InfoBytes Blog

Financial Services Law Insights and Observations


  • Massachusetts attorney general launches data breach reporting portal

    Privacy, Cyber Risk & Data Security

    On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.

    The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Credit Reporting Agency Data Breach

  • CFPB Succession: Senators express concern over CFPB’s investigation into data breach; Otting praises Mulvaney; & more

    Federal Issues

    On February 7, a bipartisan group of 32 senators wrote to the CFPB expressing concerns over reports that the Bureau may have halted an investigation into a large credit reporting agency’s significant data breach. The letter requests specific information related to the agency’s oversight of the issue, such as (i) whether the CFPB has stopped an on-going investigation into the data breach and if so, why; (ii) whether the CFPB intends to conduct on-site exams of the credit reporting agency at issue; and (iii) if an investigation is on-going, details related to the steps taken in that investigation. Additionally, on February 6, during a House Financial Services Committee hearing on the Financial Stability Oversight Council (FSOC), Representative David Scott, D-Ga., addressed rumors that the CFPB has scaled back its investigation of a large credit reporting agency’s significant data breach. In response to Scott, Treasury Secretary Steven Mnuchin noted that, while he has not done so yet, he intends to discuss the matter with acting Director Mulvaney and at FSOC. According to reports, a spokesperson for the Bureau noted that Mulvaney takes data security issues “very seriously” but that the Bureau does not comment on open enforcement or supervisory matters. It has also been reported that the CFPB may be deferring to the FTC’s on-going investigation.

    Comptroller of the Currency, Joseph Otting, issued a statement on February 6 after meeting with Mulvaney about ways the CFPB and the OCC can work together to pursue each agency’s mission. Otting praised Mulvaney’s leadership of the agency and noted that the recent announcements regarding HMDA compliance and the payday rule reconsideration have “helped to reduce the burden on the banking system.” (Previously covered by InfoBytes here and here).

    On the same day, the CFPB announced that Kirsten Sutton Mork was selected as the new chief of staff for the agency. Mork had been serving as staff director of the House Financial Services Committee under Chairman Jeb Hensarling, R-Texas. Leandra English previously held the role of chief of staff, prior to her appointment as deputy director in late November. English’s litigation against the appointment of Mulvaney as acting director continues with the U.S. Court of Appeals for the D.C. Circuit and oral arguments have been set for April 12.   

    Federal Issues CFPB Succession Enforcement CFPB HMDA Payday Lending Credit Reporting Agency English v. Trump

  • Maryland issues bipartisan consumer protection recommendations

    State Issues

    On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or weaken […] important federal consumer protections.” New legislation in response to the recommendations is expected to be released in the near future. Key recommendations include, among other things: (i) requiring credit reporting agencies to provide an alert of data breaches promptly and provide free credit freezes; (ii) adopting new financial consumer protection laws in areas where the federal government may be weakening oversight; (iii) addressing potential issues with Maryland’s current payday and lending statutes; (iv) adopting the Model State Consumer and Employee Justice Enforcement Act that addresses forced arbitration clauses; and (v) adopting new laws that address new risks, such as virtual currencies and financial technology.

    State Issues State Legislation Consumer Finance Data Breach Payday Lending Arbitration Virtual Currency Fintech Credit Reporting Agency Security Freeze

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • Senate Banking Committee Approves Financial Regulatory Relief Bill

    Federal Issues

    On December 5, the Senate Banking Committee approved bill S. 2155, Economic Growth, Regulatory Relief, and Consumer Protection Act, which would alter certain financial regulations under the Dodd-Frank Act of 2010. While not as sweeping as previous legislative relief proposals (see previous InfoBytes coverage on House Financial CHOICE Act of 2017), the bill was introduced and passed the Committee with bipartisan support. The bill’s highlights include, among other things:

