
InfoBytes Blog

Financial Services Law Insights and Observations


  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extended the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • 11th Circuit says one-year statutory notice period cannot be varied

    Courts

    On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela) maintained personal and commercial bank accounts at a Florida branch of the bank. According to the plaintiffs, a bank employee changed the email account associated with the bank accounts to a new fraudulent email. Identity thieves were later able to bypass security measures on the account, gave correct answers to security questions, and sent documents with signatures that matched ones the bank had on file, resulting in roughly $850,000 being transferred out of one of the accounts. Plaintiffs contended they were locked out of their accounts and struggled to contact the bank for months without success. After eventually regaining access to their accounts, plaintiffs discovered the stolen money and sued for a variety of claims, including fraud, negligence, and breach of contract. They also claimed that the bank was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. The bank argued, among other things, that the plaintiffs’ claims were time-barred because they failed to notify the bank about the alleged fraud within 30 days of receiving a bank statement. Plaintiffs responded that the Florida Statutes provide a one-year time period to notify a bank of an unauthorized wire transfer and stated that the time-period could not be modified by agreement. The district court entered summary judgment for the bank, concluding “that the one-year period was modifiable and that the parties had modified it.” The district court also determined that because the bank’s procedures were “commercially reasonable” and followed “in good faith” it was not liable to the plaintiffs to repay the wire transfers.

    On appeal, the 11th Circuit held that the plaintiffs were still within their statutory one-year notification period when they notified the bank of the fraudulent wire transfers, and rejected the bank’s argument that it could shorten the notification period to 30 days. In rejecting the bank’s argument, the 11th Circuit determined that a bank cannot “shift the loss of an unauthorized order to the customer during the statutorily determined period,” adding that “if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders—bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period.” Pointing out that the bank was unable to identify a limiting principle at oral argument, the appellate court concluded that “if banks could modify the one-year period, there’s no principled way to draw the line as to how short of a refund period is too short.” On remand, the 11th Circuit also instructed the district court to review whether the bank’s security procedures are “commercially reasonable.”

    Courts State Issues Fraud Appellate Eleventh Circuit Privacy, Cyber Risk & Data Security

  • District Court denies request to reverse summary judgment in FDIA suit

    Courts

    On August 29, the U.S. District Court for the Eastern District of Pennsylvania denied a consumer plaintiff’s request to reconsider its summary judgment order against him in a Federal Deposit Insurance Act (FDIA) suit. According to the opinion, the plaintiff accrued debt to a federally-insured, state-chartered bank, which had then assigned that debt to defendants, who were not state-chartered, federally-insured banks. The plaintiff’s debt included interest charges that had accrued at an annual rate between 24.99 percent and 25.99 percent, which the plaintiff argued could not be collected by defendants because the interest exceeded the six percent allowed under Pennsylvania's usury law. The court ruled in favor of the defendants, relying on a recently promulgated FDIC rule that determined that state usury laws are preempted by section 27 of the FDIA in cases where state usury law interferes with state-chartered, federally-insured banks' ability to make loans or when they interfere with a state-chartered, federally-insured bank’s assignee’s efforts to collect on those loans. The plaintiff requested the reconsideration of the district court's summary judgment decision and filed a notice of appeal to the U.S. Court of Appeals for the Third Circuit. In his motion for reconsideration, the plaintiff argued that the court’s previous summary judgment decision was “erroneous” because: (i) the 3rd Circuit held in In re: Community Bank of Northern Virginia that “the FDIA unambiguously excludes non-bank purchasers of debt from its coverage and that deference to the FDIC’s contrary interpretation would, therefore, be inappropriate”; (ii) the FDIC’s rule cannot apply to his debts because such an application would be impermissibly retroactive; and (iii) LIPL fits within the FDIC rule’s exception for “licensing or regulatory requirements.”

