Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
On June 5, the Nevada governor signed AB 466, requiring the State Treasurer to create a pilot program, authorized to operate from October 1, 2019 through June 30, 2023, for the establishment of one or more closed-loop payment processing systems that enable certain persons to engage in financial transactions relating to marijuana.
The closed-loop payment processing system established under the pilot program must be designed to, among other things: (i) provide marijuana establishments and medical marijuana establishments a safe, secure and convenient method of paying state and local taxes; (ii) prevent revenue from the sale of marijuana from going to criminal enterprises, gangs and drug cartels, and; (iii) prevent lawful financial transactions relating to marijuana from being used as a cover or pretext for unlawful activities. The bill requires the State Treasurer to adopt regulations to carry out the pilot program and requires that the State Treasurer submit a report concerning the pilot program on or before December 1, 2020, and every 6 months thereafter.
On June 6, the Maine governor signed S.P. 275/L.D. 946, which requires certain broadband Internet access services to receive express, affirmative consent from a customer before disclosing, selling, or permitting access to a customer’s personal information. Among other things, the provisions stipulate that a customer may revoke his or her consent at any time, and forbid providers from refusing service or charging a penalty or offering a discount based on the customer’s decision to provide or not provide consent. Furthermore, providers must include a “clear, conspicuous and nondeceptive notice at the point of sale,” as well as on the provider’s public website, concerning the provider’s obligations and the customer’s rights. Requirements for safeguarding customers’ personal information are also outlined. The Act applies only to providers operating in Maine that provide Internet access service to customers that are physically located and billed for services received in Maine. The new law will take effect July 1, 2020.
On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.
On May 25, the Maryland governor signed HB 0425, which amends the state’s statute of limitations applicable to certain civil actions relating to unfair, abusive, or deceptive trade practices (UDAP) filed against a mortgage servicer. Specifically, the bill requires that an action filed by a homeowner alleging damages arising out of a UDAP violation shall be filed within the earlier of: (i) 5 years after a foreclosure sale of the residential property; or (ii) 3 years after the mortgage servicer discloses its UDAP violation to the homeowner. The bill is effective October 1.
On May 24, the Oregon governor signed SB 366, which repealed the sunset provision on statutes establishing the conditions under which creditors can offer guaranteed asset protection (GAP) waivers in connection with the sale of an automobile. Chapter 523, Oregon Laws 2015 allows creditors to offer GAP waivers to consumers outside of the regulation of the Insurance Code while specifying certain requirements for offering the waivers. Section 11 of Chapter 523, would have repealed these GAP waiver provisions on January 2, 2020. The bill repeals Section 11, allowing for the GAP waiver provisions to remain in effect. The bill is effective January 1, 2020.
On May 30, the Oregon Governor signed HB 2089, which, among other things, prohibits title loan and payday loan lenders from making a new loan to a consumer until seven days after the consumer has fully repaid a previous title loan or payday loan. In addition, lenders may not make or renew a title loan or payday loan with an interest rate exceeding 36 percent annually, excluding a one-time allowable origination fee. These amendments apply to loan contracts, including renewals, executed on or after January 1, 2020.
On May 28, the Nevada governor signed SB 201, which, among other things, updates existing Nevada law referring to the federal Military Lending Act (MLA). Specifically, the bill eliminates the current state law provisions that adopt the MLA by referring generally to the federal law and instead specifically adopts the language of certain MLA provisions for lending to a covered service member or a dependent of a covered service member. The bill thus includes language that (i) prohibits a lender from charging an annual percentage rate greater 36 percent; (ii) requires a lender to make certain disclosures before extending certain consumer credit; and (iii) prohibits certain additional loan terms in a transaction, such as a requirement that the loan be repaid by allotment. The bill also requires the Commissioner of Financial Institutions to adopt regulations to administer, carry out, and enforce the MLA provisions. The new provisions were effective on May 28 for the purpose of adopting any regulations and performing any other preparatory administrative tasks that are necessary to carry out the provisions of this act, and on October 1, 2019, for all other purposes.
On May 28, the California Attorney General announced approximately $1.5 million in judgments against a company and four individuals (defendants) charged with allegedly operating a telemarketing scheme that offered fake investment recovery services. According to the Attorney General’s office, the defendants allegedly made false and deceptive claims to investors, many of whom were elderly, that the company could recover money lost from previous investments for an up-front fee of several thousand dollars. The terms of the judgments include $930,800 in combined civil penalties and $567,774 in restitution, and permanently enjoin and restrain the defendants from, among other things, making false or misleading statements in connection with telemarketing transactions. The Attorney General’s announcement also disclosed the recovery of nearly $25,000 in victim restitution pursuant to a bond issued to the company under California’s Telephonic Sellers Law.
On May 24, Attorneys General from 47 states, American territories, and Washington D.C., sent a letter to Secretary Betsy DeVos of the U.S. Department of Education (Department) to implement an automatic discharge process for the student loans of veterans who are totally and permanently disabled or otherwise unemployable (known as a “TPD discharge”). The letter asserts that while the Higher Education Opportunity Act of 2008 requires that the Department discharge the student loans of veterans who are totally and permanently disabled as a result of service, the Department requires eligible veterans to take “affirmative steps to secure the loan forgiveness,” which “may prove [to be] insurmountable obstacles to relief for many eligible veterans due to the severe nature of their disabilities.” According to the letter, the Department has identified over 42,000 veterans who are eligible for discharges and carry over $1 billion in dischargeable student loan debt, yet fewer than 9,000 of the eligible veterans had applied for the discharge as of April 2018. In response to the Department’s concerns about the veterans’ potential tax liability, the Attorneys General pointed out that federal tax law excludes loan discharges for disabled borrowers from taxable income. Even if the discharge increases their state tax bill, the Attorneys General argued that most borrowers would prefer to have their outstanding loans completely discharged, and those that do not could be given notice and an opportunity to opt out. Because there is no statutory requirement that eligible veterans apply for the TPD discharges, the Attorneys General urged the Department to implement a program to automatically discharge the outstanding loans as expeditiously as possible.
- APPROVED Webcast: Introducing Mogy — APPROVED’s licensing technology solution
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Christopher M. Witeck and Moorari K. Shah to discuss "The latest in vendor management regulations" at a Mortgage Bankers Association webinar
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference