
InfoBytes Blog

Financial Services Law Insights and Observations


  • Wyoming to issue stable tokens

    State Issues

    On March 17, the Wyoming governor signed SF 127 enacting the Wyoming Stable Token Act, creating the Wyoming stable token commission, and authorizing the issuance of stable tokens in the state. Under the Act, a Wyoming stable token is “a virtual currency representative of and redeemable for one (1) United States dollar held in trust by the state of Wyoming” that may only be issued in exchange for one U.S. dollar. Stable tokens will be issued by the Wyoming stable token commission—created by the Act and to be comprised of no more than four virtual currency/fintech subject matter experts. The commission is authorized to, among other things, (i) establish “the means used to issue, maintain and manage the Wyoming stable tokens and the manner of and requirements for redemption”; (ii) select which financial institutions will manage the stable tokens, and make and enter into contracts and arrangements for such services; (iii) seek rulings and other guidance from federal agencies related to the provisions outlined in the Act; (iv) prior to issuing any such tokens, issue a comprehensive report to a select committee overseeing blockchain, financial technology, and digital innovation technology, among others, on all actions taken under the Act; and (v) promulgate rules and regulations as necessary to administer the Act and ensure compliance. The Act also outlines criteria relating to liability limitations and requires that the commission endeavor to issue at least one Wyoming stable token no later than December 31.

    State Issues Digital Assets Wyoming Virtual Currency State Legislation

  • Iowa becomes sixth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).

    • Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
    • Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also inform a consumer, without undue delay, of its justification should it decline to take action regarding the consumer’s request, and provide instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contracts that purport to waive or limit consumer rights shall be deemed void and unenforceable.
    • Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
    • Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
    • Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
    • Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.

    The Act takes effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Iowa Consumer Protection

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • SEC charges companies and executives for operating an unregistered exchange

    Securities

    On March 29, the SEC filed a complaint in the U.S. District Court for the Northern District of Illinois against a cryptocurrency trading platform and its executives for allegedly failing to register as a national securities exchange, broker, and clearing agency. The SEC also claimed the founder of the platform used it to raise $8 million in an unregistered token offering and misappropriated at least $900,000 for personal use. Additionally, the SEC charged certain defendant “market makers” operating on the platform as unregistered dealers. The complaint flagged certain defendants as being responsible for maintaining and providing the platform that facilitated the crypto assets that were offered and sold as securities and cited other defendants for operating as an unregistered exchange, broker, and clearing agency or as unregistered dealers.

    According to the SEC’s announcement, some of the defendants—without admitting or denying the allegations—“have agreed to perform certain undertakings, including ceasing all activities as an unregistered exchange, clearing agency, broker, and dealer; shutting down the [platform]; providing an accounting of assets and funds for the benefit of customers; transferring all customer assets and funds to each respective customer; and destroying any and all [tokens] in [one of the defendant company’s] possession.” These defendants have agreed to permanent injunctions prohibiting them from engaging in future securities law violations and will pay civil penalties collectively totaling $165,800. Two of these defendants have also agreed to pay a combined amount of $62,779 in disgorgement and prejudgment interest. The SEC said it is continuing to litigate its charges against other defendants for securities fraud and for offering unregistered tokens.

    Securities SEC Enforcement Digital Assets Cryptocurrency Courts

  • Utah repeals some collection agency registration requirements

    On March 17, the Utah governor signed HB 20 to repeal several of the state’s collection agency statutory provisions. Specifically, the bill repeals provisions that (i) require collection agencies to register with the Division of Corporations and Commercial Code and have on file sufficient bond in the amount of $10,000 (see Sections 12-1-1 and 12-1-2); (ii) stipulate bond terms and require certain records relating to registrations and bonds to be maintained with the Division and open to public inspection (see Sections 12-1-3 and 12-1-5); (iii) relate to violations and penalties and specify that “[a]ny person, member of a partnership, or officer of any association or corporation who fails to comply with any provision of this title is guilty of a class A misdemeanor” (see Section 12-1-6); (iv) outline exceptions (see Section 12-1-7); (v) govern assignments of debts involving collection agencies and limit activities as to the assignments (see Section 12-1-8); (vi) specify that information about a consumer’s credit rating or credit worthiness sent to a consumer reporting agency is void if the collection agency does not have a bond on file (see Section 12-1-9); and (vii) require certain registration forms and application fees for collection agencies seeking approval to conduct business in Utah (see Section 12-1-10). Limitations and terms of collection fees and convenience fees imposed by creditors or third-party debt collection agencies will remain unchanged by the amendments (see Section 12-1-11). The changes take effect May 3.

    Licensing State Issues State Legislation Utah Debt Collection

  • Arkansas amends LO sponsorship licensing requirements

    On March 21, Arkansas enacted HB 1439 to clarify the sponsorship process and amend licensing requirements under the state’s Fair Mortgage Lending Act. The amendments modify the definition of a “transitional loan officer license” to mean a license that is issued to an individual who is employed “and sponsored by” a licensed mortgage banker or mortgage broker. The term “sponsor” was also added and defined as a licensed mortgage broker or mortgage banker “that has assumed the responsibility for and agrees to supervise the actions of a loan officer or transitional loan officer.” HB 1439 also amends provisions relating to the termination of a loan officer’s license to provide that should the employment of a loan officer or a transitional loan officer be surrendered or canceled, a “sponsor shall terminate the sponsorship of the loan officer or transitional loan officer with the commissioner within thirty (30) days from the date that the loan officer or transitional loan officer ceased to be employed or ceased activities for the sponsor.” Sponsorship termination extinguishes any rights of a loan officer or a transitional loan officer to engage in mortgage loan activity. The license will be marked as “approved-inactive” until a licensed mortgage broker or mortgage banker files an application with the commissioner to sponsor the loan officer. The “approved-inactive” status may be changed to “approved” if a licensed mortgage broker or mortgage banker files an application for sponsorship, pays a $50 fee, and provides sponsorship notice to the commissioner. The amendments will take effect 90 days following the adjournment of the legislature.

    Licensing State Issues State Legislation Arkansas Mortgages Fair Lending

  • Virginia amends remote work requirements for mortgage companies

    On March 26, the Virginia governor signed HB 2389, which permits mortgage lenders and mortgage brokers to allow employees and exclusive agents to work remotely provided certain conditions are met. Requirements to conduct business out of a remote location include: (i) the establishment of written policies and procedures for remote work supervision; (ii) ensuring access to platforms and customer information adheres to the licensee’s comprehensive written information security plan; (iii) the employment of appropriate risk-based monitoring and oversight processes, as well as the agreement from employees or exclusive agents who will work remotely to comply with these established practices; (iv) banning in-person customer interaction at an employee’s or exclusive agent’s residence unless the residence is an approved office; (v) the proper maintenance of physical records; (vi) compliance with federal and state security requirements when engaging in customer interactions and conversations; (vii) access to the licensee’s secure systems via a virtual private network or comparable system with password protection; (viii) the installation and maintenance of security updates, patches, or other alterations; (ix) “the ability to remotely lock or erase company-related contents of any device or otherwise remotely limit access to a licensee’s secure systems”; and (x) the designation of the principal place of business as the mortgage loan originator’s registered location for the purposes of the Nationwide Mortgage Licensing System and Registry record, “unless such mortgage loan originator elects an office as a registered location.” The amendments also add definitions for “office” and “remote location.” The Act is effective July 1.

    Licensing State Issues State Legislation Virginia Mortgages Mortgage Origination NMLS

  • Oregon clarifies appraisal company registration authority

    On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.

    Licensing State Issues State Legislation Oregon Appraisal

  • OFAC sanctions individuals involved in Syria’s drug production and trafficking

    Financial Crimes

    On March 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated key individuals for supporting the regime of Syrian President Bashar al-Assad and the regime’s billion-dollar illicit drug production and trafficking enterprise. Taken in coordination with the UK, the designations, issued pursuant to Executive Orders 13572, 13582, and 13224, “also highlight the important role of Lebanese drug traffickers—some of whom maintain ties to Hizballah—in facilitating the export of Captagon[,]” the dangerous amphetamine at issue. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or subject to an enforcement action, OFAC warned.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Syria SDN List UK

  • Law firm settles breach claims related to health care data

    Privacy, Cyber Risk & Data Security

    On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advanced data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.

    Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York