    The court denied the plaintiff’s motion for reconsideration, holding that the plaintiff “failed to identify an appropriate basis for reconsideration,” as the consumer’s arguments are “either a new argument that could have been presented before judgment was entered or a reprisal of an argument that the Court addressed in its original decision.” The court further noted that it would be “inappropriate for the Court to grant a motion to reconsider under either of those circumstances.” The court went on to determine that the new arguments advanced by the plaintiff were unpersuasive in any event, finding that the 3rd Circuit had not held section 27 of the FDIA to be unambiguous in its meaning and that application of the FDIC’s rule did not create an impermissible retroactive effect.

    Courts State Issues Interest Deposit Insurance Usury Third Circuit Appellate Federal Deposit Insurance Act Pennsylvania Consumer Finance

  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” Under the first agreement, the defendant agreed to maintain servers holding the nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, gaining access to the PII that the nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyberattack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard its database of PII. The plaintiffs also claimed that “had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.” Following the breach, the plaintiffs alleged that they incurred remediation damages consisting of “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because the plaintiffs did not point to an independent duty outside of the contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • FDIC updates risk management, consumer compliance examination policies

    Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC Compliance Examination Risk Management Supervision

  • RHS finalizes changes to Single-Family Housing Guaranteed Loan Program

    Agency Rule-Making & Guidance

    On August 31, the Rural Housing Service (RHS) issued a final rule in the Federal Register announcing changes to the Single-Family Housing Guaranteed Loan Program (SFHGLP). The final rule, among other things, updates the requirements for federally supervised lenders, minimum net worth and experience for non-supervised lenders, approved lender participation requirements, handling of applicants with delinquent child support payments, and builder credit requirements. Specifically, the rule establishes that lenders not supervised by federal banking agencies must have “a minimum adjusted net worth of $250,000, or at least $50,000 in working capital plus one percent of the total volume in excess of $25 million in guaranteed loans originated, serviced or purchased during the lender’s prior fiscal year, up to a maximum $2.5 million.” The final rule also requires one or more lines of credit with a minimum aggregate of $1 million, and clarifies that lenders must meet applicable requirements in order to begin and continue participation in the SFHGLP. The final rule is effective November 29.

    Agency Rule-Making & Guidance Rural Housing Service Lending

  • DOJ weighs in on FDIC chair’s powers

    Federal Issues

    Recently, the assistant attorney general for the DOJ’s Office of Legal Counsel opined that the chairperson of the FDIC cannot prevent a majority of the agency’s Board of Directors from presenting items for a vote and decision. The DOJ’s opinion follows a December 2021 conflict among members of the FDIC Board of Directors related to a joint request for information seeking public comment on revisions to the FDIC’s framework for vetting proposed bank mergers. Shortly after the announcement was issued, the FDIC released a statement disputing that any action had been approved. FDIC board member, and CFPB Director, Rohit Chopra released a follow-up statement challenging the view that only the FDIC chairperson has the right to raise matters for discussion in Board meetings, and called for “immediate[]” resolution of the conflict, stating that “[a]bsent a return to legal reality and constructive engagement, board members will need to take further steps to exercise independence from management and to ensure sound governance of the [FDIC].” (Covered by InfoBytes here.)

    The DOJ wrote in the opinion that “[t]here is no general or specific source of authority in the [Federal Deposit Insurance Act (FDIA)] that can be read as permitting the Chairperson to prevent a majority of the Board from exercising its statutory responsibilities or otherwise making decisions for the FDIC.” The opinion stated that the FDIA gives the Board “broad governance and decision-making authority” and clarified that while the “power to present matters for Board vote and decision is not explicitly addressed by the Act[,] . . . the Board, not the Chairperson, has the authority to determine how the FDIC should exercise its substantive powers.” Furthermore, the opinion emphasized that the FDIA authorizes the Board to “prescribe bylaws ‘regulating the manner in which its general business may be conducted’ and to prescribe ‘such rules and regulations as it may deem necessary.’” According to the opinion, nothing in the FDIA “can be read as authorizing the Chairperson to prevent a majority of the Board from presenting items to the Board for a vote and decision, and, as far as we are aware, no one has ever taken the position that the [FDIA] authorizes the Chairperson to do so.”

