InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
State Law Update: Hawaii and California Take Actions on Mortgages and Privacy
California AG Announces Privacy Enforcement Unit. On July 19, California Attorney General Kamala Harris announced the creation of the Privacy Enforcement and Protection Unit. The unit will combine the various existing privacy functions of the California Department of Justice to centrally enforce and protect consumer privacy. The unit will pursue civil prosecution of state and federal privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. These include laws relating to cyber privacy, financial privacy, identity theft, and data breaches, among others. The new unit will reside within the eCrime Unit, which was created in December 2011 to identify and prosecute identity theft crimes, cyber-crimes and other crimes involving the use of technology.
California Expands Servicemember Protections. On July 13, California enacted AB 2476, which expands the period of time during which servicemembers are protected from high interest rates. Under current law, a creditor cannot charge, during a servicemember’s period of military service, an interest rate in excess of 6% on any obligation or liability incurred by a servicemember before that person’s entry into service. The bill expands the interest rate protections to prevent an increase in any such rate on a mortgage, trust deed, or other security in the nature of a mortgage for one year after the period of military service.
Hawaii Enacts Multiple Mortgage-Related Bills and Legislation to Protect Personal Information. Recently, Hawaii enacted a set of bills related to mortgage origination and servicing. With regard to mortgage origination, S.B. 2763 amends the state SAFE Act to reflect changes to the federal law and to adjust originator registration fees. With regard to mortgage servicers, H.B. 2502 allows the Commissioner of Financial Institutions to require registration with the NMLS and makes it unlawful for a servicer to provide loan modifications without first complying with certain licensing requirements. Another bill, H.B. 1875 makes numerous changes to the state’s foreclosure laws, largely implementing recommendations from the Mortgage Foreclosure Task Force created by the state legislature in 2010. Finally, with regard to mortgages, H.B. 2375 establishes criminal penalties for certain violations of the state’s Mortgage Rescue Fraud Prevention Act. Hawaii also recently enacted S.B. 2419, which prohibits businesses from scanning a customer’s identification card or driver’s license with an electronic device capable of obtaining information electronically encoded on that identification card, except for specific purposes.
Congress Acts on Bills Regarding Protection of Information Submitted to CFPB and ATM Fee Disclosure Requirements
On July 12, Representatives Renacci (R-OH) and Perlmutter (D-CO) introduced H.R. 6125, a bill that would amend the Federal Deposit Insurance Act to grant protections to documents and information submitted by banks and nonbanks to the CFPB and state bank and financial regulators. H.R. 4014, a similar bill, previously passed the House with broad bipartisan support. The House also recently passed by a wide margin H.R. 4367, a bill to eliminate the EFTA requirement that ATM providers attach a fee disclosure placard to their machines. On July 17, Senate Banking Committee Chairman Johnson (D-SD) introduced with the support of Ranking Member Shelby (R-AL) S. 3394, which combines versions of H.R. 4014 and H.R. 4367 for Senate consideration.
NIST Proposes Update To Mobile Device Security Guidelines
On July 11, the National Institute of Standards and Technology released a proposed update to its guidelines for securing mobile devices. Originally published as Guidelines on Cell Phone and PDA Security, the proposed Guidelines for Managing and Securing Mobile Devices in the Enterprise offer new recommendations for devices used by the federal government. The draft guideline provide recommendations for developing centralized device management systems, with specific guidance related to (i) developing system threat models, (ii) establishing mobile device security policies, and (iii) implementing and testing prototype mobile device solutions, among other topics.
Senate Committee Explores Framework for Mobile Payments
On July 10, the Senate Banking Committee held the second hearing in a two-part series on developing a framework for safe and efficient mobile payment systems. A panel comprised of economic and legal experts in the area of mobile payments updated the Committee on the state of the market and provided ideas for establishing an appropriate regulatory framework that balances innovation and consumer protection. Among other topics, the panelists and Senators discussed information collection and use and the related privacy and data security risks to consumers, as well as to merchants taking mobile payments. At the first hearing in the series, held in March, the Committee received testimony from regulatory experts from the Federal Reserve System. During that hearing the Committee sought information about the current roles of regulators with regard to mobile payments, and potential gaps in the regulatory structure. The House Financial Services Committee recently concluded a similar series in which it explored the regulatory structure for mobile payments and assessed the market impacts of mobile payment advances.
