
InfoBytes Blog

Financial Services Law Insights and Observations



  • FTC to review potential updates to federal privacy rules

    Agency Rule-Making & Guidance

    On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to the federal privacy rules governing how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate staff and public recommendations on changing the Gramm-Leach-Bliley Act Safeguards Rule (the Rule) in light of potential conflicts between the Rule and state, local, or other federal laws or regulations. As previously covered by InfoBytes, the FTC requested comments on the Rule in 2016, seeking feedback on several specific questions relating to the Rule’s economic impact and benefits, potential conflicts, and how technological, economic, or other industry changes would affect the Rule.

    Among other things, the FTC’s regulatory agenda will also address (i) 2016 amendments to the Telemarketing Sales Rule; (ii) the periodic review of identity theft rules; (iii) issues related to the privacy of consumer financial information concerning vehicle disclosures; and (iv) credit monitoring for active duty military as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act.

    Agency Rule-Making & Guidance FTC Rulemaking Agenda Privacy/Cyber Risk & Data Security Safeguards Rule Gramm-Leach-Bliley EGRRCPA

  • Court approves $115 million settlement for health insurer data breach

    Privacy, Cyber Risk & Data Security

    On August 15, the U.S. District Court for the Northern District of California gave final approval to a $115 million class action settlement resolving claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes, in June 2017 the health insurer and plaintiffs reached the $115 million agreement over the 2015 breach, which exposed consumers’ and employees’ Social Security numbers, birth dates, and other personal data to hackers. The settlement provides for (i) two years of credit monitoring; (ii) reimbursement of out-of-pocket costs related to the breach; and (iii) an alternative cash payment for class members who had already obtained credit monitoring services. Objectors challenged the settlement after the initial deal was struck, but the court noted that they “ignore that the [s]ettlement provides the class with a timely, certain, and meaningful recovery.” The court also found that the objectors failed to account for the “strong message” the settlement sends to the health insurer, stating that “a settlement does not need to provide for all possible recoverable damages to deter wrongdoing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Settlement

  • District Court agrees with FTC, enters $5 million judgment against credit monitoring scheme

    Courts

    On June 26, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment, concluding that no reasonable jury could find the defendants’ scheme, which used false rental property ads to enroll consumers in credit monitoring services without their knowledge, to be anything other than unfair or deceptive. The FTC argued that the scheme, which used the promise of a free credit report to enroll consumers in a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” The court also agreed with the FTC that the defendants’ website was materially misleading because its net impression was that consumers were obtaining a free credit report, as the defendants claimed, rather than “enrolling in a monthly credit monitoring service” for $29.94 a month.

    The court entered a judgment ordering the defendants to pay over $5 million in equitable monetary relief to the FTC and prohibiting defendants from, among other things, charging consumers for any credit monitoring services and disclosing or using any collected consumer information. The defendants must also submit to compliance reporting and monitoring by the FTC.

    Courts FTC Act Credit Report Credit Monitoring FTC

  • Trump signs legislation enacting bipartisan regulatory relief bill

    Federal Issues

    On May 24, President Trump signed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) (the bill), which modifies provisions of the Dodd-Frank Act and eases certain regulations on smaller banks and credit unions. Upon signing, the White House released a statement quoting the president: “[c]ommunity banks are the backbone of small business in America. We are going to preserve our community banks.”

    On May 22, the House passed the bipartisan regulatory reform bill by a vote of 258-159. The bill was crafted by Senate Banking, Housing, and Urban Affairs Committee Chairman Mike Crapo, R-Idaho, and passed by the Senate in March. The House passed the bill without any changes to the Senate version, even though House Financial Services Chairman Jeb Hensarling had originally pushed for additional reform provisions to be included. Specifically, the bill does not include certain provisions that were part of Hensarling’s Financial CHOICE Act, such as (i) a complete repeal of the Volcker Rule; (ii) subjecting the CFPB to the Congressional appropriations process and restructuring the agency as a bipartisan commission; and (iii) reducing the Financial Stability Oversight Council’s (FSOC) authority to designate nonbank financial institutions as Systemically Important Financial Institutions (SIFIs).

    In response to the bill’s passage, Comptroller of the Currency Joseph Otting issued a statement supporting the regulatory changes and congratulating the House: “[t]his bill restores an important balance to the business of banking by providing meaningful reductions of regulatory burden for community and regional institutions while safeguarding the financial system and protecting consumers.” Additionally, acting CFPB Director Mick Mulvaney applauded Congress, noting that the reforms to mortgage lending were “long overdue” and calling the bill “the most significant financial reform legislation in recent history.”

