InfoBytes Blog

Financial Services Law Insights and Observations


  • New York settles with online retailer over data breach

    State Issues

    On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted).  The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.

    The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Settlement Credit Cards

  • Nevada authorizes pilot program for marijuana banking

    State Issues

    On June 5, the Nevada governor signed AB 466, requiring the State Treasurer to create a pilot program, authorized to operate from October 1, 2019 through June 30, 2023, for the establishment of one or more closed-loop payment processing systems that enable certain persons to engage in financial transactions relating to marijuana.

    The closed-loop payment processing system established under the pilot program must be designed to, among other things: (i) provide marijuana establishments and medical marijuana establishments a safe, secure and convenient method of paying state and local taxes; (ii) prevent revenue from the sale of marijuana from going to criminal enterprises, gangs and drug cartels; and (iii) prevent lawful financial transactions relating to marijuana from being used as a cover or pretext for unlawful activities. The bill requires the State Treasurer to adopt regulations to carry out the pilot program and requires that the State Treasurer submit a report concerning the pilot program on or before December 1, 2020, and every 6 months thereafter.

    State Issues State Legislation State Regulators Medical Marijuana

  • Maine enacts consumer privacy law for internet service providers

    State Issues

    On June 6, the Maine governor signed S.P. 275/L.D. 946, which requires certain broadband Internet access services to receive express, affirmative consent from a customer before disclosing, selling, or permitting access to a customer’s personal information. Among other things, the provisions stipulate that a customer may revoke his or her consent at any time, and forbid providers from refusing service or charging a penalty or offering a discount based on the customer’s decision to provide or not provide consent. Furthermore, providers must include a “clear, conspicuous and nondeceptive notice at the point of sale,” as well as on the provider’s public website, concerning the provider’s obligations and the customer’s rights. Requirements for safeguarding customers’ personal information are also outlined. The Act applies only to providers operating in Maine that provide Internet access service to customers that are physically located and billed for services received in Maine.  The new law will take effect July 1, 2020.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Consumer Protection

  • 9th Circuit: Class decertification appropriate when representative lacks standing

    Courts

    On June 5, the U.S. Court of Appeals for the 9th Circuit affirmed a lower court’s decision to decertify a class of callers claiming their cellphone calls were unlawfully recorded, holding that the class representative lacked standing as to its individual claim. According to the opinion, customers of a concrete supplier alleged that calls placed to a phone system that the company began using in 2009 failed to inform callers that their cellphone calls were being recorded. In 2013, the company changed the recording to state that the calls may be “monitored or recorded.” The class representative sought to certify a class of all persons whose calls were recorded between the time that the company started using the call recording system in 2009 to when it updated the recording. The district court initially denied certification under Federal Rule of Civil Procedure 23’s predominance requirement, and later—after certifying the class based on evidence presented concerning the timing of certain recorded calls—decertified the class for failing to satisfy the “commonality” and “predominance” requirements once the concrete supplier identified nine customers who claimed they had actual knowledge of the recording practice during the class period. In addition, the court concluded that the class representative lacked standing to seek damages on its individual claim or injunctive relief because it lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, which required that it show a concrete or particularized injury as a result of the concrete supplier's alleged violation.

    On appeal, the 9th Circuit rejected the class’s argument that it “has standing to appeal the decertification order notwithstanding the adverse judgment against it on the merits” due to the following two exceptions to the mootness doctrine that may permit a class representative to appeal decertification even if its individual claims have been mooted: (i) the class representative “retains a ‘personal stake’ in class certification”; or (ii) “the claim on the merits is ‘capable of repetition, yet evading review,’” even though the class representative has lost “his personal stake in the outcome of the litigation.” The appellate court concluded that “neither of these mootness principles can remedy or excuse a lack of standing as to the representative's individual claims.”

    Courts Ninth Circuit Appellate Spokeo Standing Class Action State Issues

  • Oregon enacts new vendor data breach notification requirements

    State Issues

    On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.

    State Issues State Legislation Data Breach Privacy/Cyber Risk & Data Security Third-Party

  • Maryland amends statute of limitations for UDAP actions against mortgage servicers

    State Issues

    On May 25, the Maryland governor signed HB 0425, which amends the state’s statute of limitations applicable to certain civil actions relating to unfair, abusive, or deceptive trade practices (UDAP) filed against a mortgage servicer. Specifically, the bill requires that an action filed by a homeowner alleging damages arising out of a UDAP violation shall be filed within the earlier of: (i) 5 years after a foreclosure sale of the residential property; or (ii) 3 years after the mortgage servicer discloses its UDAP violation to the homeowner. The bill is effective October 1.

