
InfoBytes Blog

Financial Services Law Insights and Observations


  • 8th Circuit pauses student debt relief program

    Courts

    On November 14, the U.S. Court of Appeals for the Eighth Circuit granted an emergency motion for injunction pending appeal filed by state attorneys general from Nebraska, Missouri, Arkansas, Iowa, Kansas, and South Carolina to temporarily prohibit the Secretary of Education from discharging any federal loans under the agency’s student debt relief plan (announced in August and covered by InfoBytes here). Earlier in October, the 8th Circuit issued an order granting an emergency motion filed by the states, which requested an administrative stay prohibiting the discharge of any student loan debt under the cancellation plan until the appellate court had issued a decision on the states’ motion for an injunction pending an appeal. (Covered by InfoBytes here.) The October order followed a ruling issued by the U.S. District Court for the Eastern District of Missouri, which dismissed the states’ action for lack of Article III standing after concluding that the states—which attempted “to assert a threat of imminent harm in the form of lost tax revenue in the future”—failed to establish imminent and non-speculative harm sufficient to confer standing.

    In granting the emergency motion, the appellate court disagreed with the district court’s assertion that the states lacked standing. The 8th Circuit reviewed whether the state of Missouri could rely on any harm the Missouri Higher Education Loan Authority (MOHELA) might suffer as a result of the Department of Education’s cancellation plan. The appellate court found that the relationship between MOHELA and the state is relevant to the standing analysis, especially as Missouri law specifically directs MOHELA (which receives revenue from the student loan accounts it services) to distribute $350 million into the state’s treasury. As such, “MOHELA may well be an arm of the State of Missouri” under this reasoning, the appellate court wrote, adding that several district courts have concluded that MOHELA is an arm of the state. However, regardless of whether MOHELA is an arm of the state, the resulting financial impact due to the cancellation plan would, among other things, affect the state’s ability to fund public higher education institutions, the 8th Circuit noted. “Consequently, we conclude Missouri has shown a likely injury in fact that is concrete and particularized, and which is actual or imminent, traceable to the challenged action of the Secretary, and redressable by a favorable decision,” the appellate court wrote, adding that since one party likely has standing it does not need to address the standing of the other states. The appellate court also determined that “the equities strongly favor an injunction considering the irreversible impact the Secretary’s debt forgiveness action would have as compared to the lack of harm an injunction would presently impose.” The 8th Circuit explained that it considered several criteria, including the fact that the collection of student loan payments and the accrual of interest have both been suspended. The Missouri attorney general released a statement applauding the 8th Circuit’s decision.

    The 8th Circuit’s decision follows a recent ruling issued by the U.S. District Court for the Northern District of Texas, which found that the student loan forgiveness program is “an unconstitutional exercise of Congress’s legislative power.” (Covered by InfoBytes here.)

    Courts Student Lending State Issues Department of Education Appellate Eighth Circuit State Attorney General Nebraska Missouri Arkansas Iowa Kansas South Carolina

  • California appellate court affirms arbitration denial

    Courts

    On November 8, the Sixth Appellate District Court in the Court of Appeal in California affirmed a lower court’s decision denying a defendant collection agency’s motion to compel arbitration in a California Rosenthal Fair Debt Collection Practices Act (RFDCPA) suit. According to the order, the defendant was hired to collect unpaid credit card debt from the plaintiff on behalf of a creditor. The plaintiff asserted that the defendant “engaged in a routine practice of sending initial communications that failed to provide notice as required by Civil Code section 1788.14, subdivision (d)(2), which governs attempts to collect ‘time-barred’ debts—those that are ‘past the date of obsolescence set forth in Section 605(a) of the federal Fair Credit Reporting Act.’” The defendant filed a motion to compel arbitration, submitting two cardholder agreements produced by the original creditor that did not reference the plaintiff’s name, account number, or the plaintiff’s signature. The plaintiff opposed the motion, arguing that the defendant failed to link the plaintiff to the “generic documents” and denied ever seeing or receiving the agreements before. The trial court ruled the documents were not admissible because there was no evidence that they were ever sent to the plaintiff. The trial court concluded that failing to show evidence of mutual assent, the defendant “could not show that the card agreements were enforceable binding arbitration agreements, and thus it denied the motion to compel arbitration.” The defendant appealed.

    The appellate court noted that while the custodian of records for the original creditor declared that the agreements submitted by the defendant were linked to the plaintiff’s account, the custodian did not declare how or if the agreements were provided to the plaintiff for his review and acceptance. The appellate court further found that since the plaintiff declared that he never received the agreements, the burden to prove the existence of a valid arbitration agreement shifted back to the defendant.

