
InfoBytes Blog

Financial Services Law Insights and Observations

  • Massachusetts AG orders company to pay $230,000 for data breach

    Privacy, Cyber Risk & Data Security

    On July 21, the Massachusetts AG announced that a Rhode Island-based job placement service company must pay a $230,000 settlement to resolve allegations that it failed to implement the proper security programs, which led to a data breach. According to the assurance of discontinuance (AOD), the company was breached in December 2020 after an employee fell victim to a phishing email, resulting in a compromise of credentials that allowed hackers to access personal data of users. The AG alleged that the company violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place during or prior to the data breach. Under the terms of the settlement, the company is required to pay $230,000 in penalties, come into compliance with state laws, continue to implement and maintain a WISP, and continue to train its employees on the importance of personal information security.

    Privacy, Cyber Risk & Data Security Massachusetts State Attorney General Data Breach State Issues

  • District Court says Massachusetts law will apply in choice-of-law privacy dispute

    Privacy, Cyber Risk & Data Security

    On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”

    In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.

    Privacy/Cyber Risk & Data Security Courts State Issues Massachusetts South Carolina Class Action

  • Massachusetts amends mortgage lender/broker licensing provisions

    Recently, the Massachusetts Office of Consumer Affairs and Business Regulation, Division of Banks announced final amendments effective May 27 to certain provisions of Regulation 209 CMR 42.00, which establishes procedures and requirements for the licensing and supervision of mortgage lenders under M.G.L. c. 255E. (See also redlined version of the final amendments here.) Specifically, the amendments:

    • Add and amend certain definitions. The amendments add new terms such as “Bona Fide Nonprofit Affordable Homeownership Organization” and “Instrumentality Created by the United States or Any State,” and amend “Mortgage Broker” to also include a “person who collects and transmits information regarding a prospective mortgage loan borrower to a third party” that conducts any one or more of the following activities: (i) collects a prospective borrower’s Social Security number; (ii) views a prospective borrower’s credit report; (iii) obtains a prospective borrower’s authorization to access or view the borrower’s credit report or credit score; (iv) accepts an application; or (v) issues a prequalification letter.
    • Add licensing exemptions. The amendments provide a list of persons that are not required to be licensed in the state as a mortgage broker or mortgage lender. These include: (i) lenders making fewer than five mortgage loans and persons acting as mortgage brokers fewer than five times within a 12 consecutive-month period; (ii) banks, national banking associations, federally chartered credit unions, federal savings banks, or any subsidiary or affiliate of the above; (iii) banks, trust companies, savings banks, and credit unions “organized under the laws of any other state; provided, however, that such provisions shall apply to any subsidiary or affiliate, as described in 209 CMR 42.0”; (iv) nonprofit, public, or independent post-secondary institutions; (v) charitable organizations; (vi) certain real estate brokers or salesmen; and (vii) persons whose activities are “exclusively limited to collecting and transmitting” certain quantities of specified information regarding a prospective borrower to a third party.

    The amendments also specifically provide that “a person who collects and transmits any information regarding a prospective mortgage loan borrower to a third party and who receives compensation or gain, or expects to receive compensation or gain, that is contingent upon whether the prospective mortgage loan borrower in fact obtains a mortgage loan from the third party or any subsequent transferee of such information, is required to be licensed as a mortgage broker.”

    Licensing State Issues State Regulators Massachusetts Mortgages Mortgage Lenders Mortgage Broker

  • Massachusetts settles with financial company

    State Issues

    On April 13, the Massachusetts attorney general announced a settlement with a California-based finance company (defendant) resolving allegations that it violated Massachusetts law by purchasing and collecting on dog leases – which are illegal in Massachusetts. The settlement also alleges that the company engaged in illegal debt collection practices such as calling debtors too frequently while attempting to collect on the leases. Under the terms of the settlement, the defendant must pay over $930,000, which includes $175,000 in restitution to approximately 200 consumers, and a $50,000 fine. The defendant is prohibited from collecting on any active leases involving dogs in Massachusetts and must transfer full ownership of the dogs to the consumers. The defendant must also cancel any outstanding amount owed on the leases, totaling approximately $700,000.

    The Massachusetts AG has been investigating financial companies who originate or purchase dog leases – calling the practice “exploitive” because it uses “dogs as emotional leverage” over debtors – and encouraged consumers who are victims of dog leases to call the AG’s office or to file a complaint online.

    State Issues State Attorney General Massachusetts Enforcement Settlement Consumer Finance Debt Collection

  • Massachusetts settles with auto lender

    State Issues

    On February 18, the Massachusetts attorney general announced that a national auto lender entered into a settlement with the Commonwealth resolving allegations that the lender did not provide sufficient disclosures to consumers related to its debt collection practices, with over 1,000 borrowers expected to be eligible for relief. According to the Assurance of Discontinuance (AOD), the lender allegedly failed to provide certain consumers with sufficient information about the calculation methods for any deficiencies remaining on their auto loans after their cars were repossessed. The AOD requires the auto lender to pay $5.6 million in restitution to eligible borrowers, and cover administration and investigation costs associated with the matter. According to Massachusetts Attorney General Maura Healey, the “settlement, which combines cash payments with debt relief and credit repair, will help many subprime borrowers in need.”

