
InfoBytes Blog

Financial Services Law Insights and Observations


  • NY passes crypto mining bill

    State Issues

    On November 22, the New York governor signed AB 7389, which establishes a moratorium on cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions. Among other things, the bill also adds a section on the moratorium on air permit issuance and renewal, which provides that the state cannot approve a new application, or issue a new permit, for an electric generating facility that utilizes carbon-based fuel and that provides behind-the-meter electric energy consumed or utilized by cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions. The bill is effective immediately.

    State Issues Digital Assets State Legislation New York Cryptocurrency Climate-Related Financial Risks Blockchain

  • New York enacts protections for consumers with medical debt

    State Issues

    On November 23, the New York governor signed S6522A/A7363A to prohibit certain hospitals and healthcare providers from placing liens on the primary residences of individuals with unpaid medical debts or garnishing wages to collect on unpaid bills or satisfy judgments arising from a medical debt lawsuit. “No one should face the threat of losing their home or falling into further debt after seeking medical care,” Governor Kathy Hochul said in an announcement. “I’m proud to sign legislation today that will end this harmful and predatory collection practice to help protect New Yorkers from these unfair penalties.” The bill is effective immediately.

    State Issues State Legislation Debt Collection Garnishment Medical Debt Consumer Finance New York

  • District Court issues judgment against company bilking 9/11 first responders

    Courts

    On November 23, the U.S. District Court for the Southern District of New York entered a stipulated final judgment and order against a finance company, two related entities, and the companies’ founder and owner (collectively, “defendants”) for engaging in deceptive and abusive acts or practices under the Consumer Financial Protection Act (CFPA) related to the offering of cash advances to people on their settlement payouts from victim-compensation funds established for certain first responders to the World Trade Center attack on September 11, 2001.

    As previously covered by InfoBytes, in 2017, the CFPB and the New York attorney general filed a complaint alleging that the defendants engaged in deceptive and abusive acts by misleading consumers into selling expensive advances on benefits to which they were entitled by mischaracterizing extensions of credit as assignments of future payment rights, thereby causing the consumers to repay far more than they received. In March 2022, the district court ruled that the CFPB could proceed with its 2017 enforcement action against the defendants (covered by InfoBytes here) two years after the U.S. Court of Appeals for the Second Circuit vacated a 2018 district court order dismissing the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company (covered by InfoBytes here).

    The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. The appellate court further noted that following Seila, former Director Kathy Kraninger ratified several prior regulatory actions (covered by InfoBytes here), including the enforcement action brought against the defendants, and as such, remanded the case to the district court to consider the validity of the ratification of the enforcement action. The defendants later filed a petition for writ of certiorari, arguing that the Bureau could not use ratification to avoid dismissal of the lawsuit, but the Supreme Court declined the petition (covered by InfoBytes here). In 2021, the defendants filed a motion to dismiss the Bureau’s enforcement action on the grounds that “it was brought by an unconstitutionally constituted agency” and that the Bureau’s “untimely attempt to subsequently ratify this action cannot cure the agency’s constitutional infirmity” (covered by InfoBytes here). The district court turned to the Supreme Court’s June 2021 majority decision in Collins v. Yellen, which held that “‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[.]’” Accordingly, the agency’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head” (covered by InfoBytes here).

    In the amended complaint, filed in July 2022, the Bureau and the New York AG alleged that, among other things, the defendants engaged in deceptive acts by misrepresenting to consumers that the company’s contracts created valid and enforceable assignments of their payment proceeds when, in fact, the assignments were not valid and enforceable. The amended complaint also alleged that the company misrepresented to consumers when they would receive funds from the company, often promising consumers an earlier date of disbursement than the actual disbursement. Additionally, the joint complaint alleged that the defendants violated state law by collecting on purported assignments that are void, unenforceable, and uncollectable, or alternatively, by collecting on contracts that functioned as loans with interest rates that exceed usury limits under state law, which are also void and on which no payment is due.

