
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York announces $1.9 million data breach settlement with global retailer

    State Issues

    On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce retailer owns and operates two brands (collectively, “respondents”), which experienced a data breach that resulted in the theft of 39 million accounts, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.

    State Issues Privacy, Cyber Risk & Data Security New York Data Breach State Attorney General Enforcement Consumer Finance Settlement

  • North Carolina issues enforcement order against debt collection operation

    State Issues

    On October 10, the North Carolina attorney general announced a consent judgment with the president and CEO of two debt collection companies (collectively, “defendants”). According to the announcement, the AG sued the defendants in 2019 for allegedly engaging in illegal debt collection practices. The AG alleged that from 2012 to 2018, the CEO used his debt collection companies to buy unpaid consumer debt from a national corporation that sells rent-to-own household furniture, appliances, and electronics. Since 2018, he allegedly collected or attempted to collect on these unpaid debts from North Carolina consumers, even though he did not have the correct registration or permits to operate in the state. The AG further noted that the defendants allegedly sent customers simulated court notices that were not from the court and claimed they had committed a criminal violation by failing to return rented property. When consumers contacted the companies, they received debt collection threats. The defendants also filed criminal complaints in several counties that resulted in actual criminal summonses being issued against customers. Among other things, the defendants are ordered to forgive the debts of 20,000 individuals, refund 650 consumers, and pay fines. The defendants are also permanently banned from collecting debts in North Carolina, and are required to report compliance to the AG’s office.

    State Issues North Carolina State Attorney General Enforcement Debt Collection

  • NYDFS announces fair lending settlement with indirect auto lender

    State Issues

    On October 6, NYDFS announced a settlement with a New York State-licensed bank to resolve allegations that the bank violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the bank’s practices resulted in minority borrowers paying higher interest rates than non-Hispanic white borrowers regardless of their creditworthiness. According to the announcement, the bank allegedly “failed to effectively monitor automobile dealers from which [the bank] agreed to purchase loans, thereby allowing the dealers to charge members of protected classes more in discretionary dealer markups than borrowers identified as non-Hispanic White.” Under the terms of the consent order, the bank agreed to pay a $950,000 civil money penalty to the state, as well as restitution to eligible borrowers impacted during the period of January 1, 2017 through March 31, 2022. The bank also agreed to undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program to prevent discriminatory markups in the future.

    State Issues NYDFS State Regulators Enforcement Fair Lending Auto Finance Consumer Finance Markups New York

  • Colorado releases draft Colorado Privacy Act rules

    Privacy, Cyber Risk & Data Security

    On September 29, the Colorado attorney general published proposed draft Colorado Privacy Act (CPA) rules with the Colorado Department of Regulatory Agencies. (See Colorado Register here.) As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights. The CPA provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism.

    Pre-rulemaking considerations were released in April, where the AG’s office stated that it planned to adopt a principle-based model for the state’s rulemaking approach, rather than a prescriptive one (covered by InfoBytes here). Comments received on the pre-rulemaking considerations, as well as feedback received during two public listening sessions, were considered when drafting the proposed rules. The AG’s office explained that when considering feedback it sought to clarify the CPA, simplify compliance, and ensure consumer privacy rights granted by the statute are protected, while also attempting to create a legal framework that “does not overly burden technological innovation” while operating in conjunction with other national, state, and international data privacy laws.

