
InfoBytes Blog

Financial Services Law Insights and Observations


  • Dubai to facilitate personal data transfers with California-based entities

    Privacy, Cyber Risk & Data Security

    On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.” 

    Privacy, Cyber Risk & Data Security State Issues CCPA UAE DIFC California

  • Governor Hochul unveils statewide cybersecurity strategy for New York

    State Issues

    On August 9, Governor Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, and outlines how existing and planned initiatives will be woven together in a unified approach. The central principles of the strategy are unification, resilience, and preparedness, with a focus on state agencies working together with local governments to strengthen the entire state’s defenses. Included in the plan was a $600 million commitment to improve cybersecurity, including (i) a $90 million investment for cybersecurity in Fiscal Year 2024; (ii) $500 million to enhance healthcare information technology; and (iii) $7.4 million for law enforcement entities to expand their cybercrime capabilities.

    State Issues Privacy, Cyber Risk & Data Security New York Dodd-Frank Federal Reserve Bank Merger Act

  • California Privacy Protection Agency announces its first inquiry

    Privacy, Cyber Risk & Data Security

    On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CPPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.

    Privacy, Cyber Risk & Data Security State Issues State Regulators California CCPA CPPA Enforcement

  • Oregon enacts registration requirements for data brokers

    State Issues

    On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), date or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time. The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of the Act or for each day in which the violation continues. Civil money penalties are capped at $10,000 per calendar year.

    Licensing State Issues Data Brokers Consumer Data Consumer Protection State Legislation Oregon

  • DFPI concludes MTA licensure not required for data processor

    State Issues

    On July 25, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter concluding that a company that merely receives payment instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission” requiring licensure under the California Money Transmission Act (MTA).

    Citing the California regulations, DFPI states that to “receive money for transmission,” a person must actually or constructively receive, take possession, or hold money or monetary value for transmission; merely receiving instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission.”

    As described in the letter, the data processor facilitates payments made by customers to contracting merchants in exchange for goods and services sold by merchants. The data processor forwards customer account and transaction details to partner financial institutions for debiting the customer’s account, and also facilitates refunds initiated by the merchants, including sending ACH instructions to the partner financial institution. However, the data processor at no point handles transferred funds or has custody or legal ownership of the rights to the transferred funds. DFPI, based on several factors and not solely limited to the services described, determined that the inquiring data processor’s payment system does not constitute money transmission or require an MTA license.

    State Issues Licensing State Regulators California Money Transmission Act Consumer Finance California Fair Access to Credit Act California Financing Law DFPI

  • CSBS announces Nonbank Model Data Security Law

    Privacy, Cyber Risk & Data Security

    The Conference of State Bank Supervisors (CSBS) recently released a comprehensive framework for safeguarding sensitive information held at nonbank financial institutions. CSBS’s Nonbank Model Data Security Law is largely based on the FTC’s updated Safeguards Rule, which added specific criteria for financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, to undertake when conducting risk assessments and implementing information security programs. (Covered by InfoBytes here.) Adopting the Nonbank Model Data Security Law allows for a streamlined and efficient approach to data security regulations for nonbank financial institutions, CSBS explained, adding that by leveraging the existing Safeguards Rule’s applicability to state covered nonbanks, the model law imposes minimal additional compliance burdens and ensures smoother implementation for financial institutions. States can also choose an alternative approach by requiring nonbank financial institutions to conform to the Safeguards Rule, CSBS said.

    The Nonbank Model Data Security Law outlines numerous provisions, which are intended to protect customer information, mitigate cyber threats, and foster a secure financial ecosystem. These include standards for safeguarding customer information, required elements that must be included in a nonbank financial institution’s information security program, and an optional section that requires entities to notify the commissioner in the wake of a security event. CSBS noted that because “the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.” CSBS also provided a list of resources for adopting the Nonbank Model Data Security Law.

    Privacy, Cyber Risk & Data Security State Issues CSBS Nonbank FTC Safeguard Rule Compliance

  • California AG warns against unlawful employer-driven debt arrangements

    State Issues

    On July 25, California Attorney General Rob Bonta issued a Legal Alert to remind all employers of state-law restrictions on employer-driven debt. Bonta highlighted concerns about employers engaging in exploitative practices that lead to employees accumulating debts as a result of their employment. (Also covered by InfoBytes here). Such practices may include employers withholding wages, failing to reimburse necessary expenses, or charging fees that are unlawful under California labor laws.

    The alert outlines that employer-driven debt arrangements may violate California Labor Code section 2802, “which mandates that employers ‘indemnify employees for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties.’” Regarding job training, the alert mentions that California law forbids employers from making workers repay training costs, except in two cases: (i) when the training is necessary for legally practicing the profession, and (ii) when the worker voluntarily undertakes the training, not due to employer mandate. The alert warns companies that engage in exploitative practices that the protections established in the Labor Code cannot be waived by contract. The alert also states that such practices risk violating the state’s Rosenthal Fair Debt Collection Practices Act, which “prohibits an employer or its agent from engaging in unfair or deceptive acts or practices when attempting to collect on employer-driven debt.” Finally, the alert notes that if an employer takes advantage of a worker’s lack of information or knowledge about the risks or costs of the debt, they may violate the California Consumer Financial Protection Law.

