On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”
In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.
On July 30, the South Carolina Department of Consumer Affairs updated and extended its interim guidance for mortgage brokers, previously covered here. The interim guidance permitting mortgage loan originators to work remotely will be effective until rescinded. The Department will provide fifteen days’ notice to affected businesses before rescinding the guidance.
South Carolina regulator issues interim guidance to businesses regarding payment or performance deferrals and modifications
On June 1, the South Carolina Department of Consumer Affairs issued interim guidance regarding business activities during Covid-19, including payment or performance deferrals and modifications. The department strongly encourages persons and entities engaging in consumer credit transactions or other activities governed by the South Carolina Consumer Protection Code and subject to the department’s oversight to work with borrowers during the Covid-19 crisis and to “be practical, flexible, and empathetic.” The department also encourages businesses to adopt a number of measures related to modifications, workout strategies, waiving late fees, deferment charges, NSF fees, and certain ACH withdrawals, suspending charging off accounts, and suspending repossessions of collateral and foreclosure of real property. The interim guidance also addresses escrow accounts and electronic signatures, and sets forth additional resources for businesses and consumers.
South Carolina regulator updates guidance on working remotely and defers deadline for submitting the 2019 mortgage log
On May 28, the South Carolina Department of Consumer Affairs issued updated interim guidance (previously discussed here) regarding working remotely from unlicensed locations and the deadline for submission of the 2019 mortgage log. The updated interim guidance provides that, until July 1, 2020, licensed mortgage loan originators are permitted to work from home, whether in South Carolina or another state, even if the home is not a licensed branch. The guidance also notes the deferral of the filing deadline for the 2019 mortgage log required of mortgage broker companies until June 1, 2020.
On May 7, the FDIC issued FIL-53-2020 to provide regulatory relief to financial institutions and help facilitate recovery in areas of South Carolina affected by severe storms, tornadoes, and straight-line winds from April 12 through April 13. In the letter, the FDIC encourages institutions to consider, among other things, (i) extending repayment terms; (ii) restructuring existing loans; or (iii) easing terms for new loans to borrowers affected by the severe weather, provided the measures “[are] done in a manner consistent with sound banking practices, can contribute to the health of the local community and serve the long-term interests of the lending institution.” Additionally, the FDIC notes that institutions may receive Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The FDIC states it will also consider relief from certain filing and publishing requirements.
On April 28, the South Carolina Department of Consumer Affairs issued interim guidance to mortgage brokers on working remotely from unlicensed locations and extended the deadline for submitting the 2019 mortgage log. The department clarified that, until May 31, 2020, licensed mortgage loan originators are permitted to work from home, whether in South Carolina or another state, even if the home is not a licensed branch. The department also reported that it has deferred the filing deadline for the 2019 mortgage log required of mortgage broker companies until June 1, 2020.
On April 6, South Carolina Governor Henry McMaster issued an executive order limiting social interaction and calling on citizens to stay in their residences when not conducting essential business or activities. The order defined essential businesses to include activities, operations, or services identified by the United States Cybersecurity and Infrastructure Security Agency in its March 28, 2020 memorandum, which includes financial services. The order went into effect at 5:00 p.m. on April 7.
On March 31, South Carolina Governor Henry McMaster signed an executive order closing non-essential businesses and public venues. McMaster’s order gave the South Carolina Department of Commerce the ability to review and designate essential businesses in the state, and where necessary, consult with the state attorney general for further clarification. The order followed a declared state of emergency announced by McMaster on March 13.
On March 13, 2020, the South Carolina State Board of Financial Institutions, Consumer Finance Division (division) released guidance for mortgage origination and servicing companies regarding working remotely due to Covid-19. The division’s interim guidance allows licensed mortgage loan originators (MLO) to work from home provided that certain criteria are met including (i) the company establishes temporary supervisory policies and procedures; (ii) the MLO has secure access to the company’s origination system; (iii) the security of the MLO’s computer is maintained; and (iv) the MLO does not keep physical company records at the remote location.