
InfoBytes Blog

Financial Services Law Insights and Observations


  • State Law Update: NAAG to Focus on Privacy; Vermont, Connecticut, Oklahoma Make E-Commerce Changes

    Fintech

    Incoming NAAG President to Focus on Privacy Issues. On June 22, after being elected president of the National Association of State Attorneys General (NAAG), Maryland Attorney General Doug Gansler announced a year-long Presidential Initiative titled “Privacy in the Digital Age.” The Initiative will explore the best ways to manage consumer privacy risks in light of “emerging technologies and business models” that are challenging consumers’ ability to control their personal information. Through the Initiative, state Attorneys General will attempt to ensure that “the Internet’s major players protect online privacy and provide meaningful options for privacy control” to consumers.

    Two States Expand Data Breach Notification Requirements. Recently, Connecticut and Vermont altered their breach-reporting requirements for firms that experience a data breach. Connecticut’s revision – in the state’s annual budget bill, House Bill 6001 – expands existing breach notification provisions to include notification to the state attorney general and takes effect October 1, 2012. Vermont amended, in House Bill 254, its breach notice law to require consumer notice of a security breach within 45 days and notification to the attorney general within 14 days of discovery of the incident. The Vermont requirement was effective as of May 8, 2012.

    Oklahoma High Court Approves Rules for Electronic Filing and Signatures. On June 21, the Supreme Court of Oklahoma issued new state court rules governing the electronic filing of court documents in that state. These rules apply to a new statewide electronic management system that will replace the mix of electronic and paper-based record systems previously used in Oklahoma. Among other things, the rules provide for the use of electronic signatures where any statute or court rule requires a person’s signature in an Oklahoma state court. Like the new electronic system, the new rules will be phased in gradually; they become effective in each district and appellate court at the time the Oklahoma Unified Case Management System is implemented in that court.

    State Attorney General Electronic Signatures Privacy/Cyber Risk & Data Security

  • New York Appellate Court Holds Electronically Signed Affirmations Admissible

    Fintech

    On June 21, a New York state appellate court held that an electronically signed affirmation is admissible under state court rules. Martin v. Portexit Corp., No. 303854/07, 2012 WL 2344889 (N.Y. App. Div. June 21, 2012). In this personal injury case, the defendants moved for summary judgment in the trial court and relied on two electronically signed expert affirmations. In opposing the motion, the plaintiff argued that the electronically signed affirmations were inadmissible because they did not comply with court rules. The trial court agreed. On appeal, the court determined that the term “subscribed” in state court rules does in fact include electronic signatures; as such, electronic signatures have the same legal effect as handwritten signatures. Further, the court held that under the federal E-SIGN Act and state law, a party to a suit need not prove who placed the electronic signature on an affirmation.

    ESIGN Electronic Signatures

  • CFPB Launches Consumer Complaint Database

    Fintech

    On June 19, the CFPB released a beta version of its consumer complaint database. The database includes credit card complaints received on or after June 1, 2012. The CFPB plans to add credit card complaint data received prior to June 1, 2012 by the end of 2012. The database provides summary information related to (i) the issue identified in each complaint, (ii) the date of the complaint, (iii) the company named in the complaint, and (iv) the status and timeliness of the resolution. The credit card complaint database is governed by a CFPB Final Policy Statement, which addresses comments received in response to a 2011 version of the statement. Concurrent with the database launch, the CFPB released for public comment a Notice of Proposed Policy Statement that would extend the scope of the database to include all other financial services and products within the CFPB’s jurisdiction. The CFPB is accepting comments on the proposed expanded policy through July 19, 2012.

    Credit Cards CFPB

  • NTIA Announces First Privacy Stakeholder Meeting

    Fintech

    On June 15, the National Telecommunications and Information Administration (NTIA) announced that the first meeting of a privacy multistakeholder process will be held on July 12, 2012. The meeting is the first in a series intended to produce a code of conduct that will provide transparency in the handling of personal data by mobile application and services companies. The multistakeholder process derives from the White House’s Privacy Blueprint released in February 2012, which set forth a Consumer Privacy Bill of Rights and designed the multistakeholder process to develop legally enforceable codes of conduct across diverse business contexts.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • NIST Publishes Cloud Computing Guidance

    Fintech

    Recently, the National Institute of Standards and Technology (NIST) published a document entitled Cloud Computing Synopsis and Recommendations, which (i) reprises NIST’s definition of cloud computing, (ii) describes cloud computing benefits and open issues, (iii) presents an overview of the major classes of cloud technology, and (iv) provides guidance for organizations assessing cloud computing risks and opportunities. The NIST publication presents a range of factors to be considered as part of the overall business decision to employ cloud technology, including security issues related to data confidentiality and integrity. Although developed for use by federal agencies, the NIST report may influence policy decisions and may be a useful resource for private firms seeking to understand the benefits and risks of cloud technology.

    NIST Privacy/Cyber Risk & Data Security

  • FTC Settles FCRA Charges Against Data Broker

    Fintech

    On June 12, the FTC announced that a data broker agreed to settle charges that it marketed and sold consumer profiles to companies engaged in human resources, background screening, and recruiting without taking steps to protect consumer information as required by FCRA. The FTC claimed that the data broker operated as a consumer reporting agency and violated FCRA when it failed to ensure that the information it compiled and sold would be used only for permissible purposes. The broker also allegedly failed to ensure that consumer information it sold was accurate and failed to inform buyers of their FCRA obligations. Among other things, the settlement requires the data broker to pay an $800,000 civil penalty and prohibits the firm from any future violations of FCRA.

    FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • FTC Settles Privacy, Data Security Charges Based On Peer-to-Peer File Sharing Against Two Firms

    Fintech

    On June 7, the FTC announced two new cases (and simultaneous settlements), one against a debt collector and the other against an auto dealer, alleging privacy and data violations based on the use of peer-to-peer file sharing software. In both cases, the FTC claims that the firms allowed file-sharing software to be installed on company computers, thereby allowing files containing personal customer information to be accessed by any other person using a networked computer. Both companies, according to the FTC, (i) did not have adequate security plans, (ii) did not use reasonable measures to enforce compliance with existing security policies, (iii) did not adequately train employees, (iv) did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks, and (v) failed to assess risk to consumers. For the debt collector, the FTC alleges that the failures constituted an unfair act or practice in violation of the FTC Act. The FTC claims that the auto dealer also violated the FTC Act and, for the first time, charges an auto dealer with violations of certain Gramm-Leach-Bliley (GLB) Act rules. The settlement orders with both companies bar misrepresentations regarding the privacy, security, confidentiality, and integrity of any personal information and require that the firms establish comprehensive information security programs that will be audited every other year for 20 years. The auto dealer also is barred from violating the GLB rules at issue.

    FTC Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security

  • FCC Seeks Comments on Mobile Device Privacy, Data Security

    Fintech

    Recently, the FCC released a request for public comment on the privacy and data security of personal information on mobile devices.  The request focuses on the amount and types of consumer information that may be collected by carriers. For example, the FCC lists a series of factors, including (i) the degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores information, (ii) the manner in which the collected information is used, and (iii) the role of third parties in collecting and storing data, and asks which, if any, are relevant to assessing a wireless provider’s obligations under the Communications Act and the Commission’s implementing rules. The FCC will accept public comments for 30 days from publication of the request in the Federal Register. In 2007, the FCC similarly solicited comments and revised its rules under the Communications Act to tighten data security requirements and address pretexting.

    Mobile Commerce FCC Privacy/Cyber Risk & Data Security

  • Security at Financial Institution Service Provider Scrutinized by Regulators

    Fintech

    Recently, Fidelity National Information Services, Inc. (FIS), a company providing payment processing and other services to banks and other financial institutions, reportedly was the subject of a critical assessment by the FDIC. The FDIC report comes in the aftermath of a 2011 security breach at the company and a subsequent examination by the FDIC, OCC, and the Federal Reserve Bank of Atlanta. According to the report, the FDIC demanded that FIS immediately address eight issues, including risk management and information security issues. The FDIC allegedly also stated that actions taken by the company to date were insufficient given the regulatory concerns and weaknesses identified by the FDIC. The NCUA received the FDIC report and forwarded it to credit unions with an advisory note to use the report in managing vendor relations with FIS. The report on FIS comes as regulators are placing enhanced scrutiny on financial institutions’ relationships with third-party service providers. In April, the CFPB issued Bulletin 2012-03, providing guidance to regulated entities on the oversight of business relationships with service providers. The CFPB bulletin states that “[t]he CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships” and lists specific minimum steps that should be a part of service provider oversight.

    FDIC CFPB Vendors Privacy/Cyber Risk & Data Security

  • State Law Update: Michigan E-Signature Rule, Numerous Mortgage Licensing Changes

    Fintech

    Michigan Court Rule Change Allows Electronic Signatures. Recently, the Michigan Supreme Court approved a rule change that allows the use of electronic signatures for any document filed in the state court system, including any signature required by a law or court rule to be notarized or made under oath.

    Several States Adjust Mortgage Registration, Licensing Regulations. Recently, five states amended their laws to clarify the scope of their mortgage-related registration and licensing requirements. First, New Hampshire passed House Bill 247, which exempts from licensing requirements mortgage bankers and brokers who negotiate three or fewer residential mortgage loans in a calendar year. The bill will take effect July 13, 2012. New Hampshire also enacted House Bill 408 to provide an exemption for attorneys, which took effect on May 29, 2012. Second, Louisiana enacted, effective immediately, House Bill 508, which defines "regularly engaged" to clarify thresholds for activity requiring licensure as a mortgage loan originator or mortgage broker or lender. Third, Mississippi enacted Senate Bill 2897, which makes several changes to the state’s S.A.F.E. Mortgage Act including a change to the definition of mortgage loan originator to exclude certain activities. The changes go into effect July 1, 2012. Fourth, in Michigan, the Governor recently signed Senate Bill 908, which immediately amends the Mortgage Loan Originators Licensing Act to require, among other things, that a person have an approved sponsor in the NMLS in order to be licensed as a mortgage loan originator. Finally, New York enacted Senate Bill 3779, which as of January 1, 2013 will exempt from licensing any individual, person, partnership, association, corporation or other entity which makes three or fewer loans in a calendar year and no more than five in a two year period, provided that no such mortgage loans were solicited, processed, placed or negotiated by a mortgage broker, mortgage banker or exempt organization. New York also extended again its emergency rules regarding mortgage loan originator licensing, this time through August 12, 2012.

    Mortgage Licensing Electronic Signatures