    State Issues Massachusetts State Attorney General Enforcement Auto Finance Consumer Finance Disclosures Debt Collection

  • Massachusetts highlights UDAP risks of representment fees

    State Issues

    On September 23, the Massachusetts Office of Consumer Affairs and Business Regulation, Division of Banks, issued a supervisory alert reminding financial institutions to clearly disclose representment non-sufficient funds (NSF) fees connected to deposit accounts to avoid consumer confusion as well as potential legal and regulatory risks. The alert explains that a representment NSF fee may occur when a financial institution presents the same transaction again, in an attempt to obtain declined funds. According to the alert, a “repeated merchant payment transaction can trigger the assessment of multiple NSF fees by a depository institution if the transaction is presented more than once,” causing some financial institutions to charge the consumer an NSF fee for both the original presentment as well as for each subsequent representment. The alert discusses consumer protection risks associated with the representment of NSF fees, including recent class action lawsuits for breach of contract, some of which have resulted in customer reimbursements and legal fees. Additionally, the alert highlights issues with standard industry deposit account agreements and fee schedules supplied by payment processing software vendors to financial institutions, which may not adequately explain an institution’s actual NSF fee practices as disclosed to customers. While certain disclosures and account agreements may indicate that one NSF fee will be charged “per item” or “per transaction,” these forms may not sufficiently explain that the same processed transaction may trigger multiple NSF fees. The alert reminds financial institutions charging representment fees that they risk violating state and federal UDAP law if their relevant account disclosures and agreements are not in compliance, and urges financial institutions to review deposit disclosures and contract language to ensure NSF fees are clearly and consistently communicated to consumers.

    State Issues State Regulators Fees UDAP Massachusetts Disclosures

  • Massachusetts securities division settles with broker dealer

    Securities

    On September 15, the Massachusetts Office of the Secretary of the Commonwealth, Securities Division (Division) entered into two consent orders with a broker-dealer firm for alleged failure of supervisory and compliance procedures in violation of the Massachusetts Uniform Securities Act. According to one consent order, the firm failed to, among other things: (i) ensure that its agents with Massachusetts customers were registered in Massachusetts; (ii) have adequate policies and procedures in place regarding state-based requirements for supervisors; and (iii) supervise its agents in Massachusetts. The terms of the order require the company, among other things, to cease and desist from future violations of Massachusetts General Laws and Regulations, register its employees, enhance policy and procedures, and pay a $750,000 fine. The second consent order alleged that the firm failed to, among other things: (i) have reasonable policies in place to detect and monitor a broker-dealer agent’s social media accounts; (ii) “reasonably monitor internal communications between and among its registered persons”; and (iii) adequately discipline an employee after gaining knowledge of his personal use of social media in violation of state laws. The order requires the firm to permanently cease and desist from future violations of Massachusetts General Laws and Regulations, employ a third-party consultant to supervise the firm’s practices regarding employee trading and social media usage, conduct an annual compliance review, and pay an administrative fine of $4 million.

    Securities Massachusetts State Issues Enforcement Broker-Dealer

  • Massachusetts investigating data breach

    State Issues

    On September 14, the Massachusetts attorney general announced the launch of an investigation to determine if an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised personally-identifying information of more than 50 million people. According to the carrier’s announcement, in July, the carrier experienced a breach where personally-identifying information, such as names, drivers’ license information, Social Security numbers, and addresses, among other things, of approximately 13.1 million current customers and 40 million former and prospective customers was compromised. According to the AG, the office is also investigating the circumstances of the breach and the steps the company is taking to address it and notify consumers. The AG urged affected consumers to take precautions “to ensure their information is safe, and to prevent identity theft and fraud” as the carrier continues to contact individuals. She also encouraged customers to utilize the free theft protection services being offered by the carrier, such as scam and account take-over protection for their cell phones, and to take precautionary steps, such as placing a credit freeze on credit reports.

    State Issues Massachusetts State Attorney General Data Breach Privacy/Cyber Risk & Data Security

  • Massachusetts announces $27 million settlement with auto lender

    State Issues

    On September 1, the Massachusetts attorney general announced “the largest settlement of its kind” with a Michigan-based auto finance company (defendant) resolving allegations of predatory lending and deceptive debt collection practices. The defendant allegedly made high-interest subprime auto loans that it knew or should have known that many borrowers would be unable to repay. The assurance of discontinuance states that some of the company’s borrowers were subject to hidden finance charges, which resulted in violations of Massachusetts’s 21 percent usury cap. The defendant also allegedly “failed to inform investors that it topped off securitization loan pools with higher-risk loans.” Under the terms of the settlement, the defendant must pay a total of $27.2 million and provide debt relief and credit repair to over 3,000 borrowers across the state who are expected to be eligible for settlement funds. The settlement also requires that the defendant make changes to its loan handling practices. According to the AG, this action “is part of her Office’s ongoing industry-wide review of securitization practices in the subprime auto loan market.”

    State Issues Massachusetts Auto Finance Interest Rate

  • Massachusetts announces consent judgment against debt-collection company

    State Issues

    On August 31, the Massachusetts attorney general announced a “first-of-its-kind” consent judgment against a Massachusetts-based debt-settlement company and its chief operating officer for allegedly violating the Massachusetts Consumer Protection Act, among other things. The consent judgment settled a lawsuit in which the AG alleged that the company charged inflated and premature fees, knowingly and regularly enrolled consumers who were not able to benefit from its program, and failed to communicate the harms that consumers could encounter after enrolling in its program. According to the AG, the company “directed consumers to stop paying their debts and to stop communicating with creditors, and to instead make payments into a dedicated ‘savings’ account administered by [a] payment processor.” The AG also alleged the company “engaged in the unauthorized practice of law by continuing to represent consumers after they were sued in relation to an enrolled debt.” Under the terms of the AG’s consent order, the company is required to pay $1 million to the Commonwealth.

    As previously covered by InfoBytes, in May, the CFPB announced a settlement with the same company for allegedly violating the Telemarketing Sales Rule and the Consumer Financial Protection Act.

    State Issues State Attorney General Enforcement Massachusetts Debt Collection