    Courts Debt Collection Arbitration State Issues California Rosenthal Fair Debt Collection Practices Act Appellate

  • Pennsylvania amends remote work definition

    On November 3, the Pennsylvania governor signed HB 2667, which amends the definition of “remote location” in the Pennsylvania Consolidated Statutes. In order for a mortgage loan originator sponsored by a licensee to be permitted to work from a “remote location,” the location must meet certain criteria. The amended definition includes a prohibition against “in-person consumer interaction” that is limited to “in-person consumer interaction” at a mortgage loan originator’s personal residence. It also removes a requirement for a “remote location” to maintain “physical records regarding the licensee’s mortgage loan business . . . at the location.” The bill is effective immediately.

    Licensing State Issues Pennsylvania State Legislation Mortgages Mortgage Origination

  • Debt collection company issued a CDO for operating without a license

    On November 3, the Massachusetts Division of Banks issued a cease directive to a formerly licensed debt collection company for allegedly operating for more than six years without a license. According to the order, the debt collection company was a foreign company conducting business in Massachusetts with a main address in Florida. According to records maintained on file with the Division and the NMLS, the Commissioner initially issued a debt collector license to the company to engage in the business of debt collection in Massachusetts on or about January 14, 2010. In December 2012, the debt collector license expired due to the company’s failure to respond to license items placed on the NMLS account of the company. In May 2013, the debt collector license was placed into a status of “Terminated – Expired.” During an examination of a separate debt collector licensee, the Division became aware that the company continued to engage in now-unlicensed debt collection activity in Massachusetts on behalf of the licensee being examined. As a result, the Division directed the company to immediately cease collecting debts on any accounts in Massachusetts until it obtained the proper license to do so. The company was also directed to provide a complete record of all funds collected from Massachusetts consumers from January 2019 through November 3, 2022, as well as a detailed record of the Massachusetts accounts it is holding for collection. The company can request a hearing to contest the Division’s allegations and has 30 days from November 3 to request such a hearing. If it does not do so, or fails to appear at a scheduled hearing, it will be deemed to have consented to the issuance of the cease directive.

    Licensing State Issues Massachusetts Enforcement Debt Collection

  • Delaware enacts licensing legislation

    On November 2, the Delaware governor signed SB 296, which increases the threshold for licensed property appraisers so that they may appraise complex one- to four-unit residential properties valued up to $400,000. Among other things, the bill also amends the requirements for licensure and registration: property appraisers must now renew their licenses every other year instead of yearly, whereas appraisal management companies are now required to reregister and certify annually rather than biennially. The bill is effective immediately.

    Licensing State Issues State Legislation Delaware Appraisal Appraisal Management Companies

  • California DFPI concludes MTA licensure not required for crypto exchange

    On November 3, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to a cryptocurrency exchange’s transactions. The redacted opinion letter examines whether the inquiring company’s proposed business activities—which “will offer the purchase, sale, and trading of various cryptocurrencies using a platform provided by its affiliate and in conjunction with another affiliate that is a . . . registered broker-dealer”—are exempt from the MTA. Transactions on the company’s platform will involve the use of the company’s tokenized version of the U.S. dollar. Customers will deposit U.S. dollar funds into a company account where an equivalent amount of tokens will be created and used to facilitate a trade for cryptocurrency. The tokens can also be exchanged for U.S. dollars, or customers can hold the tokens in their wallet. According to the letter, the company says it “does not take custody of its client’s currencies or offer digital wallets,” but rather a “client’s digital wallet is directly linked to the platform and transacts on a peer-to-peer basis with other clients.” In addition to trading cryptocurrencies, the company also plans to allow customers to “trade in cryptographic representations of publicly listed securities,” thereby permitting customers to purchase, sell, or trade the securities tokens on the platform. The company will also be able to transfer customers’ shares of securities tokens from the platform to a customer’s traditional brokerage account. The company explained that these transactions of securities tokens will be covered by the company’s affiliate’s broker-dealer license.

    DFPI concluded that because the Department has not yet “determined whether the issuance of tokenized versions of the U.S. Dollar or securities, or their use to trade cryptocurrencies, is money transmission,” it will not require the company to obtain an MTA license in order to perform the aforementioned services or to issue tokenized versions of the U.S. dollar or securities. DFPI noted, however, that its conclusions are subject to change, and emphasized that its letter does not address whether the proposed activities are subject to licensure or registration under other laws, including the Corporate Securities Law of 1968.

    Licensing State Issues Digital Assets DFPI California State Regulators Money Service / Money Transmitters Cryptocurrency California Money Transmission Act

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent, within 90 days of the notice of the cybersecurity event, “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8 upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. After the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply, except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500

  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers, from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement State Issues State Attorney General Credit Reporting Agency

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits alleging violations of numerous state laws were filed and eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for a cash payment, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Consumer Protection Class Action Settlement State Issues California

  • District Court: Unclear when networking site became aware of data scraping

    Privacy, Cyber Risk & Data Security

    On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.

    As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.

    In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and the copying of URL data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by the defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scraping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    Privacy, Cyber Risk & Data Security Courts Data Scraping Consumer Protection Computer Fraud and Abuse Act State Issues California Appellate Ninth Circuit
