On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, after the U.S. Department of Health and Human Services discovered that protected health information maintained by the company could be retrieved through public search engines, apparently the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notifying affected consumers for more than three months and then sent notices that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.
On May 4, the Indiana governor signed SB 452 to amend Indiana code governing financial institutions. Among other things, the Act amends a provision to require the Department of Financial Institutions to adopt emergency rules no later than June 30, 2024, to authorize certain licensees (or certain exempt persons, other than a person that has voluntarily registered with the Department) “to sponsor one (1) or more mortgage loan originators, who are not employees of the sponsoring person, to perform mortgage loan originator activities” provided certain criteria are met. Requirements include that (i) each sponsored person performs mortgage loan originator activities exclusively for the sponsoring person (as provided in a written agreement); (ii) the sponsoring person assumes responsibility for and reasonably supervises the activities of each sponsored mortgage loan originator; (iii) the sponsoring person maintains a bond that covers all sponsored mortgage loan originators; and (iv) each sponsored mortgage loan originator possesses a current, valid insurance producer license as required under state law. The emergency rules must meet the requirements of the Secure and Fair Enforcement for Mortgage Licensing Act of 2008, HUD and CFPB interpretations of that Act, and a subsequent amendment made by the Economic Growth, Regulatory Relief, and Consumer Protection Act.
On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act is also intended to ensure compliance with applicable state and federal laws, standardize the activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director, who may enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.
With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.
The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.
On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (each previously covered by InfoBytes and Special Alerts). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including for financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as for covered entities governed by the Health Insurance Portability and Accountability Act.
Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security practices “appropriate to the volume and nature of the personal data at issue” and to conduct data protection assessments for processing activities created or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ sensitive data without first obtaining consent, or, in the case of a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.
While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.
The Act takes effect January 1, 2026.
On April 24, the FDIC issued FIL-18-2023 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Indiana affected by severe storms, straight-line winds, and tornadoes from March 31 to April 1. The FDIC acknowledged the unusual circumstances faced by affected institutions and encouraged those institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are taken “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements, and instructs institutions to contact the Chicago Regional Office if they expect delays in making filings or are experiencing difficulties in complying with publishing or other requirements.
On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant’s systems caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which holds records containing personally identifiable information (PII), executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” Under the first agreement, the defendant agreed to maintain servers holding the nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.
According to the plaintiffs’ complaint, a third party hacked into the defendant’s systems and deployed ransomware in February 2020, gaining access to the PII that the nonprofit stored with the defendant; the attackers were, however, unable to block the defendant from accessing its own systems. The defendant allegedly learned of the attack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard its database of PII, and that “had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.” Following the breach, the plaintiffs alleged that they incurred remediation damages consisting of “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.
The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims were barred under Indiana’s economic loss rule because they did not point to an independent duty arising outside of the contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.
On August 12, the U.S. District Court for the Southern District of Indiana issued an order denying plaintiffs’ motion for partial summary judgment and granting defendants’ cross-motion for summary judgment in an action alleging TILA and ECOA violations and FHA disparate impact claims. According to the court’s determination, the defendant corporate entity was not a “creditor” during the leasing portion of the underlying rent-to-buy (RTB) agreements, and the plaintiffs lacked standing on certain claims because they had sued the wrong parties.
The defendant realty group purchases, sells, and manages real estate. The plaintiffs all entered into RTB agreements with the realty group that allowed the renter to make 24 payments and then execute a sales contract for the property. The agreements carried interest rate terms between 9.87 and 18 percent. According to the plaintiffs, the defendants, among other things, did not provide TILA-required disclosures for high-cost mortgages, did not require written certifications that tenants had obtained counseling prior to entering into the transaction, and did not provide property appraisals to tenants.
The plaintiffs sued alleging several claims under TILA for failure to provide required information. However, the court concluded that during the 24-month rental period, the realty group was not a “creditor” but was instead a “landlord.” Moreover, the court determined that “the only entities that could arguably be considered creditors are the Individual Land Trusts as the sellers and parties to the Conditional Sales Contract.” These trusts were not named as defendants, the court observed, adding that the plaintiffs failed to meet the burden of showing that the land trusts were sufficiently related to the named defendants to allow the court to “pierce the corporate veil” and hold the named defendants liable for actions conducted by the non-party individual land trusts.
With respect to the plaintiffs’ ECOA claims, which alleged that the realty group’s policies and practices were intentionally discriminatory and had a disparate impact on the basis of race, color, and/or national origin, the court applied the same rationale as it did to the TILA claims and again ruled that the realty group was not a “creditor.” In terms of plaintiffs’ FHA claims, the court said that “the racial disparity must have been created by the defendant.” In this action, the court determined that the realty group did not create the condition, reasoning that “the fact that lower-priced homes are more likely to exist in minority neighborhoods is not of Defendants’ making and existed before, and without, the RTB Program.”
However, the court’s order does allow certain individual and class claims related to disparate treatment under the FHA to proceed, as well as certain claims regarding Indiana law related to standard contract terms and the condition of homes in the RTB program.
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of the pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, while the CCPA generally obligates businesses to notify California residents when their personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because its conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
On March 18, the Indiana governor signed HB 1351, which provides that upon discovering a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill allows for specific reasonable delays, including where delay is “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC 24-4.9-3-3, by making clear that notification must occur within 45 days of discovery. HB 1351 takes effect July 1.
On March 18, the Indiana governor signed HB 1092, which amends the provisions regarding loan brokers, including licensing requirements and contracts for the services of a loan broker. Among other things, the bill establishes that a loan processing company notice filing must be made on a form prescribed by the commissioner and include the: (i) loan processing company's business name, address, and state of incorporation or business registration; (ii) names of the owners, officers, members, or partners who control the loan processing company; and (iii) name of each individual employed by the loan processing company, including the unique Nationwide Multistate Licensing System (NMLS) identifier of each loan processor. Additionally, when a contract for the services of a loan broker is assigned, the loan broker must provide to each party to the contract a copy of the signed contract and a written disclosure of any agreement entered into by the loan broker to procure loans exclusively from one lender. The bill is effective July 22.