    Under the terms of the final judgment, defendants must pay a $1 civil money penalty to the Bureau and must not take any action to collect any unpaid or future amounts owed by the harmed responders, which totals at least $600,000. Under the order, defendants must also refrain from participating in offering, brokering, or providing credit or advances of funds to individuals entitled to payments from governmentally created funds established to compensate victims of 9/11.

    Courts State Issues CFPB Enforcement CFPA UDAAP State Attorney General New York Consumer Finance

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (counting both the covered entity and all affiliates, regardless of location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the types of accounts and access that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8 upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. After the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500

  • NYDFS issues RFI on private student loan refinancing

    State Issues

    On November 8, NYDFS issued a request for information (RFI) to student loan advocates, lenders, regulators, servicers, and other stakeholders, seeking information regarding private student loan refinancing in New York. The Private Student Loan Refinancing Task Force, tasked with “study[ing] and analyz[ing] ways lending institutions that offer non-federal student loans to students of New York institutions of higher education can be incentivized and encouraged to create student loan refinance programs,” issued questions to solicit information from stakeholders to inform a forthcoming report. According to the announcement, the Task Force is seeking responses to questions concerning private sector refinancing of student loans. The questions include, among other things: (i) “What options are available for student loan borrowers to refinance private student loans both in New York State and outside the state?”; (ii) “What options are available for student loan borrowers to refinance federal student loans both in New York State and outside the state?”; (iii) “What is the volume of private student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; (iv) “What is the volume of federal student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; and (v) “What publicly available data should the Task Force review? Is there privately owned data that could be made available to the Task Force?” Responses are due by December 8.

    State Issues NYDFS New York Student Lending State Regulators Consumer Finance

  • NYDFS revises state CRA regulations

    State Issues

    On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to offer information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use. According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.

    State Issues Bank Regulatory Agency Rule-Making & Guidance NYDFS New York New York CRA Fair Lending

  • NYDFS reaches $4.5 million settlement over cybersecurity violations

    State Issues

    On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment as required by 23 NYCRR Part 500 prevented it from identifying the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018 - 2021 were improper, NYDFS said.

    Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”

    State Issues Bank Regulatory NYDFS New York Enforcement Privacy, Cyber Risk & Data Security 23 NYCRR Part 500

  • New York prohibits agencies from assessing additional student debt charges

    State Issues

    On October 12, the New York governor signed S7862B, which prohibits state agencies from assessing certain additional collection fee charges on certain outstanding student debts. According to the bill, no state agency is permitted to assess an additional collection fee charge on any debt “owed by a debtor to a state agency for a liability resulting from tuition, fees, room and board, educational benefit overpayments, student loans, or other such charges incurred by a student in furtherance of such student's education,” under certain circumstances. The act is effective April 1, 2023.

    State Issues State Legislation New York Student Lending

  • New York announces $1.9 million data breach settlement with global retailer

    State Issues

    On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce retailer owns and operates two brands (collectively, “respondents”), which experienced a data breach in which 39 million accounts were stolen, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.

    State Issues Privacy, Cyber Risk & Data Security New York Data Breach State Attorney General Enforcement Consumer Finance Settlement

  • NYDFS announces fair lending settlement with indirect auto lender

    State Issues

    On October 6, NYDFS announced a settlement with a New York State-licensed bank to resolve allegations that the bank violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the bank’s practices resulted in minority borrowers paying higher interest rates than non-Hispanic white borrowers regardless of their creditworthiness. According to the announcement, the bank allegedly “failed to effectively monitor automobile dealers from which [the bank] agreed to purchase loans, thereby allowing the dealers to charge members of protected classes more in discretionary dealer markups than borrowers identified as non-Hispanic White.” Under the terms of the consent order, the bank agreed to pay a $950,000 civil money penalty to the state, as well as restitution to eligible borrowers impacted during the period of January 1, 2017 through March 31, 2022. The bank also agreed to undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program to prevent discriminatory markups in the future.

    State Issues NYDFS State Regulators Enforcement Fair Lending Auto Finance Consumer Finance Markups New York
