InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Hawaii extends work from home guidance
The Hawaii Department of Financial Institutions extended interim guidance permitting certain licensees with a physical presence to reduce hours or work from home to coincide with local mayor’s orders (see previous coverage here, here, here and here). The department explained that licensees may continue work from home status until applicable mayor’s orders are lifted. The department will also continue remote work status.
FDIC announces first-ever chief innovation officer
On February 16, the FDIC announced the appointment of Sultan Meghji as the agency’s first Chief Innovation Officer. Prior to the FDIC, Meghji was the co-founder of a financial technology firm that provides, “secure, cloud-native, artificial intelligence-based software for community banks and credit unions.” Additionally, Mr. Meghji served as an advisor to the U.S. Treasury, the Group of Seven (G7), the OCC, and the FBI in the areas of cybersecurity, quantum computing, and artificial intelligence. In accepting the position, Meghji stated that his mission “is to engage both public and private sector partners to ensure the financial system of the future is innovative, resilient, and equitable.”
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Disclosures. The bill will require businesses that collect consumers’ personal data to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Businesses will also be prohibited from collecting or using additional categories of personal information without first notifying consumers.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
NYDFS announces cybersecurity fraud alert
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDYS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).
Court holds satellite provider not liable for telemarketer’s calls
On February 12, the U.S. District Court for the Northern District of Georgia granted summary judgment in favor of a satellite TV company as to a class action’s TCPA claims, concluding that the company was not liable for its telemarketing service provider’s cold calls. As previously covered by InfoBytes, a consumer filed a class action against the company alleging that the company failed to maintain an “internal do-not-call list,” which allowed the company and its telemarketing service provider to contact him eighteen times after he repeatedly asked to not be contacted. The consumer sought certification “of all persons who received more than one telemarketing call from [the telemarketing service provider] on behalf of [the company] while it failed to maintain an internal do-not-call list.” The district court certified two representative classes: the Internal Do Not Call (IDNC) class and the National Do Not Call (NDNC) class. The company appealed the IDNC class and the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification of the IDNC class. The company then moved for summary judgment on the certified NDNC class claims and plaintiff’s individual IDNC claim.
Upon review, the court granted summary judgment in favor of the company concluding that there was no evidence that (i) the cold calls were made by the telemarketing provider within its actual authority from the company; (ii) the company made representations sufficient to give the telemarketing provider the apparent authority to make the cold calls; or (iii) the company ever ratified the cold calls. Specifically, the court noted that not only did the company “categorically ban[] all residential and cellular cold calls,” it also “regularly issued reminders that [the telemarketing provider] was required to continue implementation of national-do-not-call procedures in compliance with the TCPA.”
OCC says storm-affected banks may close
On February 16, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by Winter Storm Uri “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Find continuing InfoBytes coverage on disaster relief here.
OFAC revokes Yemen-related general licenses and designations
On February 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) revoked and archived five counter terrorism-related general licenses (GL) related to the Ansarallah designations after the U.S. Department of State determined that Ansarallah would “no longer be[] blocked pursuant to the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594, the Foreign Terrorist Organizations Sanctions Regulations, 31 C.F.R. part 597, or Executive Order 13224, as amended.” Specifically, OFAC revoked GL 9, “Official Business of the United States Government,” GL 10, “Official Activities of Certain International Organizations,” GL 11, “Certain Transactions in Support of Nongovernmental Organizations’ Activities in Yemen,” GL 12, “Transactions Related to the Exportation or Reexportation of Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components or Software Updates,” and GL 13,“Authorizing Transactions Involving Ansarallah.” Additionally, OFAC removed frequently asked questions 875, 876, and 877 from its website and made deletions to the Specially Designated Nationals and Blocked Persons list.
Court again rejects “unconscionable” arbitration provision
On February 12, the U.S. District Court for the Northern District of West Virginia denied for a second time a satellite TV provider’s (defendant) motion to compel arbitration in a TCPA class action, concluding that the arbitration provision was “overbroad, absurd and unconscionable.” As previously covered by InfoBytes, the plaintiff filed a lawsuit against the defendant alleging the defendant violated the TCPA by making automated and prerecorded telemarketing calls to an individual even though her number was on the National Do Not Call Registry. The defendant moved to compel arbitration, claiming that the plaintiff’s dispute was covered by an arbitration agreement in the contract governing her cell phone service with a telecommunications company, which is an affiliate of the defendant. The district court denied the request, ruling that the allegations “did not fall within the scope of the arbitration agreement.” On appeal, the U.S. Court of Appeals for the Fourth Circuit issued a split opinion vacating a district court’s decision with the majority concluding that the allegations fit within the broad scope of the arbitration agreement, and that even though the plaintiff agreed to arbitration with a telecommunications company in 2012, the agreement extends to the TCPA allegations against the defendant after the telecommunications company acquired the defendant in 2015. Specifically, the appellate court stated that the arbitration agreement had a “forward-looking nature,” and that it seemed unlikely that the telecommunications company and its affiliates “intended to restrict the covered entities to those existing at the time the agreement was signed.” The 4th Circuit remanded the case back to the district court for consideration of unconscionability.
On remand, the district court again denied the motion, stating that the “arbitration provision is overbroad, absurd and unconscionable, and far exceeds anything contemplated by Congress in enacting the [Federal Arbitration Act].” Specifically, the court stated the plaintiff was “an ordinary wireless consumer” given a “small electronic pinpad device” with a few lines of the agreement displayed at a time and an option to skip to an acknowledgment screen, which required her signature, in order to “obtain her line of service.” She would then be “irrevocably locked in to face demands that she arbitrate any dispute arising out of any relationship with virtually any of [the telecommunications company]’s corporate cousins—a list that could, overtime, comprise [] current competitors or not-yet created subsidiaries.” Because the arbitration provision was unconscionably broad, the court denied the motion to arbitrate.
Texas updates guidance for property tax lenders to work with consumers
On February 18, the Texas Office of the Consumer Credit Commissioner updated its advisory bulletin urging property tax lenders to work with consumers during the Covid-19 crisis (previously discussed here, here, here, and here) Among other measures, the regulator urges licensees to increase consumer communication regarding the effects of Covid-19 for licensees, work out modifications for payment difficulties, and review policies for fees, late charges, delinquency practices, and repossessions. The guidance also: (i) reminds licensees of legal requirements for using electronic signatures, and (ii) continues to permit licensees to conduct activity from unlicensed locations, subject to certain conditions. The guidance is in effect through March 31, 2021, unless withdrawn or revised.
Texas updates guidance for regulated lenders
On February 18, the Texas Office of the Consumer Credit Commissioner issued updated guidance (previously covered here, here, here, here, and here) for regulated lenders relating to the Covid-19 crisis. The guidance: (1) encourages lenders to work with consumers, including by working out modifications to assist with payments, and reviewing policies for fees, late charges, delinquency practices, and repossessions, among other things; (2) reminds lenders of legal requirements for using electronic signatures; and (3) permits lenders to conduct regulated lending activity from unlicensed locations, subject to certain conditions. The guidance is in effect through March 31, 2021, unless withdrawn or revised.