    • Consumer Access to Credit. The bill deems mortgage loans held in portfolios by insured institutions with less than $10 billion in assets to be “qualified mortgages” under TILA, and removes the three-day waiting period for TILA-RESPA Integrated Disclosures if the second credit offer is a lower rate. The bill also instructs the CFPB to provide “clearer, authoritative guidance” on certain issues such as the applicability of TRID to mortgage assumptions and construction-to-permanent loans. Additionally, the bill eases appraisal requirements on certain mortgage loans and exempts small depository institutions with low mortgage originations from certain HMDA disclosure requirements.
    • Regulatory Relief for Certain Institutions. The bill exempts community banks from Section 13 of the Bank Holding Company Act if they have, “[i] less than $10 billion in total consolidated assets, and [ii] total trading assets and trading liabilities that are not more than five percent of total consolidated assets” – effectively allowing for exempt banks to engage in the trading of, or holding ownership interests in, hedge funds or private equity funds. Additionally, the bill raises the threshold of the Federal Reserve’s Small Bank Holding Company Policy Statement and the qualification for certain banks to have an 18-month examination cycle from $1 billion to $3 billion.
    • Protections for Consumers. Included in an adopted “manager’s amendment,” the bill requires credit bureaus to provide consumers unlimited free security freezes and unfreezes. The bill also limits certain medical debt information that can be included on veterans’ credit reports.
    • Changes for Bank Holding Companies. The bill raises the threshold for applying enhanced prudential standards from $50 billion to $250 billion.

    The bill now moves to the Senate, which is not expected to take up the package before the end of this year.

    Federal Issues Senate Banking Committee Dodd-Frank Federal Legislation TILA RESPA TRID Federal Reserve OCC FDIC Mortgages HMDA Credit Reporting Agency S. 2155 EGRRCPA Mortgage Origination

  • CFPB Fines Loan-Servicing Software Company $1.1 Million for Flaws Leading to the Reporting of Inaccurate Consumer Information

    Consumer Finance

    On November 17, the CFPB ordered a loan-servicing software company to pay a $1.1 million penalty for errors that resulted in the company furnishing incorrect consumer information related to over one million borrowers to the credit reporting agencies. The consent order alleges that the company violated the Consumer Financial Protection Act when its third-party software application generated and furnished inaccurate and incomplete information to consumer reporting agencies because of known software defects. The company allegedly did not share the existence of the defects with its auto-lender clients. In addition to the civil money penalty, the company was ordered to: (i) explain its errors to its clients; (ii) fix the faulty software; and (iii) provide the Bureau with a compliance plan outlining how it plans to identify and fix the defects, as well as ensure that the software is capable of reporting accurate information.

    Consumer Finance CFPB Enforcement Credit Reporting Agency Credit Scores CFPA UDAAP

  • District Court Upholds $60 Million Jury Verdict for Credit Reporting Agency’s Use of OFAC Alert

    Courts

    On November 7, the Northern District Court of California upheld a $60 million jury verdict against a credit reporting agency regarding the use of its OFAC Alert (previously covered by InfoBytes). The verdict stems from a 2012 class action lawsuit in which the plaintiffs alleged that the defendant had failed to distinguish law-abiding citizens from drug traffickers, terrorists, and other criminals with similar names found on the Treasury Department’s OFAC database. Following the defendant’s motion for judgment as a matter of law or a new trial, the district court agreed with the jury’s findings that the defendant (i) “willfully fail[ed] to follow reasonable procedures to assure the maximum possible accuracy of the OFAC information it associated with members of the class”; (ii) “willfully failed to clearly and accurately disclose OFAC information in the written disclosures it sent to members of the class”; and (iii) “failed to provide class members a summary of their FCRA rights with each written disclosure made to them.”

    Courts FCRA OFAC Credit Reporting Agency Consumer Finance

  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach Security Freeze

  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced she had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State Attorney General NYDFS Enforcement Data Breach Security Freeze 23 NYCRR Part 500
