InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC charges communications company with accounting control failure
On June 18, the SEC issued a cease-and-desist order (order) against a Delaware-based business communication and marketing service provider (respondent) to settle allegations of cybersecurity controls violations related to a 2021 ransomware attack.
According to the order, the SEC alleged respondent did not have adequate controls to ensure cybersecurity incidents were reported to its management and did not respond to alerts indicating unusual network activity in a timely manner. Among other allegations, the order contended that respondent relied on a third-party vendor to review and escalate the large volume of alerts issued by its cybersecurity detection systems but did not implement procedures or controls to effectively confirm that the vendor’s review and escalation of alerts were consistent with the respondent’s expectations. The order noted that respondent cooperated with the investigation, reported the cybersecurity incident promptly, and took steps to enhance its cybersecurity technology and controls. Without admitting the SEC’s allegations, respondent agreed to a $2,125,000 civil money penalty.
Notably, in addition to alleged violation of Exchange Act Rule 13a-15(a) requiring public companies to maintain disclosure controls and procedures designed to ensure timely disclosure of incidents in compliance with the Commission’s rules, the order also alleged that respondent’s failure to design effective procedures to ensure escalation and timely decisions regarding potential security incidents violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Section 13(b)(2)(B) required covered companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets was permitted only in accordance with management’s general or specific authorization.”
In a statement responding to the order, SEC Commissioners Pierce and Uyeda took issue with the Commission’s application Section 13(b)(2)(B). Specifically, the commissioners argued that the requirement to maintain internal accounting controls ensuring “that access to company assets” must be authorized by management and was intended to protect the accuracy of corporate transactions for the use and disposition of assets in transactions. They noted that “[w]hile [respondent’s] computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions,” and that faulting respondent’s internal accounting controls in the context of a ransomware attack “breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).”
CFPB, seven State AGs file suit against debt-relief company
On January 19, the CFPB and seven state attorneys general (Colorado, Delaware, Illinois, Minnesota, New York, North Carolina, and Wisconsin) announced a lawsuit against a debt-relief company, its subsidiaries, and its two individual owners (defendants) for allegedly facilitating an unlawful debt relief service. According to the complaint, the company used third parties to solicit consumers with large debts and direct them to contact defendants. The company then, allegedly, advised consumers to enroll in their debt-relief service that will negotiate reduced payoff amounts with consumers’ creditors and represent consumers. Additionally, individual defendants implicated in the action created law firms paired with one of the company’s subsidiaries, which performed little to no work on behalf of consumers, while non-attorney negotiators from the company were tasked with renegotiating a consumer’s debt. The CFPB and the AGs alleged that the company charges fees ($84 million since 2016) before and during the service, that left consumers with additional debt, lower credit scores, lawsuits with creditors, and had none of their original debts settled or reduced.
Among other things, the CFPB claimed the company violated the Telemarketing Sales Rule (TSR) by (i) charging advance fees before a consumer has made at least one payment under a debt settlement plan; (ii) collecting fees after settling some of a consumer’s debts when the fees are not proportional to the amount of debt defendant successfully settled or based on a fixed percentage of the amount saved; and, (iii) supporting its subsidiary law firms that the company knew or knowingly avoided knowing engaged in abusive acts or practices. The complaint sought permanent and preliminary injunctive relief, redress for consumers, and a civil money penalty. On January 11, the court granted the Bureau’s request for a temporary restraining order.
Delaware Personal Data Privacy Act to protect consumers
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.
The Act is effective on January 1, 2025.
Delaware enacts licensing legislation
On November 2, the Delaware governor signed SB 296, which increases the threshold for licensed property appraisers so that they may appraise complex one to four residential units valued up to $400,000. Among other things, the bill also amends the requirements for licensure and registration, such as that property appraisers must renew their licenses every other year instead of yearly, whereas appraisal management companies are now required to reregister and certify annually, rather than biennially. The bill is effective immediately.
California appeals court says lender cannot move bitcoin loan suit to Delaware
On June 14, the California Court of Appeal for the Second Appellate District reversed a trial court’s decision staying a suit against a lender and its loan payment processor (collectively, “defendants”) and enforcing a Delaware forum selection clause. The appeals court held that the plaintiff borrower’s unwaivable right to a jury trial under California law could be violated if the case proceeded in Delaware. According to the opinion, the plaintiff obtained $2.275 million in loans secured by bitcoin from the lender (a Delaware LLC that is licensed and regulated by California’s Department of Financial Protection and Innovation). When the value of bitcoin dropped, the lender sold the plaintiff’s bitcoin under the terms of the governing loan agreements. The plaintiff sued, “seeking, among other things, damages, return of his bitcoin, and cancellation of the loan agreements.” The defendants moved to stay the case because the Delaware forum selection clause required the case to be litigated in Delaware. The plaintiff countered that transferring the case to Delaware would “substantially diminish” his unwaivable rights under California law. The trial court eventually concluded that transferring the case to Delaware would not diminish the plaintiff’s rights and granted the stay pending litigation in Delaware. The trial court also stayed a second suit brought by the plaintiff alleging violations of California’s Unfair Competition Law and False Advertising Law, holding that the second suit involved the same primary rights as the first suit.
