
InfoBytes Blog

Financial Services Law Insights and Observations


  • Insurers consider biometric exclusions as privacy cases increase

    Privacy, Cyber Risk & Data Security

    According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.

    Privacy/Cyber Risk & Data Security Insurance BIPA State Issues Courts Biometric Data

  • District Court says Massachusetts law will apply in choice-of-law privacy dispute

    Privacy, Cyber Risk & Data Security

    On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”

    In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.

    Privacy/Cyber Risk & Data Security Courts State Issues Massachusetts South Carolina Class Action

  • CFPB says states may regulate credit reporting markets

    Agency Rule-Making & Guidance

    On June 28, the CFPB issued an interpretive rule addressing states’ authority to pass consumer-reporting laws. Specifically, the Bureau clarified that states “retain broad authority to protect people from harm due to credit reporting issues,” and explained that state laws are generally not preempted unless they conflict with the FCRA or “fall within narrow preemption categories enumerated within the statute.” Under the FCRA, states have flexibility to enact laws involving consumer reporting that reflect challenges and risks affecting their local economies and residents and are able to enact protections against the abuse and misuse of data to mitigate these consequences. 

    Stating that the FCRA’s express preemption provisions have a narrow and targeted scope, the Bureau’s interpretive rule provided several examples such as (i) if a state law “were to forbid consumer reporting agencies [(CRA)] from including information about medical debt, evictions, arrest records, or rental arrears in a consumer report (or from including such information for a certain period of time), such a law would generally not be preempted”; (ii) a state law that prohibits furnishers from furnishing such information to a CRA would generally not be prohibited; and (iii) if a state law requires a CRA to provide information required by the FCRA at the consumer’s requests in a language other than English, such a law would generally not be preempted. The interpretive rule is effective upon publication in the Federal Register.

    The issuance of the interpretive rule arises from a notice received by the Bureau from the New Jersey attorney general concerning pending litigation that involves an argument that the FCRA preempted a state consumer protection statute. The Bureau stated that it “will continue to consider other steps to promote state enforcement of fair credit reporting along with other parts of federal consumer financial protection law,” including “consulting with states whenever interpretation of federal consumer financial protection law is relevant to a state regulatory or law enforcement matter, consistent with the State Official Notification Rule.” As previously covered by InfoBytes, the Bureau issued an interpretive rule last month, clarifying states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA.

    Agency Rule-Making & Guidance Federal Issues State Issues CFPB FCRA Consumer Finance Credit Report Consumer Reporting Agency

  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • FTC, Florida file complaint against grant funding operation

    Federal Issues

    On June 27, the FTC and the Florida attorney general filed a complaint against a Florida-based grant funding company and its owner (collectively, “defendants”) alleging that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act. According to the complaint, the defendants deceptively marketed grant writing and consulting services to minority-owned small businesses by, among other things, (i) promising grant funding that did not exist and/or was never awarded; (ii) misleading customers about the status of grant awards; and (iii) failing to honor a “money-back guarantee” and suppressing customer complaints. The complaint also alleged that the owner relied on funds that she acquired through the federal Paycheck Protection Program Covid-19 stimulus program to start the company. The U.S. District Court for the Middle District of Florida issued a restraining order with asset freeze, appointment of a temporary receiver, and other equitable relief order against the defendants, which also prohibits them from engaging in grant funding business activities.

    Federal Issues State Issues FTC Enforcement State Attorney General Florida Covid-19 FTC Act Deceptive UDAP

  • DFPI seeks to regulate commercial financial products and services under the CCFPL

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, the CCFPL became law in 2020 and, among other things, (i) establishes UDAAP authority for the DFPI; (ii) authorizes the DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful (thus going beyond both Dodd-Frank and existing California law); (iii) provides the DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that enforcement of the CCFPL will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), the law expands the DFPI’s oversight authority to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.

    The NPRM proposes new rules to implement sections 22159, 22800, 22804, 90005, 90009, 90012, and 90015 of the CCFPL related to the offering and provision of commercial financing and other financial products and services to small businesses, nonprofits, and family farms. According to DFPI’s notice, section 22800 subdivision (d) authorizes the Department to define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing. Section 90009, subdivision (e), among other things, authorizes the Department’s rulemaking to include data collection and reporting on the provision of commercial financing or other financial products and services.

    Among other things, the NPRM:

    • Clarifies that the CCFPL makes it unlawful for covered providers, as defined, to engage in unfair, deceptive, or abusive acts or practices;
    • Provides standards for determining whether an act or practice is unfair, deceptive, or abusive;
    • Defines small business, nonprofit, and family farm, among other terms;
    • Clarifies DFPI's ability to enforce the regulation’s provisions;
    • Requires covered providers to submit annual reports containing information about their provision of commercial financing or other financial products and services to small businesses, nonprofits, and family farms;
    • Identifies persons excluded from the reporting requirement;
    • Specifies the information required in the reports, and provides guidance on calculating or determining certain information;
    • Clarifies the obligations of those also submitting annual reports to DFPI as licensees under the California Financing Law.