    While the opinion emphasized that it does not have the authority “to provide more than a general response,” it stated that the FDIC Bylaws mirror the FDIA in providing that “[t]he management of the [FDIC] shall be vested in the Board of Directors, which shall have all powers specifically granted by the provisions of the [FDIA] and other laws of the United States and such incidental powers as shall be necessary to carry out the powers so granted.” The opinion agreed with the current Board majority’s interpretation “that the delegations of authority to the Chairperson in the Bylaws are best understood as preserving the power of a Board majority to present items for Board decision and vote.” The DOJ noted, however, “that the current Board majority’s understanding of its Bylaws may not be the only possible interpretation,” and pointed out that the FDIC Bylaws can be amended “to eliminate any uncertainty about questions such as the one at issue here.”

    The DOJ’s opinion prompted a critical response from House Financial Services Committee Ranking Member Patrick McHenry (R-NC), who said that the “newly released opinion from the Office of Legal Counsel does not change the fact that Democrats’ power grab at the FDIC upended an 88-year tradition of considering the Chair’s agenda on a collegial basis” and pledged that “House Republicans will not be deterred from our investigations into the lawless tactics of rogue Democrat regulators.”

    Federal Issues DOJ FDIC Bank Regulatory Federal Deposit Insurance Act Agency Rule-Making & Guidance Bank Mergers

  • FHFA to review Federal Home Loan Banks system

    Federal Issues

    On August 31, FHFA announced it plans to conduct a comprehensive review of the Federal Home Loan Banks (FHLBanks) starting this fall. “FHFA’s regulated entities function as a reliable source of liquidity and funding for housing finance and community investment,” FHFA Director Sandra L. Thompson said, noting that “[a]s the Federal Home Loan Banks approach their centennial, FHFA will conduct a comprehensive review to ensure they remain positioned to meet the needs of today and tomorrow.” FHFA will host two public listening sessions as well as a series of regional roundtable discussions to review the mission, membership eligibility requirements, and operational efficiencies of the FHLBanks, the statement said. Additionally, FHFA will receive input from stakeholders on the FHLBanks’ role or potential role in addressing housing finance, community and economic development, affordability, and other related issues.

    The kick-off listening session will be held in Washington, D.C., on September 29. FHFA seeks feedback in six key areas: (i) FHLBanks’ general mission and purpose in a changing marketplace; (ii) the organization, operational efficiency, and effectiveness of FHLBanks; (iii) FHLBanks’ role in promoting affordable, sustainable, equitable, and resilient housing and community investment; (iv) ways to address the unique needs of rural and financially vulnerable communities; (v) member products, services and collateral requirements; and (vi) membership eligibility and requirements.

    Federal Issues FHFA Federal Home Loan Banks

  • HUD updates HECM program

    Federal Issues

    On August 31, HUD issued Mortgagee Letter (ML) 2022-15, which updates the Home Equity Conversion Mortgage (HECM) program. The ML, among other things, modifies the requirements for mortgagees to provide notice to a borrower’s estate following an HECM becoming due and payable due to the death of the last surviving borrower. The ML may be implemented immediately but must be implemented no later than 90 days from the date of this ML for HECMs that become due and payable on or after the publication date of this ML. Additionally, comments are due within 30 days after the date of issuance.

    Federal Issues FHA HUD Mortgages HECM Consumer Finance

  • SEC releases draft regulatory strategic plan

    Securities

    Recently, the SEC released its draft FY 2022-2026 strategic plan, which focuses on goals related to protecting families against fraud and misconduct, supporting a diverse and inclusive workforce, and developing a regulatory framework that keeps pace with ever-evolving markets, business models, and technologies. The SEC noted that it plans to continue to update its disclosure framework to meet investors’ demands for information related to issuers’ climate risks and cybersecurity hygiene policies to ensure informed investment decisions are made. The draft strategic plan also discussed market risks associated with cybersecurity threats and cross-border challenges, and called on the SEC to coordinate with foreign financial regulators. The SEC also stated it plans to update existing rules and approaches to better “reflect evolving technologies, business models, and capital markets,” and intends to examine strategies for addressing systemic and infrastructure risks faced by capital markets and market participants.

    Securities Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security Fintech
