Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Minnesota amends health care provision in extensive new law

    Privacy, Cyber Risk & Data Security

    On November 9, the State of Minnesota enacted Chapter 70--S.F.No. 2995, a large bill to amend certain sections of its current health care provisions. The bill covers extensive changes to healthcare provisions, from prescription contraceptives, hearing aids, mental health, long COVID, and childcare, among many others.

    One of the significant new laws requires a hospital to first check if a patient’s bill is eligible for charity care before sending it off to a third-party collection agency. Further, the bill places new requirements on hospitals collecting on a medical debt before it can “garnish wages or bank accounts” of an individual. The Minnesota law also outlines how a hospital wishing to use a third-party collection agency, must first complete an affidavit attesting that it has checked if the patient is eligible for charity care, confirmed proper billing, given the patient the opportunity to apply for charity care, and, under certain circumstances, if the patient is unable to pay in one lump sum, offered a reasonable payment plan instead.

    Privacy Privacy, Cyber Risk & Data Security Minnesota Health Care Medical Debt Debt Collection

  • FTC approves amendment to Safeguards Rule requiring nonbanks to report data breaches

    Privacy, Cyber Risk & Data Security

    On October 27, the FTC approved an amendment to the Safeguards Rule to require nonbanks to report data breaches. Under the amended rule, financial institutions, including mortgage brokers, motor vehicle dealers, and payday lenders, will be required to notify the FTC of data breaches as soon as possible, and no later than 30 days after the discovery of incident involving at least 500 consumers. Notice of an incident is required if unencrypted consumer information was acquired without their authorization, as the FTC noted that encrypted consumer information is unlikely to cause consumer harm. The FTC will provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. Additionally, the amended rule will require nonbanks to “to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.” As previously covered by InfoBytes, the FTC recently extended compliance on some Safeguards provisions finalized in October 2021 (covered by InfoBytes here), to June of this year.

    The commission voted 3-0 to publish the amendment, which will become effective 180 days after its publication in the Federal Register.

    Privacy, Cyber Risk & Data Security Federal Issues Data Breach FTC Safeguards Rule Nonbank Supervision

  • President Biden issues Executive Order targeting AI safety

    Federal Issues

    On October 30, President Biden issued an Executive Order (EO) outlining how the federal government can promote artifical intelligence (AI) safety and security to protect US citizens’ rights by: (i) directing AI developers to share critical information and test results with the U.S. government; (ii) developing standards for safe and secure AI systems; (iii) protecting citizens from AI-enabled fraud; (iv) establishing a cybersecurity program; and (v) creating a National Security Memorandum developed by the National Security Council to address AI security.

    President Biden also called on Congress to act by passing “bipartisan data privacy legislation” that (i) prioritizes federal support for privacy preservation; (ii) strengthens privacy technologies; (iii) evaluates agencies’ information collection processes for AI risks; and (iv) develops guidelines for federal agencies to evaluate privacy-preserving techniques. The EO additionally encourages agencies to use existing authorities to protect consumers and promote equity. As previously covered by InfoBytes, the FCC recently proposed to use AI to block unwanted robocalls and texts). The order further outlines how the U.S. can continue acting as a leader in AI innovation by catalyzing AI research, promoting a fair and competitive AI ecosystem, and expanding the highly skilled workforce by streamlining visa review.

    Federal Issues Privacy, Cyber Risk & Data Security White House Artificial Intelligence Biden Executive Order Consumer Protection

  • 7th Circuit: Court upholds dismissal of FDCPA lawsuit over debt information sharing

    Courts

    On October 23, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a consumer’s putative class action lawsuit alleging that a collection agency violated the FDCPA by sharing the consumer’s debt information with a third-party vendor. The court ruled that the consumer lacked standing because she did not sustain an injury from the sharing of her information.

    To collect a defaulted credit-card debt, the defendant collection agency used a third-party vendor to print and mail a collection letter to the consumer. The consumer alleged that the collection agency violated the FDCPA by disclosing to the vendor the consumer’s personal information, and the disclosure was analogous to the tort of invasion of privacy. The appeals court disagreed, reasoning that the sharing of a debtor’s data with a third-party mail vendor to populate and send a form collection letter that caused no cognizable harm, legally speaking. The court also noted that the U.S. Courts of Appeal for the Tenth and Eleventh Circuits have reached similar conclusions. “The transmission of information to a single ministerial intermediary does not remotely resemble the publicity element of the only possibly relevant variant of the privacy tort.”

    Courts Privacy, Cyber Risk & Data Security Seventh Circuit FDCPA Class Action Appellate Credit Cards

  • SEC announces 2024 examination priorities, excludes ESG

    Securities

    On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area[]” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.

    According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology”  section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of its systems, including physical security of the systems housed in data centers.

    SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.

    Securities SEC Examination Digital Assets Fintech Compliance Privacy, Cyber Risk & Data Security

  • Healthcare clearinghouse settles for $1.4M over data breach

    Privacy, Cyber Risk & Data Security

    On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, when the U.S. Department of Health and Human Services discovered that personal health information maintained by the company was available through search engines, which appeared to be the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notification to impacted customers for over three months and sent notices to impacted consumers that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.

    Privacy, Cyber Risk & Data Security Data Breach State Attorney General Settlement Indiana

  • CFPB proposes rule to accelerate a shift toward open banking

    Agency Rule-Making & Guidance

    On October 19, the CFPB announced a proposed rule that it said would accelerate a shift toward open banking, would give consumers more control over their financial data, and would offer new protections against companies misusing consumer data. The proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago, Section 1033 of the Consumer Financial Protection Act. According to the CFPB, the rule would “jumpstart competition” by prohibiting financial institutions from “hoarding” a person’s data and requiring companies to share data with other companies at the consumer’s direction about their use of checking and prepaid accounts, credit cards, and digital wallets. This would allow consumers to access competing products and services while ensuring that their data would be used only for their own preferred purpose. Among other things, the proposed rule would ensure that consumers: (i) can obtain their personal financial data at no cost; (ii) have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts; and (iii) can walk away from bad service. Comments on the proposed rule must be received on or before December 29, 2023.

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Protection Privacy, Cyber Risk & Data Security Open Banking

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during its yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.

     

    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts two privacy bills AB 1194 and AB 947

    State Issues

    On October 8, the California governor signed two bills, AB 947 amending the California Consumer Privacy Act of 2018, and AB 1194 amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” business are obligated to comply with CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. CRPA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.

    AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.

    State Issues Privacy, Cyber Risk & Data Security State Legislation CPRA CCPA Consumer Protection

  • Software provider settles allegations related to data breach

    Privacy, Cyber Risk & Data Security

    On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and inadequately responded to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).

    According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations and the provider waited two months before informing these clients of the breach.

    The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.

    Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.

     

    Privacy, Cyber Risk & Data Security SEC Data Breach HIPAA Consumer Protection Settlement

Pages

Upcoming Events