumer for placing, temporarily lifting, removing, or reinstating a security freeze on his or her credit report. Among other things, the law also (i) expands the methods a consumer may use to submit a request for a security freeze; (ii) reduces the time within which CRAs must commence a security freeze after receiving a request from five to three business days; (iii) requires CRAs to send written confirmation within three business days to a consumer after placing a security freeze; and (iv) states that if a consumer requests a security freeze from a CRA that “compiles and maintains files on a nationwide basis,” the CRA must attempt to identify other CRAs that also maintain nationwide files so that the consumer may request additional security freezes. The amendments generally take effect July 1, with the exception of certain provisions that take effect January 1, 2019.

    Visit here for additional InfoBytes coverage on states that have recently enacted similar prohibitions.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

  • Arizona governor amends data breach law, updates security freeze legislation

    Privacy, Cyber Risk & Data Security

    On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or license unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:

    • makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
    • adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
    • amends a provision concerning “substitute notice,” which removes requirements that a notification must be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
    • clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”

    Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. 

    Both bills are scheduled to take effect 91 days after the end of the legislative session.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

  • Oregon amends debt collection statute to expand coverage to debt buyers

    State Issues

    On April 3, the Oregon governor signed SB 1553, which amends Oregon’s debt collection laws to provide that a debt buyer (or a debt collector acting on a debt buyer’s behalf) engages in an unlawful collection practice if it collects or attempts to collect a debt without providing a debtor, within 30 days of their request, documents which establish the nature and amount of debt.

    State Issues Debt Collection State Legislation

  • States pass bills amending security freeze laws

    State Issues

    On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.

    On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.

    State Issues State Legislation Security Freeze Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • Washington governor enacts bill to provide student loan debt relief

    Lending

    On March 22, the Washington governor signed HB 1169, which establishes the student opportunity, assistance, and relief act to address student loan debt. Among other things, HB 1169 (i) repeals certain statutes allowing the suspension of a professional license or certificate due to student loan default; (ii) changes the judgment interest rate for unpaid private student loan debt to two percentage points above the prime rate, unless the judgment interest rate is specified in the contract; (iii) defines “private student loan,” and outlines exclusions, such as “an extension of credit made under an open-end consumer credit plan, a reverse mortgage transaction, a residential mortgage transaction, or any other loan that is secured by real property or a dwelling”; and (iv) outlines provisions and exemptions for bank account and wage garnishment. The act takes effect June 7.

    As previously covered in InfoBytes, earlier in March the Washington governor established the “Washington student education loan bill of rights” to outline licensing requirements and responsibilities for student loan servicers.

    Lending State Issues State Legislation Student Lending Debt Relief

  • Washington expands the state’s Service Member’s Civil Relief Act

    State Issues

    On March 22, the Washington governor signed HB 1056, which amends the Washington Service Member’s Civil Relief Act (WSCRA) to update the definition of “service member” and allow for a service member to terminate or suspend certain private contracts without penalty. Specifically, HB 1056 defines “service member” as “an active member of the United States armed forces, a member of a military reserve component, or a member of the national guard who is either stationed in or a resident of Washington state.” The law allows for a service member, after receiving orders for a permanent change of station or deployment (for at least 30 days), to terminate or suspend certain contracts for the following: telecommunication services, internet services, health studio services, and subscription television services. After proper written notice is given to the service provider for termination, suspension or reinstatement, the service member may not be charged a “penalty, fee, loss of deposit, or any other additional cost” due to the notice. Additionally, HB 1056 allows the Washington Attorney General to recover costs and fees in an action brought to enforce the WSCRA. The law becomes effective on June 7.

    State Issues SCRA Servicemembers State Legislation State Attorney General

  • West Virginia passes bill amending licensing requirements for mortgage loan originators

    Lending

    On March 22, the West Virginia governor signed HB 4285, which amends provisions under the West Virginia Safe Mortgage Licensing Act (Act) related to licensing requirements for mortgage loan originators, including those related to continuing education. HB 4285, among other things, (i) updates requirements for applicants registering for mortgage loan originator licenses; (ii) requires nonresident mortgage loan originators licensed under the Act to “acknowledge that they are subject to the jurisdiction of the courts of West Virginia”; (iii) outlines provisional license exceptions for loan originators; and (iv) specifies prelicensing and relicensing education requirements. The amendments take effect May 31.