    As previously covered by InfoBytes, the highlights of the bill include:

    • Improving consumer access to mortgage credit. The bill’s provisions state, among other things, that: (i) banks with less than $10 billion in assets are exempt from ability-to-repay requirements for certain qualified residential mortgage loans held in portfolio; (ii) appraisals will not be required for certain transactions valued at less than $400,000 in rural areas; (iii) banks and credit unions that originate fewer than 500 open-end and 500 closed-end mortgages are exempt from HMDA’s expanded data disclosures (the provision would not apply to nonbanks and would not exempt institutions from HMDA reporting altogether); (iv) amendments to the S.A.F.E. Mortgage Licensing Act will provide registered mortgage loan originators in good standing with 120 days of transitional authority to originate loans when moving from a federal depository institution to a non-depository institution or across state lines; and (v) the CFPB must clarify how TRID applies to mortgage assumption transactions and construction-to-permanent home loans, as well as outline certain liabilities related to model disclosure use.
    • Regulatory relief for certain institutions. Among other things, the bill simplifies capital calculations and exempts community banks from Section 13 of the Bank Holding Company Act if they have less than $10 billion in total consolidated assets. The bill also states that banks with less than $10 billion in assets, and total trading assets and liabilities not exceeding more than five percent of their total assets, are exempt from Volcker Rule restrictions on trading with their own capital.
    • Protections for consumers. Included in the bill are protections for veterans and active-duty military personnel such as: (i) permanently extending from nine months to one year the protection that shields military personnel from foreclosure proceedings after they leave active military service; and (ii) adding a requirement that credit reporting agencies provide free credit monitoring services and credit freezes to active-duty military personnel. The bill also addresses the creation of an identity theft protection database. Additionally, the bill instructs the CFPB to draft federal rules for the underwriting of Property Assessed Clean Energy loans (PACE loans), which would be subject to the TILA ability-to-repay requirement.
    • Changes for bank holding companies. Among other things, the bill raises the threshold for automatic designation as a SIFI from $50 billion in assets to $250 billion. The bill also subjects banks with $100 billion to $250 billion in total consolidated assets to periodic stress tests and exempts from stress test requirements entirely banks with under $100 billion in assets. Additionally, certain banks would be allowed to exclude assets they hold in custody for others—provided the assets are held at a central bank—when computing the amount such banks must hold in reserves.
    • Protections for student borrowers. The bill’s provisions include measures to prevent creditors from declaring an automatic default or accelerating the debt against a borrower on the sole basis of bankruptcy or cosigner death, and would require the removal of private student loans on credit reports after a default if the borrower completes a loan rehabilitation program and brings payments current.

    The bill’s provisions take effect at various intervals, from the date of enactment up to 18 months after.

    Federal Issues Federal Legislation Consumer Finance CFPB HMDA Volcker Rule Dodd-Frank SIFIs TRID U.S. House U.S. Senate S. 2155 Community Banks EGRRCPA

  • Senators release report on credit reporting agency from data in CFPB’s public complaint database

    Federal Issues

    On April 30, three Democratic members of the Senate Banking Committee released a report addressing publicly available complaints the CFPB received following a national credit reporting agency’s 2017 data breach announcement. In a letter to the CFPB accompanying the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protect the millions of consumers harmed by the breach.” The Senators also urged the CFPB to keep consumer complaints public, citing recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement—which reportedly affected 143 million American consumers—the CFPB received over 20,000 complaints against the company. Among those complaints, the issues consumers raised include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.

    Federal Issues CFPB Consumer Complaints Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

  • FDIC OIG releases Special Inquiry Report to address breach response plan

    Privacy, Cyber Risk & Data Security

    On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report—“The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches”—which contains findings from an examination of the FDIC’s practices and policies related to data security, incident response and reporting, and Congressional interactions. The Special Inquiry Report is the culmination of a request made by the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs in 2016, and focuses on the circumstances surrounding eight information security incidents that occurred in 2015 and 2016—seven of which involved personally identifiable information and constituted data breaches. An eighth incident involved the removal of “highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization” by a departing FDIC employee.

    According to the report, the OIG found that the FDIC failed to, among other things, (i) put in place a “comprehensive incident response program and plan” to handle security incidents and breaches; (ii) clearly document risk assessments and decisions associated with data incidents; (iii) fully consider the range of impacts on bank customers whose information was compromised; (iv) promptly notify consumers when an incident occurred, and treat notification as a decision separate from whether to offer credit monitoring services; (v) convey the seriousness of the breach in at least one incident; and (vi) provide timely, accurate, and complete responses to Congressional requests for information about how the agency was handling the incidents.

