
InfoBytes Blog

Financial Services Law Insights and Observations

  • Multiple states update security freeze legislation

    State Issues

    On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.

    On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows for a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows for a fee of up to $10.00 for the reissuance of a personal identification number or password. The legislation is effective July 1.

    State Issues Security Freeze Credit Reporting Agency Data Breach State Legislation Privacy/Cyber Risk & Data Security

  • Florida prohibits fees for security freezes

    State Issues

    On March 21, the Florida governor signed HB 953, which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the service. HB 953 still allows a consumer reporting agency to charge a fee of up to $10 for replacing or reissuing a personal identification number or password. The legislation is effective July 1.

    State Issues Security Freeze Credit Reporting Agency Data Breach Privacy/Cyber Risk & Data Security

  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach Credit Reporting Agency Security Freeze State Legislation

  • Multiple states address cost of security freezes

    State Issues

    On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.

    On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed for CRAs to charge a “reasonable fee” in connection with a security freeze service.

    State Issues Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach Security Freeze State Legislation

  • CFPB reviews removal of public records from credit reports

    Consumer Finance

    On February 22, the CFPB released a report finding that the removal of public records from consumer credit reports may have had an effect on consumers’ credit scores. The report reviewed the impact of the civil public records minimum information standards established pursuant to the National Consumer Assistance Plan (NCAP) – an initiative launched by the top three U.S. credit reporting agencies (CRAs) as a result of settlement agreements between the CRAs and over 30 state attorneys general. Starting in July 2017, the NCAP required public records furnished to the CRAs to include a name, address, and social security number and/or date of birth and required the records be refreshed every 90 days. According to the report, prior to the NCAP, six percent of consumers had a civil judgment or tax lien on their credit report; and after the NCAP implementation, the CFPB found that only 1.4 percent of consumers had a tax lien on their credit report and zero consumers had civil judgments. However, the report notes that while there was a significant drop in the overall reporting of public records, only six percent of those affected by the NCAP’s new reporting requirements experienced an increase from “deep subprime or subprime credit scores in June before the standards took effect and rose to near prime or above in September.” The CFPB noted in a blog release that the Bureau cannot assess scoring-model accuracy because it requires two years of data following the implementation of new standards to perform the analysis.

    Consumer Finance CFPB Credit Reporting Agency

  • Massachusetts attorney general launches data breach reporting portal

    Privacy, Cyber Risk & Data Security

    On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.

    The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Credit Reporting Agency Data Breach

  • CFPB Succession: Senators express concern over CFPB’s investigation into data breach; Otting praises Mulvaney; & more

    Federal Issues

    On February 7, a bipartisan group of 32 senators wrote to the CFPB expressing concerns over reports that the Bureau may have halted an investigation into a large credit reporting agency’s significant data breach. The letter requests specific information related to the agency’s oversight of the issue, such as (i) whether the CFPB has stopped an on-going investigation into the data breach and if so, why; (ii) whether the CFPB intends to conduct on-site exams of the credit reporting agency at issue; and (iii) if an investigation is on-going, details related to the steps taken in that investigation. Additionally, on February 6, during a House Financial Services Committee hearing on the Financial Stability Oversight Council (FSOC), Representative David Scott, D-Ga., addressed rumors that the CFPB has scaled back its investigation of a large credit reporting agency’s significant data breach. In response to Scott, Treasury Secretary Steven Mnuchin noted that, while he has not done so yet, he intends to discuss the matter with acting Director Mulvaney and at FSOC. According to reports, a spokesperson for the Bureau noted that Mulvaney takes data security issues “very seriously” but that the Bureau does not comment on open enforcement or supervisory matters. It has also been reported that the CFPB may be deferring to the FTC’s on-going investigation.