    • Definitions. The proposed rules add new terms aside from those already set forth in the CPA. These include terms related to biometric data and identifiers (including behavioral characteristics), bona fide loyalty programs, data brokers, automated processing, publicly available data, opt-out purposes and mechanisms, sensitive data inferences, and solely automated processing. The term “sensitive data inferences” refers to inferences that indicate an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Controllers must obtain consent to process sensitive data inferences unless they meet specific requirements. Additionally, controllers must comply with certain retention and deletion requirements for this type of information.
    • Disclosures. The proposed rules provide that disclosures, notifications, and other communications to consumers must be clear, accessible, and understandable, and must be available in the languages in which the controller would ordinarily do business, as well as be accessible to consumers with disabilities (online notices should generally follow recognized industry standards such as version 2.1 of the Web Content Accessibility Guidelines).
    • Consumer personal data rights. The proposed rules outline requirements for submitting data rights requests, including through online and in-person methods, and require controllers to use reasonable data security measures when exchanging information. Among other things, requests should be easy to execute, require a minimal number of steps, and not require a consumer to create a new user account. Notably, a data rights request method does not have to be specific to Colorado, provided it “clearly indicates which rights are available to Colorado consumers.” Controllers must also provide instructions on how to appeal a data rights request decision.
    • Opt-out rights and mechanisms. Under the proposed rules, controllers must cease processing a consumer’s personal data for opt-out purposes as soon as feasibly possible but no later than 15 days after the request is received (authorized agents may exercise a consumer’s opt-out right provided certain criteria are met). A record of opt-out requests and responses also must be maintained. Clear and conspicuous opt-out methods must be provided in a controller’s privacy notice, as well as in a readily accessible location outside the privacy notice “at or before the time” the personal data is processed for opt-out purposes. The proposed rules also provide that the Colorado Department of Law will maintain a public list of universal opt-out mechanisms that have been recognized by the AG’s office as meeting the required standards. The proposed rules also provide details for deployment, and state that ease of use, implementation, and detection, among other factors, will be considered when determining which universal opt-out mechanisms will be recognized. Additionally, the proposed rules state that a universal opt-out mechanism may also be a “do not sell list” that controllers query in an automated manner.
    • Right of access, and right to correction, deletion, and data portability. The proposed rules outline controller requirements for handling consumers’ requests to access, correct, or delete their personal data, as well as instructions for complying with data portability requests. The proposed rules also consider instances where personal data may be corrected more quickly and easily through account settings than through the data rights review process.
    • Data minimization. Under the proposed rules, controllers would be required to “specify the express purposes” for which personal data is collected and processed in a manner that is “sufficiently unambiguous, specific, and clear.” Controllers must also consider each processing activity to determine whether it meets the requirement to use only the minimum personal information necessary, adequate, or relevant for the express purpose.
    • Data protection assessments. The proposed rules provide a list of 18 elements for controllers to include when assessing whether a processing activity presents a “heightened risk of harm,” including the specific purpose of the processing activity, procedural safeguards, alternative processing activities, discrimination harms, and the dates the assessment was reviewed and approved. The proposed rules also require that these assessments be revisited and updated at least annually in certain instances for fairness and disparate impact. Assessments are required for activities conducted after July 1, 2023, and are not retroactive.
    • Profiling. Under the proposed rules, controllers are obligated to clearly inform consumers when their personal data is being used for profiling. Consumers must also have the right to opt out of profiling in connection with decisions that result in legal or similar effects on consumers, and controllers that engage in profiling must provide additional disclosures in their privacy notices. A controller may deny a consumer’s request to opt out if there is human involvement in the automated processing, but is required to provide additional notice in such cases.

    The proposed rules also contain provisions addressing requirements for refreshing consent, how data right requests impact loyalty programs and the disclosures that are required for these programs, and how a consumer’s right to delete might impact a controller’s ability to provide program benefits.

    Comments on the proposed rules will be accepted between October 10 and February 1, 2023. On February 1, a proposed rulemaking public hearing will be held to hear testimony from stakeholders.

    Privacy, Cyber Risk & Data Security State Issues Colorado Colorado Privacy Act State Attorney General Consumer Protection

  • Arizona reaches $85 million settlement in location tracking suit

    Privacy, Cyber Risk & Data Security

    On October 4, the Arizona attorney general announced an $85 million settlement with an internet technology company to resolve allegations that it collected individuals’ location data for targeted advertising without users’ knowledge or consent or after users opted out of the feature through the platform’s settings. The AG initiated an investigation in 2018 into the company’s practices after sources claimed that the platform surreptitiously collected and sold location information through other settings even though users believed disabling the “Location History” setting would ensure this would not occur. The AG sued the company in 2020, claiming violations of the Arizona Consumer Fraud Act. Among other things, the AG alleged the company’s disclosures misled users into believing these other settings had nothing to do with tracking user location, and that the company used “deceptive and unfair practices to collect as much user information as possible” and made it difficult for users to understand what was being done with their data or opt out of data sharing. Without admitting any wrongdoing, the company agreed to the terms of the settlement agreement and will pay Arizona $85 million, of which the majority will go toward “education, broadband, and [i]nternet privacy efforts and purposes.”

    Privacy, Cyber Risk & Data Security State Issues Arizona Settlement State Attorney General

  • California amends certain debt collector licensing provisions

    On September 27, the California governor signed AB 156, which, among other things, amends various provisions of the Debt Collection Licensing Act to allow any debt collector that submits an application to the commissioner of the Department of Financial Protection and Innovation before January 1, 2023, to operate pending the approval or denial of the application. The amendments also authorize the commissioner to issue a conditional license pending the receipt and review of fingerprints and related information. Additional provisions state that a conditional license will expire under certain conditions, including the issuance of an unconditional license. The amendments also grant the commissioner authorization to deem an application abandoned. The amendments take effect January 1, 2023.

