InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
California law requires credit reporting agencies to address security vulnerabilities
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.
California reinstates provisions of Homeowner Bill of Rights
On September 14, the California governor signed SB 818, which permanently reinstates and amends certain provisions of California’s Homeowner Bill of Rights (HBOR), which expired on January 1, 2018. The revised and restored provisions of the HBOR, among other things, require entities that foreclosed on more than 175 first lien mortgages and deeds of trust on owner-occupied residences during the prior reporting year to: (i) stop foreclosure proceedings if a complete loan modification application is submitted and pending, a homeowner is in compliance with a foreclosure prevention alternative, or an appeal of a loan modification denial is pending; (ii) include in the notice of default a specified declaration regarding contact with a borrower; (iii) send a written notice of a loan modification denial, specifying the reasons for the denial and providing foreclosure prevention alternatives; (iv) assign a single point of contact to any borrower who requests foreclosure prevention assistance; (v) not charge fees in conjunction with applications for foreclosure prevention alternatives; and (vi) honor loss mitigation alternatives following servicing transfers. The legislation also adds a legislative intent clause that emphasizes that any amendment, addition, or repeal of an HBOR section will not have the effect to release, extinguish, or change any liability under a previous section that was in effect at the time of an action.
California governor approves revisions to Student Loan Servicing Act
On September 14, the California governor approved AB 38 amending the state’s Student Loan Servicing Act (Act). The Act provides for the licensure, regulation, and oversight of student loan servicers by the California Department of Business Oversight (CDBO). Among other things, the amendments: (i) clarify the circumstances under which the Commissioner of the CDBO may deny a student loan servicer’s application; (ii) remove debt collectors of defaulted student loans from the definition of a “student loan servicer”; (iii) authorize the Commissioner to require license applicants and licensees to submit required filings with, and pay assessments to, the Commissioner through the Nationwide Multistate Licensing System and Registry; (iv) require the Commissioner to report violations of the Act “as well as other enforcement actions and information to the licensing system and registry to the extent that the information is a public record”; and (v) extend to 10 business days the time for a licensee to acknowledge receipt of a qualified written request from a borrower. The amendments also grant the Commissioner the authority to prescribe circumstances under which electronic records, including applications, financial statements, and reports, may be accepted.
California updates foreign language disclosure requirements for mortgage modifications
On September 11, the California governor approved SB 1201, which amends the state civil code to, among other things, require any supervised financial institution that negotiates a mortgage loan modification with a borrower primarily in Spanish, Chinese, Tagalog, Vietnamese, or Korean and offers the borrower a final loan modification in writing, to deliver to the borrower at the same time, a specified form summarizing the modified terms in the same language as the negotiation. The amendments require the California Department of Business Oversight (CDBO) to make available—using CFPB and Fannie Mae forms as guidance—certain disclosures and forms in those specified languages.
The amendments are generally effective on January 1, 2019, with the amendments relating to the new written disclosures to become operative 90 days following the issuance of forms by the CDBO, but not before January 1, 2019.
California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports
On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial institutions in certain circumstances associated with crime reports involving the alleged fraudulent use of drafts, checks, access cards, or other orders. Specifically, AB 3229 states that banks, credit unions, and savings associations must furnish a statement with the requested customer account information for a period of 30 days prior, and up to 30 days following, the date of the alleged illegal act’s occurrence. AB 3229 further states that financial institutions will be required to furnish account information—subject to the outlined procedures—to a DOJ special agent upon request.
California updates notice requirements on time-barred debt collection efforts
On September 5, the California governor signed AB 1526, which, among other things, amends state debt collection law to require certain written notices to be included in the first written communications provided to the debtor after the debt became time-barred and after the date for obsolescence under the FCRA. If the debt is not past the date of obsolescence, the debt collector is required to include specific language in the first written communication to the debtor after the debt has become time-barred that indicates the debtor will not be sued for the debt, but the debt may be reported as unpaid to credit reporting agencies as allowed by law. If the debt is past the date of obsolescence, the debt collector is required to include specific language in the first written communication to the debtor after the date for obsolescence indicating the debtor will not be sued for the debt and the debt will not be reported to credit reporting agencies. The law also incorporates a four-year statute of limitations on the collection of debt by specifically prohibiting a debt collector from initiating a lawsuit, an arbitration, or other legal proceeding to collect the debt after the four-year period in which the action must have been commenced has ended.
Ohio governor enacts legislation recognizing blockchain transactions as enforceable electronic transactions
On August 3, the governor of Ohio signed into law SB 220, which codifies that records or contracts and signatures secured through blockchain technology are enforceable electronic transactions. Specifically, SB 220 amends Ohio’s Uniform Electronic Transactions Act to state that “a record or contract that is secured through blockchain technology is considered to be in an electronic form and to be an electronic signature” and that a “signature that is secured through blockchain technology is considered to be in an electronic form and to be an electronic signature.” The amendments also create an affirmative defense or “safe harbor” to tort actions against businesses alleged to have failed to implement reasonable information security controls leading to a data breach of personal or restricted information. To qualify for the safe harbor, a business must implement and comply with a written cybersecurity program that contains specific safeguards for either the protection of personal information or the protection of both personal and restricted information.
Ohio Governor signs bill limiting payday lending
On July 30, Ohio’s governor signed into law HB 123, which “modifies the Short-Term Loan Act, specifies a minimum loan amount and duration for loans made under the Small Loan Law and General Loan Law, and limits the authority of credit services organizations to broker extensions of credit for buyers.” Under these amendments, payday lenders in the state will now be restricted to short-term loans of $1,000 or less, with terms for a single short-term loan set at a 91-day minimum and a one year maximum. Exemptions provided under the legislation will allow short-term loans with a minimum term of less than 91 days if the total monthly payments do not exceed an amount greater than six percent of the borrower’s verified gross monthly income or seven percent of the borrower’s verified net monthly income. Moreover, lenders are: (i) prohibited from demanding collateral for short-term loans; (ii) restricted to a small-dollar loan cap—including both fees and interest—set at 60 percent of the original principal; and (iii) required to grant borrowers three business days to rescind loans without interest. HB 123 further prohibits credit service organizations from extending credit in amounts of $5,000 or less, with repayment terms of one year or less, or with annual percentage rates exceeding 28 percent. The amendments, which take effect 90 days after the governor’s signature, will “apply only to loans that are made, or extensions of credit that are obtained, on or after the date that is [180] days after the effective date of this act.”
Illinois amends law to clarify that debt collection law firms are not student loan servicers
On July 27, Illinois’s Governor signed HB 4397, which amends the state’s Student Loan Servicing Rights Act to specify that the definition of “student loan servicer” does not include a law firm or a licensed attorney that is collecting a post-default debt. The amended law is effective December 31.