Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately.  The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach Credit Reporting Agency

    Share page with AddThis
  • Maryland alters certain mortgage broker finder’s fee restrictions

    State Issues

    On May 16, the Maryland legislature enacted, without the governor’s signature, HB 1511, which will alter Maryland’s mortgage broker “finder’s fee” law to place a limit on the amount a broker may charge on the same property more than once within a 24-month period. Effective October 1, the law will only allow a mortgage broker to charge a finder’s fee with respect to the same property within a 24-month period if the fee is equal to or less than eight percent of the initial loan amount, combined with (i) the finder’s fee charged on the initial loan; and (ii) any other finder’s fee collected during the 24-month period.

    State Issues State Legislation Mortgage Broker Mortgages Finder's Fee

    Share page with AddThis
  • Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

    Privacy, Cyber Risk & Data Security

    On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

    • In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
    • If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
    • Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
    • If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

    The law also includes security and notification requirements for Colorado governmental entities.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Consumer Protection

    Share page with AddThis
  • Louisiana governor signs amendments relating to consumer loan licensing

    State Issues

    On May 15, the Louisiana governor signed SB171, which amends a state statute that prescribes when a person acquiring or controlling ownership interest in a consumer loan licensee must obtain approval from the state’s commissioner. Under SB171, written approval by the commissioner must now be received for any person acquiring or controlling “[25] percent or more of the ownership interest in a licensee”—an amount previously set at 50 percent or more. The amendments also strike the requirement that “[a]ny person who acquires or anticipates acquiring a [75] percent interest in a licensee shall file for a new license prior to acquiring ownership of said interest either incrementally over a period of time or as one transaction.” The amendments became effective upon signature by the governor.

    State Issues State Legislation Licensing Consumer Lending

    Share page with AddThis
  • District of Columbia mayor passes bill to make code consistent with FTC, federal court interpretations of unfair or deceptive trade practices

    State Issues

    On May 21, District of Columbia Mayor Muriel Bowser signed B22-0185/D.C. Act 22-367 to, among other things, update portions of the District of Columbia’s Official Code concerning the term “unfair or deceptive trade practice” to make it consistent with interpretations made by the FTC and federal courts. Language under the Consumer Protection Clarification and Enhancement Amendment Act of 2018, has been amended to read as follows: “It shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby.” The amendments also increase the civil penalty for first violations of the act to not more than $5,000 per violation, and to not more than $10,000 for repeat violations. The act will take effect following a 30-day congressional review period.

    State Issues State Legislation Consumer Protection FTC

    Share page with AddThis
  • Louisiana governor amends data breach notification law; passes security freeze legislation

    Privacy, Cyber Risk & Data Security

    On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

    • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
    • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
    • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
    • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

    The amendments take effect August 1.

    Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach

    Share page with AddThis
  • Vermont legislation regulates data brokers and provides consumer protections

    Privacy, Cyber Risk & Data Security

    On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Data Brokers

    Share page with AddThis
  • Minnesota prohibits security freezes fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies for charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland governor signs provisions amending Maryland Consumer Loan Law’s small lending requirements

    State Issues

    On May 15, the Maryland governor signed legislation to establish requirements for lenders making covered loans in the state. Among other things, HB1297 increases the threshold for which a loan is subject to small lending requirements within the Maryland Consumer Loan Law (MCLL) from $6,000 to $25,000. The law also prohibits (i) lenders who are not licensed in the state from making loans of $25,000 or less, unless the person is exempt from requirements under MCLL; (ii) a person contracting “for a covered loan that has a rate of interest, charge, discount, or other consideration greater than the amount authorized under state law”; and (iii) covered loans that would be a violation of the Military Lending Act. Loans that violate these provisions are deemed void and unenforceable except in limited circumstances. The law takes effect January 1, 2019.

    State Issues State Legislation Licensing Lending Military Lending Act Usury Consumer Finance

    Share page with AddThis

Pages