Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Massachusetts attorney general launches data breach reporting portal

    Privacy, Cyber Risk & Data Security

    On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.

    The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Credit Reporting Agency Data Breach

    Share page with AddThis
  • Maryland issues bipartisan consumer protection recommendations

    State Issues

    On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or weaken […] important federal consumer protections.” New legislation in response to the recommendations is expected to be released in the near future. Key recommendations include, among other things: (i) requiring credit reporting agencies to provide an alert of data breaches promptly and provide free credit freezes; (ii) adopting new financial consumer protection laws in areas where the federal government may be weakening oversight; (iii) addressing potential issues with Maryland’s current payday and lending statutes; (iv) adopting the Model State Consumer and Employee Justice Enforcement Act that addresses forced arbitration clauses; and (v) adopting new laws that address new risk, such as, virtual currencies and financial technology.

    State Issues State Legislation Consumer Finance Data Breach Payday Lending Arbitration Virtual Currency Fintech Credit Reporting Agency

    Share page with AddThis
  • Senate Banking Committee Approves Financial Regulatory Relief Bill

    Federal Issues

    On December 5, the Senate Banking Committee approved bill S.2155, Economic Growth, Regulatory Relief, and Consumer Protection Act, which would alter certain financial regulations under the Dodd-Frank Act of 2010. While not as sweeping as previous legislative relief proposals (see previous InfoBytes coverage on House Financial CHOICE Act of 2017), the bill was introduced and passed the Committee with bipartisan support. The bill’s highlights include, among other things:

    • Consumer Access to Credit. The bill deems mortgage loans held in portfolios by insured institutions with less than $10 billion in assets to be “qualified mortgages” under TILA, and removes the three-day waiting period for TILA-RESPA Integrated Disclosures if the second credit offer is a lower rate. The bill also instructs the CFPB to provide “clearer, authoritative guidance” on certain issues such as the applicability of TRID to mortgage assumptions and construction-to-permanent loans. Additionally, the bill eases appraisal requirements on certain mortgage loans and exempts small depository institutions with low mortgage originations from certain HMDA disclosure requirements.
    • Regulatory Relief for Certain Institutions. The bill exempts community banks from Section 13 of the Bank Holding Company Act if they have, “[i] less than $10 billion in total consolidated assets, and [ii] total trading assets and trading liabilities that are not more than five percent of total consolidated assets” – effectively allowing for exempt banks to engage in the trading of, or holding ownership interests in, hedge funds or private equity funds. Additionally, the bill raises the threshold of the Federal Reserve’s Small Bank Holding Company Policy Statement and the qualification for certain banks to have an 18-month examination cycle from $1 billion to $3 billion.
    • Protections for Consumers. Included in an adopted “manager’s amendment,” the bill requires credit bureaus to provide consumers unlimited free security freezes and unfreezes. The bill also limits certain medical debt information that can be included on veterans’ credit reports.
    • Changes for Bank Holding Companies. The bill raises the threshold for applying enhanced prudential standards from $50 billion to $250 billion.

    The bill now moves to the Senate, which is not expected to take up the package before the end of this year.

    Federal Issues Senate Banking Committee Dodd-Frank Federal Legislation TILA RESPA TRID Federal Reserve OCC FDIC Mortgages HMDA Credit Reporting Agency

    Share page with AddThis
  • CFPB Fines Loan-Servicing Software Company $1.1 Million for Flaws Leading to the Reporting of Inaccurate Consumer Information

    Consumer Finance

    On November 17, the CFPB ordered a loan-servicing software company to pay a $1.1 million penalty for errors that resulted in the company furnishing incorrect consumer information related to over one million borrowers to the credit reporting agencies. The consent order alleges that the company violated the Consumer Financial Protection Act when its third-party software application generated and furnished inaccurate and incomplete information to consumer reporting agencies because of known software defects. The company allegedly did not share the existence of the defects with its auto-lender clients. In addition to the civil money penalty, the company was ordered to: (i) explain its errors to its clients; (ii) fix the faulty software; and (iii) provide the Bureau with a compliance plan outlining how it plans to identify and fix the defects, as well as ensure that the software is capable of reporting accurate information.

    Consumer Finance CFPB Enforcement Credit Reporting Agency Credit Scores CFPA UDAAP

    Share page with AddThis
  • District Court Upholds $60 Million Jury Verdict for Credit Reporting Agency’s Use of OFAC Alert

    Courts

    On November 7, the Northern District Court of California upheld a $60 million jury verdict against a credit reporting agency regarding the use of its OFAC Alert (previously covered by InfoBytes). The verdict stems from a 2012 class action lawsuit in which the plaintiffs alleged that the defendant had failed to distinguish law-abiding citizens from drug traffickers, terrorists, and other criminals with similar names found on the Treasury Department’s OFAC database. Following the defendant's motion for judgment as a matter of law or a new trial, the district court agreed with the jury’s findings that the defendant (i) “willfully fail[ed] to follow reasonable procedures to assure the maximum possible accuracy of the OFAC information it associated with members of the class’’; (ii) “willfully failed to clearly and accurately disclose OFAC information in the written disclosures it sent to members of the class”; and (iii) “failed to provide class members a summary of their FCRA rights with each written disclosure made to them.”

    Courts FCRA OFAC Credit Reporting Agency Consumer Finance

    Share page with AddThis
  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach

    Share page with AddThis
  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance

    Share page with AddThis
  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair and deceptive acts and practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo released a notice directing the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State Attorney General NYDFS Enforcement Data Breach

    Share page with AddThis
  • Buckley Sandler Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation

    Privacy, Cyber Risk & Data Security

    On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
    One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.

    ***
    Click here to read full special alert.

    If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Credit Reporting Agency

    Share page with AddThis
  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identify theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

    Share page with AddThis

Pages