    Licensing State Issues State Legislation California DFPI Debt Collection Debt Collection Licensing Act

  • California amends protections for servicemembers and veterans

    State Issues

    On September 27, the California governor signed SB 1311 to enact the Military and Veteran Consumer Protection Act of 2022. The Act updates several provisions related to servicemembers and veterans, including amending existing law to provide that a person will be liable for an additional civil penalty of up to $2,500 for each violation if the person engages in “unfair competition, including any unlawful, unfair, or fraudulent business act or practice and unfair, deceptive, untrue, or misleading advertising,” against one or more servicemembers or veterans. Additionally, the Act amends certain provisions related to enforcement of the federal Military Lending Act (MLA). Specifically, the bill makes “any security interest in personal property other than a motor vehicle, off-highway vehicle, trailer, or aircraft void if it would cause a loan procured by specified service members in the course of purchasing the personal property to be exempt from the [MLA].” The Act also makes “any security interest in a motor vehicle void if it would cause a loan procured by specified service members in the course of purchasing the motor vehicle to be exempt from the [MLA] and the loan also funds the purchase of a credit insurance product or credit-related ancillary product.” The Act takes effect January 1, 2023.

    State Issues State Legislation California Military Lending Act Servicemembers Consumer Finance

  • FDIC releases August enforcement actions

    On September 30, the FDIC released a list of administrative enforcement actions taken against banks and individuals in August. During the month, the FDIC made public seven orders consisting of “one consent order, one order terminating consent order, two orders of prohibition from further participation and three orders granting permission to file application and approving application for consent to participate in the conduct of the affairs of any insured depository institution.” Among the orders is a consent order imposed against a Mississippi-based bank by the FDIC and the Mississippi Department of Banking and Consumer Finance, which alleged that the bank engaged in unsafe or unsound banking practices or violations of law relating to the Bank Secrecy Act (BSA). While the bank consented to the action, it did so without admitting or denying any charges. Under the consent order, the bank must, among other things: (i) develop, adopt, and implement a written customer due diligence program; (ii) develop and establish a system of internal controls; and (iii) establish and maintain an independent testing program for compliance with the BSA and its implementing rules and regulations. The bank must also “conduct a lookback review all transactions of $3M or more starting with July 1, 2020, through February 28, 2022, to ensure all suspicious activity is identified, investigated and/or a SAR filed or a documented decision not to file is completed.”

    Bank Regulatory Federal Issues FDIC Enforcement Financial Crimes Bank Secrecy Act State Issues State Regulators Mississippi Customer Due Diligence SARs

  • DFPI cracks down on crypto-asset Ponzi schemes

    State Issues

    On September 27, the California Department of Financial Protection and Innovation issued desist and refrain orders against 11 entities, including nine crypto asset trading platforms, one metaverse software development company, and one decentralized finance platform, for violating California securities laws. While each of the 11 entities allegedly offered and sold unqualified securities through their platforms and promised various fixed rates of return to investors, DFPI claimed that the entities actually engaged in Ponzi-like schemes and used investor funds to distribute supposed profits and returns to other investors. Additionally, DFPI accused the entities of “luring” new investors through referral programs that operated like pyramid schemes in which investors would be paid commissions to recruit new investors. Referring to these as “high yield investment programs (HYIPs),” DFPI claimed the entities provided investors with few details about the people operating the HYIPs, how the HYIPs make money, or how the HYIPs facilitate deposits and withdrawals with crypto assets, among other things. DFPI also accused 10 of the 11 entities of making material misrepresentations and omissions to investors about the qualifications of their securities under California law as well as the purported risks. DFPI said in its announcement that it had been directed by an executive order issued by the governor in May (covered by InfoBytes here) to initiate enforcement actions to stop violations of consumer financial laws and to increase residents’ awareness of the benefits and risks associated with crypto asset-related financial products and services.

    State Issues Digital Assets State Regulators California DFPI Enforcement Cryptocurrency Securities

  • States accuse crypto platform of offering unregistered securities

    State Issues

    On September 26, the New York attorney general sued a cryptocurrency platform for allegedly offering unregistered securities and defrauding investors. New York was joined by state regulators from California, Kentucky, Maryland, Oklahoma, South Carolina, Washington, and Vermont, who also filed administrative actions against the platform. The states alleged that the platform failed to register as a securities and commodities broker but told investors that it was fully in compliance. According to the New York AG’s complaint, the platform promoted and sold securities through an interest-bearing virtual currency account that promised high returns for participating investors. The NY AG said that a cease-and-desist letter was sent to the platform last year, and that while the platform stated it was “working diligently to terminate all services” in the state, it continued to handle more than 5,000 accounts as of July. The complaint charges the platform with violating New York’s Martin Act and New York Executive Law § 63(12), and seeks restitution, disgorgement of profits, and a permanent injunction.

    California’s Department of Financial Protection and Innovation (DFPI) said in a press release announcing its own action that it will continue to take “aggressive enforcement efforts against unregistered interest-bearing cryptocurrency accounts.” DFPI warned companies that crypto-interest accounts are securities and are therefore subject to investor protection under state law, including disclosure of associated risks.

    State Issues Digital Assets New York California State Regulators State Attorney General DFPI Courts Cryptocurrency Securities Enforcement
