
InfoBytes Blog

Financial Services Law Insights and Observations


  • CSBS announces Nonbank Model Data Security Law

    Privacy, Cyber Risk & Data Security

    The Conference of State Bank Supervisors (CSBS) recently released a comprehensive framework for safeguarding sensitive information held at nonbank financial institutions. CSBS’s Nonbank Model Data Security Law is largely based on the FTC’s updated Safeguards Rule, which added specific criteria for financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, to undertake when conducting risk assessments and implementing information security programs. (Covered by InfoBytes here.) Adopting the Nonbank Model Data Security Law allows for a streamlined and efficient approach to data security regulations for nonbank financial institutions, CSBS explained, adding that by leveraging the existing Safeguards Rule’s applicability to state covered nonbanks, the model law imposes minimal additional compliance burdens and ensures smoother implementation for financial institutions. States can also choose an alternative approach by requiring nonbank financial institutions to conform to the Safeguards Rule, CSBS said.

    The Nonbank Model Data Security Law outlines numerous provisions, which are intended to protect customer information, mitigate cyber threats, and foster a secure financial ecosystem. These include standards for safeguarding customer information, required elements that must be included in a nonbank financial institution’s information security program, and an optional section that requires entities to notify the commissioner in the wake of a security event. CSBS noted that because “the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.” CSBS also provided a list of resources for adopting the Nonbank Model Data Security Law.

    Privacy, Cyber Risk & Data Security State Issues CSBS Nonbank FTC Safeguard Rule Compliance

  • California AG warns against unlawful employer-driven debt arrangements

    State Issues

    On July 25, California Attorney General Rob Bonta issued a Legal Alert to remind all employers of state-law restrictions on employer-driven debt. Bonta highlighted concerns about employers engaging in exploitative practices that lead to employees accumulating debts as a result of their employment. (Also covered by InfoBytes here.) Such practices may include employers withholding wages, failing to reimburse necessary expenses, or charging fees that are unlawful under California labor laws.

    The alert outlines that employer-driven debt arrangements may violate California Labor Code section 2802, “which mandates that employers ‘indemnify employees for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties.’” Regarding job training, the alert mentions that California law forbids employers from making workers repay training costs, except in two cases: (i) when the training is necessary for legally practicing the profession, and (ii) when the worker voluntarily undertakes the training, not due to employer mandate. The alert warns companies that engage in exploitative practices that the protections established in the Labor Code cannot be waived by contract. The alert also states that such practices risk violating the state’s Rosenthal Fair Debt Collection Practices Act, which “prohibits an employer or its agent from engaging in unfair or deceptive acts or practices when attempting to collect on employer-driven debt.” Finally, the alert notes that if an employer takes advantage of a worker’s lack of information or knowledge about the risks or costs of the debt, they may violate the California Consumer Financial Protection Law.

    State Issues State Attorney General California Consumer Finance Employer-Driven Debt Products

  • Supreme Court of New York: FDCPA does not require collectors to explain how debt is acquired

    Courts

    On July 19, the Supreme Court of the State of New York filed an order granting defendants’ motion for summary judgment, ruling that the FDCPA does not require debt collectors to provide debtors with proof of how they came to acquire the debt from the original creditor. One of the defendants purchased plaintiff’s defaulted credit card debt, which was placed with the second defendant for collection. The second defendant sent plaintiff a collection letter that identified the original creditor, along with the last four digits of the account number and identified the current creditor by name. Plaintiff sued, alleging violations of several sections of the FDCPA, claiming the letter was “false, deceptive, and misleading” because he never entered into a transaction with the current creditor and that the defendants reported the alleged debt to the credit reporting agencies. Plaintiff also maintained that prior to filing the lawsuit, he sought to validate the alleged debt but that neither defendant provided information sufficient to establish the current creditor’s ownership of the debt. Defendants filed for summary judgment seeking dismissal of plaintiff’s claims. In granting the motion, the court held that nothing in the FDCPA requires debt collectors “to educate the debtor ‘with proof, or at least a narrative, as to how it came to acquire the debt from [the] original creditor,’” and that the statute does not require plaintiffs to be notified when their debt is sold.

    Courts State Issues FDCPA Debt Collection Consumer Finance New York

  • DOE recognizes states’ role in investigating student loan servicers

    Agency Rule-Making & Guidance

    On July 24, the Department of Education (DOE) issued a final interpretation to clarify that the Higher Education Act (HEA) preempts state laws and other applicable federal laws “only in limited and discrete respects.” Specifically, the final interpretation revises and clarifies the DOE’s position on the legality of state laws and regulations regarding certain aspects of federal student loan servicing, including preventing unfair or deceptive practices, correcting misapplied payments, or addressing servicers’ refusals to communicate with borrowers.

