
InfoBytes Blog

Financial Services Law Insights and Observations


  • Coalition of state Attorneys General urges Congress to oppose data breach bill

    Privacy, Cyber Risk & Data Security

    On March 19, the Illinois Attorney General, along with 30 other state Attorneys General and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to selected members of Congress opposing the Data Acquisition and Technology Accountability and Security Act (the DATAS Act), which would establish broad standards for data protection across industries and create federal notification requirements for covered entities after certain types of data breaches. (See previous InfoBytes coverage here.) According to the Illinois Attorney General’s letter, the DATAS Act would preempt state data breach and data security laws. The letter also stated that “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.” Serious potential concerns arising from the DATAS Act raised in the letter include (i) reduced transparency to consumers; (ii) delayed notification to consumers affected by data breaches; and (iii) an overly narrow focus on large-scale data breaches “affecting 5,000 or more consumers” which “prevent[s] attorneys general from learning of or addressing breaches that happen on a smaller national scale.”


  • Florida prohibits fees for security freezes

    State Issues

    On March 21, the Florida governor signed HB 953, which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the service. HB 953 still allows a consumer reporting agency to charge a fee of up to $10 for replacing or reissuing a personal identification number or password. The legislation is effective July 1.


  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers by mail, by electronic notice, or, in certain circumstances, by substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and, following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).


  • FTC reaches $45.5 million settlement with companies over illegal telemarketing calls

    Privacy, Cyber Risk & Data Security

    On March 16, the FTC and three Utah-based movie companies (defendants) agreed to a proposed stipulated final order settling charges that they violated the FTC Act and the Telemarketing Sales Rule (TSR). In 2011, the DOJ filed a complaint on behalf of the FTC, which alleged defendants engaged in abusive telemarketing practices by making more than 117 million deceptive and unlawful calls to consumers to pitch movies and induce DVD sales in violation of the TSR, including 99 million calls to numbers on the Do Not Call Registry. In 2016, a federal court jury found the defendants guilty of six TSR violations and collectively responsible for the more than 117 million unlawful calls alleged in the complaint. The jury additionally found that the defendants had “actual or implied knowledge of the TSR violations,” meaning that the court was allowed to assess civil penalties under the FTC Act. According to the FTC’s press release, this was the first-ever jury verdict in an action to enforce the TSR and DNC Registry rules.

    The proposed stipulated final order bans the defendants from engaging in the alleged misconduct, orders the defendants to train and monitor their solicitors to ensure compliance with the TSR, and imposes a $45.5 million civil money penalty, of which $487,735 is suspended unless it is determined that the financial statements defendants submitted to the FTC contain any inaccuracies.


  • Multiple states address cost of security freezes

    State Issues

    On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.

    On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. The bill also prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed CRAs to charge a “reasonable fee” in connection with a security freeze service.


  • Washington governor enacts amendment relating to security freeze fees

    Privacy, Cyber Risk & Data Security

    On March 13, the Washington governor signed Senate Bill 6018, which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily lifting, or removing a security freeze, or when assigning consumers unique personal identification numbers. Additionally, the offices of cybersecurity and privacy and data protection and the Attorney General’s office are instructed to work with stakeholders to evaluate the amendment’s impact on consumers and CRAs. A findings report must be submitted by December 1, 2020, and include data breach trends and recommendations by federal and state agencies. The amendment takes effect June 7.


  • Senate passes bipartisan financial regulatory reform bill

    Federal Issues

    On March 14, by a vote of 67-31, the Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) (the bill)—a bipartisan regulatory reform bill crafted by Senate Banking, Housing, and Urban Affairs Committee Chairman Mike Crapo, R-Idaho—that would repeal or modify provisions of Dodd-Frank and ease regulations on all but the biggest banks. (See previous InfoBytes coverage here.) The bill’s highlights include:

    • Improving consumer access to mortgage credit. The bill’s provisions state, among other things, that: (i) banks with less than $10 billion in assets are exempt from ability-to-repay requirements for certain qualified residential mortgage loans; (ii) appraisals will not be required for certain transactions valued at less than $400,000 in rural areas; (iii) banks and credit unions that originate fewer than 500 open-end and 500 closed-end mortgages are exempt from HMDA’s expanded data disclosures (the provision would not apply to nonbanks and would not exempt institutions from HMDA reporting altogether); (iv) amendments to the S.A.F.E. Mortgage Licensing Act will provide registered mortgage loan originators in good standing with 120 days of transitional authority to originate loans when moving from a federal depository institution to a non-depository institution or across state lines; and (v) the CFPB must clarify how TRID applies to mortgage assumption transactions and construction-to-permanent home loans, as well as outline certain liabilities related to model disclosure use.
    • Regulatory relief for certain institutions. Among other things, the bill simplifies capital calculations and exempts community banks from Section 13 of the Bank Holding Company Act if they have less than $10 billion in total consolidated assets. The bill also states that banks with less than $10 billion in assets, and total trading assets and liabilities not exceeding five percent of their total assets, are exempt from Volcker Rule restrictions on trading with their own capital.
    • Protections for consumers. Included in the bill are protections for veterans and active-duty military personnel such as: (i) permanently extending the protection that shields military personnel from foreclosure proceedings after they leave active military service from nine months to one year; and (ii) adding a requirement that credit reporting agencies provide free credit monitoring services and credit freezes to active-duty military personnel. The bill also addresses general consumer protection options such as expanded credit freezes and the creation of an identity theft protection database. Additionally, the bill instructs the CFPB to draft federal rules for the underwriting of Property Assessed Clean Energy loans (PACE loans), which would be subject to TILA consumer protections.
    • Changes for bank holding companies. Among other things, the bill raises the threshold for automatic designation as a systemically important financial institution from $50 billion in assets to $250 billion. The bill also subjects banks with $100 billion to $250 billion in total consolidated assets to periodic stress tests and exempts from stress test requirements entirely banks with under $100 billion in assets. Additionally, certain banks would be allowed to exclude assets they hold in custody for others—provided the assets are held at a central bank—when computing the amount such banks must hold in reserves.
    • Protections for student borrowers. The bill’s provisions include measures to prevent creditors from declaring an automatic default or accelerating the debt against a borrower on the sole basis of bankruptcy or cosigner death, and would require the removal of private student loans on credit reports after a default if the borrower completes a loan rehabilitation program and brings payments current.

    The bill now advances to the House where both Democrats and Republicans think it is unlikely to pass in its current form.


  • NYDFS issues cybersecurity compliance certificate reminder

    Privacy, Cyber Risk & Data Security

    On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15, and notices were recently sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities that have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certification of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”

    Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.


  • Virginia governor enacts amendment relating to security freeze fees

    State Issues

    On March 9, the governor of Virginia signed House Bill 1027, which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $10 to $5. Victims of identity theft remain exempt from the fee. The amendment takes effect July 1.


  • California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach

    Privacy, Cyber Risk & Data Security

    On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss, limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot pursue claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.