    State Issues State Legislation UDAP Mortgage Servicing Mortgages Foreclosure

  • Oregon removes sunset on GAP waiver statutes

    State Issues

    On May 24, the Oregon governor signed SB 366, which repealed the sunset provision on statutes establishing the conditions under which creditors can offer guaranteed asset protection (GAP) waivers in connection with the sale of an automobile. Chapter 523, Oregon Laws 2015 allows creditors to offer GAP waivers to consumers outside of the regulation of the Insurance Code while specifying certain requirements for offering the waivers. Section 11 of Chapter 523 would have repealed these GAP waiver provisions on January 2, 2020. The bill repeals Section 11, allowing for the GAP waiver provisions to remain in effect. The bill is effective January 1, 2020.

    State Issues State Legislation GAP Waivers Auto Finance

  • OCC wants final judgment in NYDFS fintech charter challenge

    Courts

    On May 30, the OCC filed a letter with the U.S. District Court for the Southern District of New York notifying the court that it intends to work with NYDFS to issue a proposed final order to the court in the action challenging the OCC’s decision to allow fintech companies to apply for a Special Purpose National Bank Charter (SPNB). As previously covered by InfoBytes, in May, the court denied the OCC’s motion to dismiss, concluding that, among other things, the OCC failed to rebut NYDFS’s claims that the proposed national fintech charter posed a threat to the state’s ability to establish its own laws and regulations, and therefore, the challenge “is ripe for adjudication.” In its letter, the OCC states that while it “disagrees with the Court’s decision, and reserves its right to appeal, it believes that the decision renders entry of final judgment in this matter appropriate.” An entry of final judgment would allow the OCC to challenge the decision with the U.S. Court of Appeals for the 2nd Circuit.

    Courts Fintech NYDFS OCC Fintech Charter National Bank Act State Issues Preemption

  • Oregon requires consumers to repay title, payday loans before lender makes new loan

    State Issues

    On May 30, the Oregon Governor signed HB 2089, which, among other things, prohibits title loan and payday loan lenders from making a new loan to a consumer until seven days after the consumer has fully repaid a previous title loan or payday loan. In addition, lenders may not make or renew a title loan or payday loan with an interest rate exceeding 36 percent annually, excluding a one-time allowable origination fee. These amendments apply to loan contracts, including renewals, executed on or after January 1, 2020.

    State Issues State Legislation Consumer Lending Payday Lending

  • Pennsylvania court holds mobile giving app not required to be licensed as a money transmitter

    Courts

    On May 30, the Commonwealth Court of Pennsylvania reversed an order by the Pennsylvania Department of Banking and Securities Commission (Commission) issued against a mobile giving app and two of its executives (petitioner), holding that the petitioner was not required to be licensed by the Commission because it was not transmitting money under the court’s interpretation of the Pennsylvania Money Transmitter Act (Act). In 2016 the Compliance Office of the Department of Banking and Securities (Department) issued an order to cease and desist against the petitioner for transmitting money in the state without a license as required under the Act. At issue was whether petitioner’s activities constituted “transmitting money” under the Act, or merely involved collecting and supplying information. The Department claimed the petitioner’s app was “an indispensable part of a chain of events through which money was transferred from the donors to the recipients of the donations.” However, the petitioner argued that the app simply connected donors to the recipients, and that the actual transmission of money was outsourced to a payment processor who conducted the actual transactions.

    The six-judge majority stated that the Commission’s interpretation of the Act was too broad, holding that “[o]n a basic and critical level, the Commission erroneously interpreted the terminology ‘engage in the business’ in an overly expansive manner and essentially read it as prohibiting any conduct that contributes toward—or has a tangential involvement with—the concrete and real act of ‘transmitting money.’” Moreover, “the key term in ascertaining the defining characteristic of the conduct that is proscribed by the statute is ‘transmitting,’” and while the petitioner’s “software application can be deemed to have acquired and ‘transmitted’ information vital to the donative transactions to [the payment processor], by no means was [the petitioner] ‘transmitting money’ itself, or transmitting some other ‘method for the payment’ of the donation, ‘from one person or place to another.’”

    Courts Licensing Money Service / Money Transmitters State Issues Fintech