    Lending State Issues State Legislation Mortgage Origination Mortgages Licensing

  • Multiple states pass bills addressing GAP waiver framework

    State Issues

    On March 28, HB 4186, which amends the Code of West Virginia by adding a section related to guaranteed asset protection waivers (GAP waivers), became law without the governor’s signature. Among other things, HB 4186 clarifies that GAP waivers are not insurance, and that GAP waivers issued after the bill’s effective date are exempt from West Virginia insurance laws. The bill also (i) specifies terms and conditions when offering GAP waivers; (ii) provides requirements for offering GAP waivers, including “contractual liability” obligations, certain disclosures, and cancellation/non-cancellation terms; and (iii) outlines exemptions, such as commercial transactions and GAP waivers sold or issued by federally regulated depository institutions. Additionally, HB 4186 clarifies the procedures a borrower must follow to activate benefits under a GAP waiver. The bill will apply to all GAP waivers in effect on or after July 1.

    On March 28, the Wisconsin governor signed Assembly Bill 663 (AB 663), which amends statutes related to GAP waivers sold in connection with the credit sale or lease of a vehicle. Among other things, AB 663 prohibits creditors from requiring borrowers to purchase GAP waivers and requires creditors to provide written disclosures to borrowers prior to, or at the time of execution, which (i) state that the purchase of a GAP waiver is optional; (ii) outline the costs and terms; and (iii) specify procedures borrowers are required to follow to receive GAP waiver benefits. AB 663 also addresses cancellation provisions for borrowers. Furthermore, the bill clarifies that GAP waivers are not insurance and that any cost to a borrower must be separately stated as part of the finance agreement and cannot be considered a finance charge or interest. AB 663 becomes effective September 1.

    Finally, on March 26, the Mississippi governor signed SB 2929, which clarifies that GAP waivers are not insurance and are therefore exempt from Mississippi insurance laws. Provisions promulgated under SB 2929 provide a framework for which GAP waivers may be offered to borrowers in the state and include (i) requirements for contractual liability and other policies to insure a GAP waiver; (ii) disclosure requirements; and (iii) cancellation policies for GAP waivers and procedures for borrowers to obtain a refund in the instance of cancellation or early termination. Similar to Wisconsin AB 663, any cost to a borrower associated with a GAP waiver must be separately stated as part of the finance agreement and cannot be considered a finance charge or interest. The act takes effect July 1.

    State Issues State Legislation GAP Waivers Disclosures Auto Finance

  • Alabama enacts data breach notification law

    Privacy, Cyber Risk & Data Security

    On March 28, the Alabama governor signed SB 318, The Alabama Data Breach Notification Act of 2018 (Act), which requires entities doing business in the state to (i) notify consumers within 45 days if their personal data has been compromised in a data breach; and (ii) notify the state Attorney General and consumer reporting agencies if more than 1,000 individuals have been impacted. The Act also states that third-party agents, entities that have been contracted to maintain, store, process, or otherwise access sensitive personally identifying information in connection with providing services to a covered entity, are required to notify the covered entity of a breach of security “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” Additionally, the Act gives the state Attorney General authority to prosecute a failure to disclose a data breach as an unlawful act or practice under the Alabama Deceptive Trade Practices Act, which can result in daily penalties of up to $5,000 per violation. However, entities that follow the notice requirements of industry-specific state or federal laws or regulations are exempt from the Alabama legislation. The law is effective June 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General

  • Florida enacts legislation prohibiting the misrepresentation of a residential mortgage loan as a business purpose loan

    Lending

    On March 21, the Florida governor signed HB 935, which prohibits the misrepresentation of a residential mortgage loan as a business purpose loan. HB 935 defines “business purpose loan” and requires that “a person must refer to the official interpretation” of the CFPB under 12 C.F.R. Section 1026.3(a) to determine if a loan is for a “business purpose.” It also provides penalties for knowingly or willfully misrepresenting a residential mortgage loan as a business purpose loan. Additionally, HB 935 defines the phrase “hold himself or herself out to the public as being in the mortgage lending business” to include representing to the public through advertisements or solicitations that the individual or business is a licensed mortgage lender. The law is effective July 1.

    Lending State Issues State Legislation Mortgages