    As a result of these findings, the OIG presented recommendations and timeframes for the FDIC to “address the systemic issues.” Recommendations include: (i) clearly defining roles and responsibilities within the FDIC Breach Response Plan, and establishing procedures “consistent with legal, regulatory, and/or operational requirements for records management”; (ii) establishing a separation between consumer breach notifications and the offer of credit monitoring services; (iii) adhering to established timeframes for reporting incidents to FinCEN when suspicious activity report information has been compromised; (iv) conducting an annual review of the Breach Response Plan to confirm that the guidance has been consistently followed during the preceding year; (v) developing guidance and training to ensure that employees and contractors are fully aware of the legal consequences of removing any sensitive information from FDIC premises before they depart; (vi) ensuring that FDIC policies, procedures, and practices result in complete, accurate statements and representations to Congress, and updating and correcting prior statements and representations as necessary; (vii) clarifying “legal hold policies and processes”; and (viii) specifying that the Office of Legislative Affairs is responsible for “providing timely responses to Congressional requests and communicating with Congressional staff regarding those requests.”

    The FDIC concurred with the recommendations and has completed corrective actions for two, with plans to address the remaining recommendations between June and December of this year. The FDIC has also agreed to keep the OIG informed of the progress made to address the identified performance issues.

    Privacy/Cyber Risk & Data Security FDIC OIG Data Breach Congress Senate Banking Committee

  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. It also prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Michigan, Utah, Washington, and Virginia recently enacted similar prohibitions (previously covered by InfoBytes).

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach Credit Reporting Agency Security Freeze State Legislation

  • Senate passes bipartisan financial regulatory reform bill

    Federal Issues

    On March 14, by a vote of 67-31, the Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) (the bill)—a bipartisan regulatory reform bill crafted by Senate Banking, Housing, and Urban Affairs Committee Chairman Mike Crapo, R-Idaho—that would repeal or modify provisions of Dodd-Frank and ease regulations on all but the biggest banks. (See previous InfoBytes coverage here.) The bill’s highlights include:

    • Improving consumer access to mortgage credit. The bill’s provisions state, among other things, that: (i) banks with less than $10 billion in assets are exempt from ability-to-repay requirements for certain qualified residential mortgage loans; (ii) appraisals will not be required for certain transactions valued at less than $400,000 in rural areas; (iii) banks and credit unions that originate fewer than 500 open-end and 500 closed-end mortgages are exempt from HMDA’s expanded data disclosures (the provision would not apply to nonbanks and would not exempt institutions from HMDA reporting altogether); (iv) amendments to the S.A.F.E. Mortgage Licensing Act will provide registered mortgage loan originators in good standing with 120 days of transitional authority to originate loans when moving from a federal depository institution to a non-depository institution or across state lines; and (v) the CFPB must clarify how TRID applies to mortgage assumption transactions and construction-to-permanent home loans, as well as outline certain liabilities related to model disclosure use.
    • Regulatory relief for certain institutions. Among other things, the bill simplifies capital calculations and exempts community banks from Section 13 of the Bank Holding Company Act if they have less than $10 billion in total consolidated assets. The bill also states that banks with less than $10 billion in assets, and total trading assets and liabilities not exceeding more than five percent of their total assets, are exempt from Volcker Rule restrictions on trading with their own capital.
    • Protections for consumers. Included in the bill are protections for veterans and active-duty military personnel such as: (i) permanently extending the protection that shields military personnel from foreclosure proceedings after they leave active military service from nine months to one year; and (ii) adding a requirement that credit reporting agencies provide free credit monitoring services and credit freezes to active-duty military personnel. The bill also addresses general consumer protection options such as expanded credit freezes and the creation of an identity theft protection database. Additionally, the bill instructs the CFPB to draft federal rules for the underwriting of Property Assessed Clean Energy loans (PACE loans), which would be subject to TILA consumer protections.
    • Changes for bank holding companies. Among other things, the bill raises the threshold for automatic designation as a systemically important financial institution from $50 billion in assets to $250 billion. The bill also subjects banks with $100 billion to $250 billion in total consolidated assets to periodic stress tests and exempts from stress test requirements entirely banks with under $100 billion in assets. Additionally, certain banks would be allowed to exclude assets they hold in custody for others—provided the assets are held at a central bank—when computing the amount such banks must hold in reserves.
    • Protections for student borrowers. The bill’s provisions include measures to prevent creditors from declaring an automatic default or accelerating the debt against a borrower on the sole basis of bankruptcy or cosigner death, and would require the removal of private student loans on credit reports after a default if the borrower completes a loan rehabilitation program and brings payments current.

    The bill now advances to the House where both Democrats and Republicans think it is unlikely to pass in its current form.

    Federal Issues Federal Legislation Bank Regulatory Dodd-Frank S. 2155 CFPB HMDA Mortgages Licensing TILA TRID Servicemembers Volcker Rule Student Lending Consumer Finance Bank Holding Companies Community Banks Privacy/Cyber Risk & Data Security EGRRCPA

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and to assist consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to the consumer protection activities of all state agencies, announced the adoption of the regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a December 12 press release from the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division in administering the Program effectively;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitution of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues Security Freeze