    Written comments on the NPRM are due by August 8.

    State Issues Agency Rule-Making & Guidance DFPI California Commercial Finance UDAAP Small Business Financing

  • Hawaii enacts licensing legislation

    On June 17, the Hawaii governor signed two bills into law. HB 2113 permits money transmitter license applicants to submit to either a state or federal criminal history record check, rather than both, upon application. SB 1105 establishes that, in addition to application fees, and any fees required by NMLS, a mortgage loan originator licensee must pay a mortgage loan recovery fund fee of $200, and upon application for renewal of a license, a mortgage loan originator licensee must pay $100. The bill also permits a person aggrieved by the fraud, misrepresentation, or deceit of a mortgage loan originator company licensee to receive restitution payment upon a final court order. The bills are effective July 1.

    Licensing State Issues State Legislation Hawaii Money Service / Money Transmitters Mortgages Mortgage Origination NMLS

  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “‘unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthen its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (iii) instituting multi-factor authentication for remote email access; (iv) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (v) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (vi) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

  • 5th Circuit remands nonjudicial foreclosure suit back to state court

    Courts

    On June 16, the U.S. Court of Appeals for the Fifth Circuit held that a plaintiff borrower’s requested damages in a foreclosure lawsuit did not exceed the federal jurisdictional threshold amount of $75,000, and sent the case back to Texas state court. The plaintiff sued the financial institution in state court after it sought a nonjudicial foreclosure on his house, asserting violations of the Texas Debt Collection Act, breach of the common-law duty of cooperation, fraud, and negligent misrepresentation. The suit was removed to the U.S. District Court for the Northern District of Texas, with the defendant arguing that the suit automatically stayed its nonjudicial foreclosure sale, thus putting the value of the house ($427,662) as the amount in dispute, instead of the plaintiff’s requested relief of $74,500. The plaintiff moved to remand the case to state court on the premise “that the amount in controversy could not exceed the stipulated maximum of $74,500.” The district court denied the plaintiff’s motion, ruling that it “had to measure the amount in controversy ‘by the value of the object of the litigation,’” and not by what the plaintiff’s complaint says the damages were not to exceed.

    In reversing and remanding the case to state court, the 5th Circuit concluded that, because the defendant did not show that the automatic stay brought the house’s value into controversy, it “failed to establish by a preponderance of the evidence that the amount in controversy exceeded $75,000.” The appellate court agreed with the plaintiff’s assertion that the house was simply collateral and “thus irrelevant to the amount in controversy,” writing that “[i]t is well-settled that neither the collateral effect of a suit nor the collateral effect of a judgment may count toward the amount in controversy.” The 5th Circuit also determined that the plaintiff expressly stipulated in both his original state-court petition and in a declaration “that he is seeking total damages not to exceed $74,500,” and that this stipulation is legally binding.

    Courts Appellate Fifth Circuit Debt Collection Foreclosure Mortgages State Issues Texas

  • California appeals court says lender cannot move bitcoin loan suit to Delaware

    Courts

    On June 14, the California Court of Appeal for the Second Appellate District reversed a trial court’s decision staying a suit against a lender and its loan payment processor (collectively, “defendants”) and enforcing a Delaware forum selection clause. The appeals court held that the plaintiff borrower’s unwaivable right to a jury trial under California law could be violated if the case proceeded in Delaware. According to the opinion, the plaintiff obtained $2.275 million in loans secured by bitcoin from the lender (a Delaware LLC that is licensed and regulated by California’s Department of Financial Protection and Innovation). When the value of bitcoin dropped, the lender sold the plaintiff’s bitcoin under the terms of the governing loan agreements. The plaintiff sued, “seeking, among other things, damages, return of his bitcoin, and cancellation of the loan agreements.” The defendants moved to stay the case because the Delaware forum selection clause required the case to be litigated in Delaware. The plaintiff countered that transferring the case to Delaware would “substantially diminish” his unwaivable rights under California law. The trial court eventually concluded that transferring the case to Delaware would not diminish the plaintiff’s rights and granted the stay pending litigation in Delaware. The trial court also stayed a second suit brought by the plaintiff alleging violations of California’s Unfair Competition Law and False Advertising Law, holding that the second suit involved the same primary rights as the first suit.

    In reviewing the consolidated cases, the appeals court determined, among other things, that the Delaware forum selection clause in this case contains a predispute jury waiver. “Because California has a fundamental policy against such a waiver, Defendants carry the burden of proving that Delaware would not diminish this important right,” the appeals court wrote, adding that under Delaware law “contractual provisions that waive the contracting parties’ right to trial by jury have been upheld, and relevant case law provides insufficient assurance that Delaware courts will apply California’s important public policy to this dispute.” Additionally, the appeals court concluded that the defendants’ proposed “offer to stipulate that the Delaware court should apply California law” provides “little assurance that a Delaware court would enforce such a stipulation under the facts present here.”

    Courts State Issues Digital Assets Cryptocurrency Fintech Appellate California Delaware
