On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
On March 1, the New York attorney general issued two alerts warning investors about the “extreme risk” facing New Yorkers investing in virtual or “crypto” currency. The first investor alert directs investors to take caution when investing in virtual currencies because, among other reasons, virtual currency trading platforms provide limited protection from fraud as “[m]ost platforms are subject to little or no oversight.” The second industry alert is directed towards broker-dealers, salespersons, and investment advisors, and provides a reminder that “people and entities dealing in virtual or ‘crypto’ currencies that are commodities or securities in the state of New York, and who do not qualify for an exemption, must register with the Office of the Attorney General,” and that failing to do so will expose them to both civil and criminal liability. The alerts follow an agreement entered last month (covered by InfoBytes here) between the AG and the operators of a virtual currency trading platform and a “tether” virtual currency issuer, along with their affiliated entities, which resolved allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds.
On March 2, the Virginia governor enacted the Consumer Data Protection Act (CDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures (covered by a Buckley Special Alert). As previously covered by InfoBytes, under the CDPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The CDPA also outlines controller responsibilities, including a requirement that, among other things, controllers must enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. While the CDPA explicitly prohibits a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation. Additionally, upon discovering a potential violation of the CDPA, the attorney general must give the data controller written notice and allow the data controller 30 days to cure the alleged violation before the attorney general can file suit. The CDPA takes effect January 1, 2023.
On February 23, the New York attorney general announced an $18.5 million settlement with the operators of a virtual currency trading platform and the “tether” virtual currency issuer, along with their affiliated entities, to resolve allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds. According to the AG, one of the companies operated an online trading platform for exchanging and trading virtual currency, which allowed users to store virtual or fiat currency, convert virtual currency into fiat currency, and withdraw funds, while the “tether” virtual currency issuer represented that the “stablecoin” it issued was backed one-to-one by U.S. dollars in reserve. However, an AG investigation found, among other things, that the companies made false statements about the backing of the stablecoin and moved hundreds of millions of dollars between the two companies in an attempt to conceal massive losses, and that the stablecoins were, in fact, no longer backed one-to-one by U.S. dollars in reserve, contrary to the company’s representations. The AG also noted that a national bank, which acted as the correspondent bank for the companies and was used to fill orders for U.S. dollars, elected to stop processing U.S. dollar wire transfers from the companies, forcing the companies to find alternative banking arrangements and ultimately leading to a liquidity crisis. Further, the AG stated that the companies failed to disclose these issues to the public. In 2019, a court order enjoined the companies from engaging in activities that may have defrauded investors trading in cryptocurrency (covered by InfoBytes here).
Under the terms of the settlement agreement, the companies and related entities must, among other things, (i) discontinue any further trading activity in the state; (ii) pay $18.5 million in monetary relief; and (iii) take steps to increase transparency, including maintaining internal controls and procedures designed to ensure that their products and services are not used by New York persons and entities, providing compliance reports to the AG, and providing a list of utilized payment processors.
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for doing so.
On February 22, Washington D.C. Mayor Muriel Bowser announced that the District of Columbia Department of Insurance, Securities and Banking would be partnering with the United Planning Organization to administer a free hotline to connect District residents who were financially harmed by Covid-19 with trained financial “navigators.” These navigators will offer advice and help connect residents to various programs and services to help manage income disruptions and other financial concerns, including foreclosure mediation.
On February 22, the governor of Nebraska announced the launch of an emergency rental assistance program. Through the program Nebraska’s Housing Finance Agency, $158 million in federal stimulus funds will be available for distribution to eligible tenants and landlords.
On February 22, the Maryland commissioner of financial regulation issued guidance that extends the “re-start date” for the initiation of residential foreclosures to April 1, 2021. The guidance is issued pursuant to the Maryland governor’s executive order 20-12-17-02, which amended and restated previous executive orders covered here, here, and here.
On February 19, Georgia Governor Brian Kemp announced that Georgia has received $552 million from the federal government to implement a rental assistance program. The Georgia Department of Community Affairs will be administering the Georgia Rental Assistance program (subject to the still-developing U.S. Treasury guidelines), which will make payments directly to the landlords and utility providers of eligible individuals. To qualify for the program, a household must have:
- Qualified for unemployment benefits or experienced a reduction in household income, incurred significant costs, or experienced other financial hardship due directly or indirectly to Covid-19;
- Demonstrated a risk of experiencing homelessness or housing instability; and
- A household income at or below 80% of the Area Median Income (AMI), with priority given to: 1) households below 50% of the AMI, or 2) households with one or more individuals who have been unemployed 90 days or longer.
Payments are generally capped at 12 months of rent and utilities, but may extend to 15 under certain circumstances.
The Hawaii Department of Financial Institutions extended interim guidance permitting certain licensees with a physical presence to reduce hours or work from home to coincide with local mayor’s orders (see previous coverage here, here, here and here). The department explained that licensees may continue work from home status until applicable mayor’s orders are lifted. The department will also continue remote work status.