Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Senate Banking Committee seeks data privacy feedback

    Privacy, Cyber Risk & Data Security

    On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of informing potential future legislation. In a press release issued by the committee, Crapo noted, “Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” He further stressed the importance of understanding how consumer data is compiled and protected, and how consumers are able to access and correct sensitive information. The release sought answers to five questions designed to help examine ways in which legislation, regulation, or the implementation of best practices can (i) provide consumers better control over their financial data, as well as timely data breach notifications; (ii) ensure consumers receive disclosures concerning both the type of information being collected and its purpose for collection; (iii) provide consumers control over how their data is being used—including the sharing of information by third-parties; (iv) protect consumer data and ensure the accuracy of reported information in a consumer’s credit file; and (v) allow consumers the ability to “easily identify and exercise control of data that is being . . . collected and shared” as a determining factor when establishing whether a consumer is eligible for, among other things, credit or employment.

    Privacy/Cyber Risk & Data Security Senate Banking Committee Federal Legislation Consumer Protection Fair Credit Reporting Act

  • FTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program

    Privacy, Cyber Risk & Data Security

    On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer Protection in the 21st Century.” According to the FTC, these hearings (i) “will provide the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012,” and (ii) “will provide an opportunity to reexamine the Commission’s work in light of changing technologies, legal regimes, and business models.”

    The FTC will continue to accept public comments through March 13, 2019, regarding items to be discussed at the February 2019 hearing. As previously covered by InfoBytes, a coalition of bipartisan state Attorneys General submitted a comment letter to the FTC last August requesting that they be included in the discussions regarding consumer protection during the Commission’s hearing process. Specifically, the letter emphasized the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority, and noted consumers’ concerns over personal information and data security.

    Privacy/Cyber Risk & Data Security FTC Consumer Protection State Attorney General

  • California reinstates provisions of Homeowner Bill of Rights

    State Issues

    On September 14, the California governor signed SB 818, which permanently reinstates and amends certain provisions of California’s Homeowner Bill of Rights (HBOR), which expired on January 1, 2018. The revised and restored provisions of the HBOR, among other things, require entities that foreclosed on more than 175 first lien mortgages and deeds of trust on owner-occupied residences during the prior reporting year to: (i) stop foreclosure proceedings if a complete loan modification application is submitted and pending, a homeowner is in compliance with a foreclosure prevention alternative, or an appeal of a loan modification denial is pending; (ii) include in the notice of default a specified declaration regarding contact with a borrower; (iii) send a written notice of a loan modification denial, specifying the reasons for the denial and providing foreclosure prevention alternatives; (iv) assign a single point of contact to any borrower who requests foreclosure prevention assistance; (v) not charge fees in conjunction with applications for foreclosure prevention alternatives; and (vi) honor loss mitigation alternatives following servicing transfers. The legislation also adds a legislative intent clause that emphasizes that any amendment, addition, or repeal of an HBOR section will not have the effect to release, extinguish, or change any liability under a previous section that was in effect at the time of an action.

    State Issues State Legislation Mortgages Consumer Protection Mortgage Servicing Mortgage Modification

  • Pennsylvania appeals court upholds broad standard for “deception” under state consumer protection law

    Courts

    On September 12, the Superior Court of Pennsylvania held that Pennsylvania’s Uniform Trade Practices and Consumer Protection Law (UTPCPL) imposes strict liability on businesses who deceive consumers and does not require proof of fraud or negligent misrepresentation to state a claim. The plaintiffs brought common law claims of fraudulent and negligent misrepresentation and a statutory claim under the UTPCPL against insurance companies related to the sale of various insurance products. The common law claims of fraudulent and negligent misrepresentation went to a jury, which returned verdicts on both counts in favor of the insurance companies. The trial judge, however, found that the insurance companies violated the “deceptive” provision of the UTPCPL and awarded damages to the consumers. The insurance companies appealed, arguing that (i) the jury verdict on the common law claims required the court to dismiss the UTPCPL claim, and (ii) challenging the judge’s damages award calculation.

    The appellate court affirmed the trial court’s determination that the defendants acted deceptively under the UTPCPL. The insurance companies argued that the UTPCPL claim was barred by the doctrines of collateral estoppel and res judicata based on the jury’s determination that the defendants had not committed a negligent misrepresentation. The appellate court, however, explained that these doctrines do not apply because the UTPCPL raises distinct issues. The court rejected the argument that the consumer must prove common law negligent misrepresentation to bring a claim under the deceptive prong of the UTPCPL. The court concluded that “any deceptive conduct, ‘which creates a likelihood of confusion or of misunderstanding,’” is actionable under the UTPCPL “whether committed intentionally (as in a fraudulent misrepresentation), carelessly (as in a negligent misrepresentation), or with the upmost care (as in strict liability).” The court also upheld the trial court’s damages determination under the UTPCPL, finding that the judge’s calculation was appropriate and consistent with the statute.

    Courts State Issues Deceptive Insurance Consumer Protection

  • 29 bipartisan state Attorneys General respond to FTC's consumer protection hearing announcement

    Federal Issues

    On August 20, a bipartisan coalition of 29 state Attorneys General, led by Oregon Attorney General Ellen Rosenblum, submitted a comment letter to the FTC regarding the agency’s June announcement of public hearings on “Competition and Consumer Protection in the 21st Century.” The letter requests that the state Attorneys General be included in the discussions regarding consumer protection during the agency’s hearing process, which intends to address “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.” The letter emphasizes the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority and offers specific comment on three areas of the FTC request: (i) privacy and big data; (ii) communication and media technology; and (iii) algorithmic decision tools and other artificial intelligence. Specifically, the Attorneys General note consumers’ concerns over personal information and data security, stating the “[i]ndustry must place privacy and security front and center in its research and development of products and services.” The letter concludes with a request that the agency take into account the “important role” the Attorneys General have in consumer protection and include their offices in the hearing process.

    Federal Issues State Issues State Attorney General FTC Consumer Protection

  • Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

    Privacy, Cyber Risk & Data Security

    On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

    • In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
    • If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
    • Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
    • If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

    The law also includes security and notification requirements for Colorado governmental entities.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Consumer Protection

  • District of Columbia mayor passes bill to make code consistent with FTC, federal court interpretations of unfair or deceptive trade practices

    State Issues

    On May 21, District of Columbia Mayor Muriel Bowser signed B22-0185/D.C. Act 22-367 to, among other things, update portions of the District of Columbia’s Official Code concerning the term “unfair or deceptive trade practice” to make it consistent with interpretations made by the FTC and federal courts. Language under the Consumer Protection Clarification and Enhancement Amendment Act of 2018, has been amended to read as follows: “It shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby.” The amendments also increase the civil penalty for first violations of the act to not more than $5,000 per violation, and to not more than $10,000 for repeat violations. The act will take effect following a 30-day congressional review period.

    State Issues State Legislation Consumer Protection FTC

Pages

Upcoming Events