    State Issues State Attorney General California Consumer Finance Employer-Driven Debt Products

  • Supreme Court of New York: FDCPA does not require collectors to explain how debt is acquired

    Courts

    On July 19, the Supreme Court of the State of New York filed an order granting defendants’ motion for summary judgment, ruling that the FDCPA does not require debt collectors to provide debtors with proof of how they came to acquire the debt from the original creditor. One of the defendants purchased plaintiff’s defaulted credit card debt, which was placed with the second defendant for collection. The second defendant sent plaintiff a collection letter that identified the original creditor, along with the last four digits of the account number and identified the current creditor by name. Plaintiff sued, alleging violations of several sections of the FDCPA, claiming the letter was “false, deceptive, and misleading” because he never entered into a transaction with the current creditor and that the defendants reported the alleged debt to the credit reporting agencies. Plaintiff also maintained that prior to filing the lawsuit, he sought to validate the alleged debt but that neither defendant provided information sufficient to establish the current creditor’s ownership of the debt. Defendants filed for summary judgment seeking dismissal of plaintiff’s claims. In granting the motion, the court held that nothing in the FDCPA requires debt collectors “to educate the debtor ‘with proof, or at least a narrative, as to how it came to acquire the debt from [the] original creditor,’” and that the statute does not require plaintiffs to be notified when their debt is sold.

    Courts State Issues FDCPA Debt Collection Consumer Finance New York

  • DOE recognizes states’ role in investigating student loan servicers

    Agency Rule-Making & Guidance

    On July 24, the Department of Education (DOE) issued a final interpretation to clarify that the Higher Education Act (HEA) preempts state laws and other applicable federal laws “only in limited and discrete respects.” Specifically, the final interpretation revises and clarifies the DOE’s position on the legality of state laws and regulations regarding certain aspects of federal student loan servicing, including preventing unfair or deceptive practices, correcting misapplied payments, or addressing servicers’ refusals to communicate with borrowers.

    The final interpretation supersedes a 2021 DOE interpretation (covered by InfoBytes here), as well as prior statements and interpretations issued by the agency, which addressed state regulation of the servicing of student loans under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program. Following a review of public comments, the DOE modified its interpretation to more clearly describe the standard for conflict preemption, explaining that recent court rulings on the issue of conflict preemption have consistently found that the HEA does not prioritize maintaining uniformity in federal student loan servicing, and that as a result, the courts have upheld the authority of individual states to address fraud and affirmative misrepresentations in the federal student aid program without being hindered by federal preemption. Additionally, the DOE noted that courts have consistently applied conflict preemption to state laws that require licensing of the DOE’s student loan servicers, particularly in limited circumstances where the licensing requirement aims to disqualify a federal contractor from operating within the state. The final interpretation states that it is firmly established that states cannot hinder the federal government's ability to choose its contractors by imposing such licensing requirements, noting that two courts recently concluded that such preemption also applies to a state’s refusal to license federal student loan servicers.

    The final interpretation is effective immediately.

    Agency Rule-Making & Guidance State Issues Department of Education Student Lending Student Loan Servicer Higher Education Act Preemption

  • District Court says bank discrimination suit can proceed

    Courts

    On July 21, the U.S. District Court for the Western District of Michigan denied a bank’s motion to dismiss plaintiff’s allegations that she was discriminated against on the basis of race when her account was frozen due to a purported suspicious deposit. Plaintiff, an African-American woman, sued the bank claiming violations of both federal and state anti-discrimination laws after she was allegedly questioned by bank employees about the authenticity of a check she tried to deposit in the amount of $27,616, which was money she received from a legal settlement. Plaintiff claimed that the bank maintained the check was fraudulent and soon afterward froze her account and deactivated her debit card. Plaintiff further stated that her debit card remained frozen even after her attorney explained the legal settlement to the bank and her check was cleared. Claiming the bank’s treatment was racially discriminatory, plaintiff maintained that because bank “employees assumed that her ‘having money must be evidence of fraud or wrongdoing,’” she suffered financial hardships and “significant emotional and physical distress.” The bank argued that plaintiff failed to state a claim because she has not shown a connection between the bank’s actions and her race and claimed the bank employees were acting to prevent fraud.

    The court disagreed, ruling that due to the bank’s alleged actions and the fact that plaintiff’s account was frozen in violation of its own policies, discriminatory intent is plausible. The court noted that “most significantly,” plaintiff’s account remained frozen for eight days after the check cleared and the possibility of fraud was discounted. The court reasoned that defendant failed to explain why its fraud-prevention policies would justify keeping an account frozen after a check has been cleared. “[A] defendant’s hostile treatment of a plaintiff can allow for an inference of discriminatory intent even if the defendant’s actions lack a direct connection to race,” the court wrote, noting that fraud prevention does not fully explain all of the bank’s actions, which “went beyond” simply conveying suspicion about a potentially fraudulent check or freezing plaintiff’s account.

    Courts State Issues Michigan Discrimination Consumer Finance