    Comptroller of the Currency, Joseph Otting, issued a statement on February 6 after meeting with Mulvaney about ways the CFPB and the OCC can work together to pursue each agency’s mission. Otting praised Mulvaney’s leadership of the agency and noted that the recent announcements regarding HMDA compliance and the payday rule reconsideration have “helped to reduce the burden on the banking system.” (Previously covered by InfoBytes here and here).

    On the same day, the CFPB announced that Kirsten Sutton Mork was selected as the new chief of staff for the agency. Mork had been serving as staff director of the House Financial Services Committee under Chairman Jeb Hensarling, R-Texas. Leandra English previously held the role of chief of staff, prior to her appointment as deputy director in late November. English’s litigation against the appointment of Mulvaney as acting director continues with the U.S. Court of Appeals for the D.C. Circuit and oral arguments have been set for April 12.   

    Federal Issues CFPB Succession Enforcement CFPB HMDA Payday Lending Credit Reporting Agency

  • Maryland issues bipartisan consumer protection recommendations

    State Issues

    On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or weaken […] important federal consumer protections.” New legislation in response to the recommendations is expected to be released in the near future. Key recommendations include, among other things: (i) requiring credit reporting agencies to provide an alert of data breaches promptly and provide free credit freezes; (ii) adopting new financial consumer protection laws in areas where the federal government may be weakening oversight; (iii) addressing potential issues with Maryland’s current payday and lending statutes; (iv) adopting the Model State Consumer and Employee Justice Enforcement Act that addresses forced arbitration clauses; and (v) adopting new laws that address new risks, such as virtual currencies and financial technology.

    State Issues State Legislation Consumer Finance Data Breach Payday Lending Arbitration Virtual Currency Fintech Credit Reporting Agency Security Freeze

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency

  • Senate Banking Committee Approves Financial Regulatory Relief Bill

    Federal Issues

    On December 5, the Senate Banking Committee approved bill S. 2155, Economic Growth, Regulatory Relief, and Consumer Protection Act, which would alter certain financial regulations under the Dodd-Frank Act of 2010. While not as sweeping as previous legislative relief proposals (see previous InfoBytes coverage on House Financial CHOICE Act of 2017), the bill was introduced and passed the Committee with bipartisan support. The bill’s highlights include, among other things:

    • Consumer Access to Credit. The bill deems mortgage loans held in portfolios by insured institutions with less than $10 billion in assets to be “qualified mortgages” under TILA, and removes the three-day waiting period for TILA-RESPA Integrated Disclosures if the second credit offer is a lower rate. The bill also instructs the CFPB to provide “clearer, authoritative guidance” on certain issues such as the applicability of TRID to mortgage assumptions and construction-to-permanent loans. Additionally, the bill eases appraisal requirements on certain mortgage loans and exempts small depository institutions with low mortgage originations from certain HMDA disclosure requirements.
    • Regulatory Relief for Certain Institutions. The bill exempts community banks from Section 13 of the Bank Holding Company Act if they have, “[i] less than $10 billion in total consolidated assets, and [ii] total trading assets and trading liabilities that are not more than five percent of total consolidated assets” – effectively allowing for exempt banks to engage in the trading of, or holding ownership interests in, hedge funds or private equity funds. Additionally, the bill raises the threshold of the Federal Reserve’s Small Bank Holding Company Policy Statement and the qualification for certain banks to have an 18-month examination cycle from $1 billion to $3 billion.
    • Protections for Consumers. Included in an adopted “manager’s amendment,” the bill requires credit bureaus to provide consumers unlimited free security freezes and unfreezes. The bill also limits certain medical debt information that can be included on veterans’ credit reports.
    • Changes for Bank Holding Companies. The bill raises the threshold for applying enhanced prudential standards from $50 billion to $250 billion.

    The bill now moves to the Senate, which is not expected to take up the package before the end of this year.

    Federal Issues Senate Banking Committee Dodd-Frank Federal Legislation TILA RESPA TRID Federal Reserve OCC FDIC Mortgages HMDA Credit Reporting Agency S. 2155