    The final interpretation supersedes a 2021 DOE interpretation (covered by InfoBytes here), as well as prior statements and interpretations issued by the agency, which addressed state regulation of the servicing of student loans under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program. Following a review of public comments, the DOE modified its interpretation to more clearly describe the standard for conflict preemption, explaining that recent court rulings on the issue of conflict preemption have consistently found that the HEA does not prioritize maintaining uniformity in federal student loan servicing, and that as a result, the courts have upheld the authority of individual states to address fraud and affirmative misrepresentations in the federal student aid program without being hindered by federal preemption. Additionally, the DOE noted that courts have consistently applied conflict preemption to state laws that require licensing of the DOE’s student loan servicers, particularly in limited circumstances where the licensing requirement aims to disqualify a federal contractor from operating within the state. The final interpretation states that it is firmly established that states cannot hinder the federal government's ability to choose its contractors by imposing such licensing requirements, noting that two courts recently concluded that such preemption also applies to a state’s refusal to license federal student loan servicers.

    The final interpretation is effective immediately.

    Agency Rule-Making & Guidance State Issues Department of Education Student Lending Student Loan Servicer Higher Education Act Preemption

  • District Court says bank discrimination suit can proceed

    Courts

    On July 21, the U.S. District Court for the Western District of Michigan denied a bank’s motion to dismiss plaintiff’s allegations that she was discriminated against on the basis of race when her account was frozen due to a purported suspicious deposit. Plaintiff, an African-American woman, sued the bank claiming violations of both federal and state anti-discrimination laws after she was allegedly questioned by bank employees about the authenticity of a check she tried to deposit in the amount of $27,616, which was money she received from a legal settlement. Plaintiff claimed that the bank maintained the check was fraudulent and soon afterward froze her account and deactivated her debit card. Plaintiff further stated that her debit card remained frozen even after her attorney explained the legal settlement to the bank and her check was cleared. Claiming the bank’s treatment was racially discriminatory, plaintiff maintained that because bank “employees assumed that her ‘having money must be evidence of fraud or wrongdoing,’” she suffered financial hardships and “significant emotional and physical distress.” The bank argued that plaintiff failed to state a claim because she has not shown a connection between the bank’s actions and her race and claimed the bank employees were acting to prevent fraud.

    The court disagreed, ruling that due to the bank’s alleged actions and the fact that plaintiff’s account was frozen in violation of its own policies, discriminatory intent is plausible. The court noted that “most significantly,” plaintiff’s account remained frozen for eight days after the check cleared and the possibility of fraud was discounted. The court reasoned that defendant failed to explain why its fraud-prevention policies would justify keeping an account frozen after a check has been cleared. “[A] defendant’s hostile treatment of a plaintiff can allow for an inference of discriminatory intent even if the defendant’s actions lack a direct connection to race,” the court wrote, noting that fraud prevention does not fully explain all of the bank’s actions, which “went beyond” simply conveying suspicion about a potentially fraudulent check or freezing plaintiff’s account.

    Courts State Issues Michigan Discrimination Consumer Finance

  • NYDFS: Auto loan borrowers are entitled to rebates for cancelled ancillary products

    State Issues

    On July 18, NYDFS sent a letter reminding regulated auto lenders and auto loan servicers that they are responsible for ensuring certain rebates are credited to consumers whose vehicles were repossessed or were a total loss. During its examinations, NYDFS identified instances where certain institutions that finance ancillary products, such as extended warranties, vehicle service contracts, and guaranteed asset protection insurance, failed to properly calculate, obtain, and credit rebates to consumers as required. NYDFS explained that the terms of sale for such ancillary products “provide that if the vehicle is repossessed or is a total loss prior to the product’s expiration, the consumer is entitled to a rebate for the prorated, unused value of the product (a ‘Rebate’), payable first to the [i]nstitution to cover any deficiency balance, and then to the consumer.” NYDFS found that some institutions either neglected to pursue Rebates from the issuers of the ancillary products or miscalculated the owed amounts, adding that in some instances, institutions made initial requests for Rebates but did not follow through to ensure that they were received and credited to consumers.

    NYDFS explained that an institution’s failure to obtain and credit Rebates from unexpired ancillary products is considered to be unfair “because it causes or is likely to cause substantial injury to consumers who are made to pay or defend themselves against deficiency balances in excess of what the consumer legally owes.” The resulting injury caused to consumers is not outweighed by any countervailing benefits to consumers or to competition, NYDFS stressed.

    Additionally, NYDFS said an institution’s statements and claims of consumers’ deficiency balances that do not include correctly calculated and applied Rebates are considered to be deceptive, as they mislead consumers about the amount they owe after considering all setoffs. NYDFS said it expects institutions to fulfill their contractual obligations by ensuring Rebates are properly accounted for, either by deducting them from deficiency balances or issuing refund checks if no deficiency balance is owed.

    NYDFS further noted in its announcement that recent CFPB examinations found that certain auto loan servicers engaged in deceptive practices when they notified consumers of deficiency balances that misrepresented the inclusion of credits or rebates. The Bureau’s supervisory highlights from Winter 2019, Summer 2021, and Spring 2022 also revealed that collecting or attempting to collect miscalculated deficiency balances that failed to account for a lender’s entitled pro-rata refund constituted an unfair practice.

