Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately.  The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach Credit Reporting Agency

    Share page with AddThis
  • 9th Circuit affirms credit reporting agency’s code data did not violate the FCRA


    On May 29, the U.S. Court of Appeals for the 9th Circuit affirmed summary judgment for a national credit reporting agency, holding that the company did not violate the Fair Credit Reporting Act (FCRA) in its reporting of short sales executed by the plaintiffs. The decision results from a proposed class action suit alleging that the credit reporting agency violated the FCRA by reporting short sales executed between 2010 and 2011 with code numbers that misreported the data as foreclosures. In September 2016, the lower court found that the credit reporting agency provided creditors with clear instructions on how to interpret the code system and Fannie Mae’s Desktop Underwriter program misinterpreted the “settled” code number “9” as a foreclosure, which was not the credit reporting agency’s fault. In affirming the lower court’s decision, the 9th Circuit held that the credit reporting agency “clearly and accurately disclosed to [consumers] all information that [the company] recorded and retained that might be reflected in a consumer report.” Additionally, the panel noted that the credit reporting agency was not required to report that Fannie Mae mishandled the code data when it became aware of it.

    Courts Ninth Circuit FCRA Credit Reporting Agency Short Sale Foreclosure Fannie Mae Appellate

    Share page with AddThis
  • Minnesota prohibits security freezes fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies for charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland expands authority over credit reporting agencies

    State Issues

    On May 8, Maryland governor Larry Hogan signed HB848, which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.

    State Issues Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • 7th Circuit affirms summary judgment for consumers in FDCPA suit


    On May 2, the U.S. Court of Appeals for the 7th Circuit affirmed four district court decisions granting summary judgment in favor of consumers who alleged a debt collector violated the Fair Debt Collection Practices Act (FDCPA) by communicating debts to credit reporting agencies without indicating the debts were disputed. According to the opinion, the debt collector sent the four consumers a debt validation notice regarding an alleged credit card debt. More than 30 days later, a local legal aid organization sent the debt collector’s general counsel a notice of representation for each of the four consumers, noting, “the amount reported is not accurate.” After the attorney letters were sent, the debt collector reported the debts to the credit reporting agencies. The consumers each filed a separate action in district court alleging a violation of the FDCPA, and each district court granted the consumer summary judgment, finding the debt collector did not handle the letters properly. In the consolidated appeal, the 7th Circuit agreed with the district courts, holding that the actions of the debt collector were “a clear violation of the statute” as each attorney letter stated the amount was inaccurate and the debt collector still reported the debts without noting they were disputed. While the panel noted that there is no clear definition of “dispute” under the FDCPA, the court concluded, “there is simply no other way to interpret [the] language” of the attorney letter, rejecting the debt collector’s “bona fide error defense.”

    Courts Seventh Circuit Appellate FDCPA Credit Reporting Agency Debt Collection

    Share page with AddThis
  • Senators release report on credit reporting agency from data in CFPB’s public complaint database

    Federal Issues

    On April 30, three Democratic Senate Banking Committee members released a report addressing publicly available complaints the CFPB received regarding the 2017 data breach announcement by a national credit reporting agency. In a letter to the CFPB, which accompanied the release of the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protection the millions of consumers harmed by the breach.” Additionally, the Senators make a plea for the CFPB to continue to keep consumer complaints public, citing to recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement—which reportedly affected 143 million American consumers—the CFPB received over 20,000 complaints against the company. Of the 20,000 complaints, the issues consumers mentioned include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites to specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.

    Federal Issues CFPB Consumer Complaints Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

    Share page with AddThis
  • District court grants partial summary judgment, rules bank did not violate federal and state fair credit reporting laws


    On April 25, the U.S. District Court for the Northern District of California granted a bank’s partial motion for summary judgment, holding that a Fair Credit Reporting Act (FCRA) disclosure and authorization form (disclosure form) completed by the plaintiff as part of the bank’s background check hiring process did not violate federal and state fair credit reporting laws. The plaintiff—who brought the proposed class action suit following the bank’s decision not to hire plaintiff following an offer of employment that was contingent upon a satisfactory background check—asserted claims under the FCRA, the California Investigative Consumer Reporting Agencies Act (ICRA), and the California Consumer Credit Reporting Agencies Act (CCRA), including that (i) the disclosure form was not a standalone document; (ii) the disclosure did not accurately identify the investigative consumer reporting agency; and (iii) the bank failed to comply with CCRA disclosure requirements.

    Addressing whether the disclosure form, which “appeared as a separate and distinct web page separated from the rest of the documents,” violated the FCRA, the court ruled that because it “was a stand-alone document that contained no extraneous information or liability waiver” it was in compliance. The court also determined that the bank did not violate the ICRA because it was only required to disclose the agency it engaged to provide an investigative consumer report, not the various sources the agency itself may have used when conducting its investigation. Finally, the court ruled that the plaintiff’s argument that the disclosure form failed to comply with the CCRA lacked merit because—although the bank could not apply an exemption under state law to the section allegedly violated—the bank’s disclosure form complied with the CCRA’s disclosure requirements, and furthermore, the bank was not required to disclose the reasons for requesting the report nor the “various repositories” of information the disclosed source used when compiling the report.

    Courts State Issues FCRA Credit Reporting Agency Disclosures

    Share page with AddThis
  • State judge says Massachusetts can sue credit reporting agency over data breach

    Privacy, Cyber Risk & Data Security

    On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.

    Privacy/Cyber Risk & Data Security Courts State Attorney General State Issues Data Breach Credit Reporting Agency

    Share page with AddThis
  • States pass bills amending security freeze laws

    State Issues

    On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.

    On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.

    State Issues State Legislation Security Freeze Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

    Share page with AddThis