In reviewing the consolidated cases, the appeals court determined, among other things, that the Delaware forum selection clause in this case contains a predispute jury waiver. “Because California has a fundamental policy against such a waiver, Defendants carry the burden of proving that Delaware would not diminish this important right,” the appeals court wrote, adding that under Delaware law “contractual provisions that waive the contracting parties’ right to trial by jury have been upheld, and relevant case law provides insufficient assurance that Delaware courts will apply California’s important public policy to this dispute.” Additionally, the appeals court concluded that the defendants’ proposed “offer to stipulate that the Delaware court should apply California law” provides “little assurance that a Delaware court would enforce such a stipulation under the facts present here.”
Treasury, Delaware sign MOU to strengthen sanctions-related information sharing
On September 2, the U.S. Treasury Department and the State of Delaware announced a Memorandum of Understanding (MOU) intended to foster cooperative efforts to “shut down or otherwise disrupt the illicit activities of entities that should not be operating in the United States.” Under the MOU, Treasury’s Office of Foreign Assets Control (OFAC) and Delaware’s Department of Justice will communicate frequently and meet as needed to identify and shut down entities on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List) or that are otherwise blocked. The MOU is intended, among other things, to (i) promote certain U.S. economic sanctions-related information sharing and facilitate coordinated investigations; (ii) foster cooperative efforts to “heighten awareness of U.S. economic sanctions within both the Delaware business community and the general public” and “protect national security by promoting compliance with U.S. trade and economic sanctions laws”; (iii) support litigation against entities identified on the SDN List; (iv) “[i]mprove transparency into corporate structures used to disguise illicit business dealings”; and (v) “[p]revent abuse of U.S. companies by criminal and terrorist organizations, corrupt individuals, and other blocked persons through cancellation of entities or imposition of OFAC penalties.”
Delaware announces joint effort on foreclosure and eviction prevention
On July 1, Delaware Governor Carney, Attorney General Jennings, the Delaware State Housing Authority, and the chief magistrate of the justice of the peace court announced a joint effort on foreclosure and eviction prevention to support homeowners and renters financially impacted by the Covid-19 shutdown. The foreclosure prevention effort will focus on: (i) educating Delaware homeowners at risk of losing their homes to foreclosure as a result of Covid-19, (ii) increasing the capacity of Delaware’s HUD-approved housing counseling nonprofit agencies, and (iii) providing timely financial assistance tools for homeowners at risk of foreclosure due to Covid-19. The eviction prevention effort will focus on: (i) educating Delaware renters at risk of eviction due to Covid-19, (ii) funding the state’s legal aid organizations that offer legal services for unrepresented tenants facing eviction, (iii) facilitating an alternative dispute resolution program to encourage solutions to avoid eviction, and (iv) reopening applications for the Delaware Housing Assistance Program. The statement follows a recent order issued by the governor, previously covered here, that modifies previous relief relating to evictions, foreclosures, and insurance.
Delaware governor issues order modifying relief relating to evictions, foreclosures, and insurance
On June 30, the Delaware governor issued an order that modifies previous relief relating to evictions, foreclosures, and insurance. Specifically, the declaration lifts the stay on residential mortgage foreclosure actions commenced prior to the state of emergency. However, subject to certain exceptions, individuals may not be removed from the residential properties as a result of a mortgage foreclosure process while the order is in effect. Further, actions for summary possession may be filed for residential units in Delaware, but must be stayed pending a determination of whether the parties would benefit from participating in court supervised mediation or alternative dispute resolution. During the eviction process, subject to certain exceptions, individuals may not be removed from the residential properties. Finally, beginning July 1, 2020, every insurer is required to provide a 90-day payment plan for certain individual policyholders and business policyholders impacted by the Covid-19 state of emergency.
Delaware modifies state of emergency declaration
On April 30, the Delaware governor issued a fourteenth modification of the state’s emergency declaration, providing additional protections for Delaware renters with respect to payments under rental agreements.
Delaware Department of Insurance issues bulletin to insurance companies on regulatory filing requirements
On April 9, the Delaware Department of Insurance issued Bulletin No. 118 to insurance companies authorized to transact business in Delaware regarding compliance with regulatory filing requirements during Covid-19. The bulletin permits insurers to request an extension of certain filing deadlines by an additional 30 to 60 days, depending on the type of filing. Types of filings for which a 30-day or 60-day filing deadline extension may be requested are listed in the bulletin.