    State Issues Bank Regulatory State Regulators NYDFS Auto Finance Consumer Finance UDAAP Ancillary Products Deceptive Unfair CFPB Act

  • Michigan Supreme Court limits applicability of “usury savings clauses”

    Courts

    On June 23, the Michigan Supreme Court reversed a circuit court’s decision on a case involving Michigan’s “longstanding prohibition on excessive interest rates for certain loans.” The case involved a “usury savings clause,” a term sometimes used in notes that requires the borrower to pay the maximum legal interest rate if the contractual terms impose an illegal rate. In the case, a nonbank investment group (plaintiff) lent a realty service company (defendant) $1 million to flip tax-foreclosed homes. Plaintiff sued for breach of contract and fraud after defendant discontinued payments, having paid more than $140,000 in interest on the loan. Defendant argued that plaintiff violated the criminal usury statute by “knowingly charging an effective interest rate exceeding 25%,” which it alleged barred plaintiff from recovering on the loan under the wrongful-conduct rule.

    The circuit court determined that the fees and charges associated with the loan constituted disguised interest, making the total interest the plaintiff was seeking above the legal 25% limit and “criminally usurious.” However, the court agreed with the defendant that the usury savings clause was enforceable and the note was not facially usurious. Nevertheless, “the court agreed that the appropriate remedy is to relieve [defendant] of its obligation to pay the interest on the loan but not its obligation to repay the principal.”

    The Michigan Supreme Court held that in determining whether a loan agreement imposes illegal rates of interest, a usury savings clause is ineffective if the loan agreement requires a borrower to pay an illegal interest rate, even if the interest is labeled as a “fee” or something else. Further, the court held that enforcing usury savings clauses would undermine the state’s usury laws because it would nullify the statutory remedies for usury, which would relieve lenders of their obligation to ensure that their loans have a legal interest rate. The court also held that a lender is not criminally liable for seeking to collect on an unlawful interest rate in a lawsuit. The court reasoned that seeking relief through the court of law is generally encouraged over extrajudicial means. According to the opinion, the court held that “[t]he appropriate remedy for a lender’s abusive lawsuit is success for the borrower in that lawsuit and appropriate civil sanctions, not a criminal conviction for usury.”

    Courts State Issues Usury Consumer Finance Real Estate Mortgages Michigan Lending

  • Feds, states launch “Operation Stop Scam Calls”

    Federal Issues

    On July 18, the FTC, along with over 100 federal and state law enforcement partners nationwide, including the DOJ, FCC, and attorneys general from all 50 states and the District of Columbia, announced a new initiative to combat illegal telemarketing calls, including robocalls. The joint initiative, “Operation Stop Scam Calls,” targets telemarketers and the companies that hire them, lead generators that provide consumers’ telephone numbers to robocallers and others who falsely represent that consumers consented to receive the calls. The initiative also targets Voice over Internet Protocol (VoIP) service providers that facilitate illegal robocalls, many of which originate overseas.

    In connection with Operation Stop Scam Calls, the FTC has initiated five new cases against companies and individuals allegedly responsible for distributing or assisting in the distribution of illegal telemarketing calls to consumers across the country. According to the announcement, the actions reiterate the FTC’s position “that third-party lead generation for robocalls is illegal under the Telemarketing Sales Rule (TSR) and that the FTC and its partners are committed to stopping illegal calls by targeting anyone in the telemarketing ecosystem that assists and facilitates these calls, including VoIP service providers.” The announcement also states that more than 180 enforcement actions and other initiatives have been taken by 48 federal and 54 state agencies as part of Operation Stop Scam Calls.

    Among the new actions announced as part of Operation Stop Scam Calls is a complaint filed against a “consent farm” lead generator, which allegedly uses “dark patterns” to collect consumers’ broad agreement to provide their personal information and receive robocalls and other marketing solicitations through a single click of a button or checkbox via its websites. Under the terms of the proposed order, the defendant would be required to pay a $2.5 million civil penalty and would be banned from engaging in, assisting, or facilitating robocalls. The defendant would also be required to implement measures to limit its lead generation practices, establish systems for monitoring its own advertising and that of its affiliates, comply with comprehensive disclosure requirements concerning the collection of consumers’ consent to the sale of their information, and delete all previously collected consumer information.

    Other actions were taken against a California-based telemarketing lead generator, a telemarketing company that provides soundboard calling services to clients who use robocalls to sell a range of products and services, a New Jersey-based telemarketing outfit that placed tens of millions of calls to consumers whose numbers are listed on the National Do Not Call Registry, and Florida-based defendants accused of assisting and facilitating the transmission of roughly 37.8 million illegal robocalls by providing VoIP services to over 11 foreign telemarketers.

    Federal Issues State Issues Courts FTC Enforcement Robocalls Consumer Protection State Attorney General TSR Telemarketing Lead Generation DOJ FCC

  • Illinois Supreme Court declines to reconsider BIPA accrual ruling

    Privacy, Cyber Risk & Data Security

    On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”

    In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

     

    Privacy, Cyber Risk & Data Security Courts State Issues Illinois BIPA Enforcement Consumer Protection Class Action

  • Oregon is 11th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    Highlights of the Act include:

    • Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
    • Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
    • Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
    • Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller. 
    • Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation. 

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Oregon Consumer Protection