FFIEC Issues Statement on Cloud Computing Vendors
On July 10, the federal banking regulators, through the Federal Financial Institutions Examination Council (FFIEC), published a statement on outsourcing of cloud computing services by financial institutions. The statement explains that the regulators consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing. The statement goes on to outline the key risks of outsourced cloud computing, focusing on due diligence, vendor management, information security, audits, legal and regulatory compliance, and business continuity planning. The statement concludes that “[c]loud computing may require more robust controls due to the nature of the service. When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service.”
Mobile App Developer Agrees to Stop Collecting and Using Children's Data in Settlement
On June 27, the New Jersey Attorney Generals office announced a consent decree and injunction against 24x7digital LLC, a mobile app company, settling charges under the Childrens Online Privacy Protection Act (COPPA). The company created a series of apps for children in preschool through second grade that encouraged children to provide their first and last names and photos for personal profiles. Under the settlement, the company agreed to stop collecting, using, and disclosing childrens personal information without verifiable parental consent. The company also agreed to provide direct notice to parents of the types of information it collects and what it does with that information.
Massachusetts Federal Court Finds On-Demand Web Streaming Service Falls within the ADA's Scope
On June 19, the U.S. District Court for the District of Massachusetts ruled that Netflix’s “Watch Instantly” on-demand movie and television streaming service is a “place of public accommodation” subject to the Americans with Disabilities Act’s (ADA) bar on disability-based discrimination. Nat’l Ass’n of the Deaf v. Netflix, Inc., No. 11-30168 (D. Mass. June 19, 2012). Plaintiffs asserted that the streaming service provided inadequate closed-captioned content and sought declaratory and injunctive relief directing the company to provide closed-captioning for all “Watch Instantly” offerings. Netflix moved for judgment on the pleadings, arguing that the ADA did not apply to its on-demand service and that the Twenty-First Century Communications and Video Accessibility Act of 2010 (CVAA) precluded the plaintiffs’ interpretation of the ADA. The court disagreed, finding that the plaintiffs adequately pled their claim that the scope of the ADA applies to the company’s on-demand service. In addition, the court rejected the company’s argument that the CVAA precluded the plaintiffs’ ADA claim, concluding that the CVAA’s specific requirements related to captioning of streamed video did not present an irreconcilable conflict with the ADA.
FTC Sues Hotel Corporation and Subsidiaries Over Data Protection Practices
On June 26, the FTC filed a complaint in the U.S. District Court for the District of Arizona alleging that Wyndham Worldwide Corporation (and several of its subsidiaries) violated the FTC Act by misrepresenting the adequacy of their data security procedures. The FTC specifically maintains that Wyndham and its subsidiaries engaged in unfair and deceptive practices when they represented on their website that they maintained measures adequate to protect customers’ personal information. In truth, the FTC alleges, Wyndham failed to maintain such protections. According to the FTC, the companies’ lack of reasonable data security allowed intruders to obtain unauthorized access to that information on three separate occasions. These breaches purportedly resulted in more than $10.6 million in fraud loss and the export—to a foreign-registered domain—of payment card account information for hundreds of thousands of consumers.
California Supreme Court Ruling Stops Convenience Check Class Action
On June 21, the California Supreme Court held that the National Bank Act (NBA) preempts California Civil Code section 1748.9, which requires that certain disclosures accompany preprinted checks provided by a credit card issuer to its cardholders. Parks v. MBNA Am. Bank, N.A., No. S183703, 2012 WL 2345006 (Cal. June 21, 2012). In a unanimous decision, the court concluded that the NBA preempts section 1748.9 because the law is an obstacle to the broad grant of power given to national banks to conduct the business of banking. The court held that the specific disclosure obligations imposed by section 1748.9, including precise language and placement of the disclosures, exceeded any federal law requirements. In addition, the court recognized that the NBA was intended to prevent banks from complying with a patchwork of local disclosure requirements like section 1748.9.
House Committee Approves Legislation to Alter ATM Fee Disclosure Requirement
On June 27, the House Financial Services Committee unanimously approved H.R. 4367, which would amend the Electronic Fund Transfer Act to remove the requirement that ATMs attach a placard disclosing fees. Instead, the bill would require only that fees be disclosed on the ATM screen.