InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Arizona governor amends data breach law, updates security freeze legislation
On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or licenses unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:
- makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
- adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
- amends a provision concerning “substitute notice,” which removes requirements that a notification must to be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
- clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password.
Both bills are scheduled to take effect 91 days after the end of the legislative session.
Electronic contracting tools provide evidence and records necessary to undermine opposing affidavits
On April 3, the Court of Appeals of North Carolina upheld an agreement executed using a third-party electronic contracting service vendor, after finding that the agreement was ratified by the plaintiff’s conduct, even if an unauthorized employee executed it in the first instance. The plaintiff argued that it had never seen the contract and that an employee must have electronically signed the contract without authority. However, the defendant produced evidence and an affidavit showing that its electronic contracting vendor had sent the contract to the plaintiff’s email address, that the emails were viewed and the link to the contract was opened, and that the contract was electronically signed in the vendor’s system. The record also showed several other emails referencing the agreement sent to plaintiff and responses thereto by plaintiff. The court observed that “[w]ere this a more traditional contract negotiation, in which the parties had mailed proposed contracts back and forth, a sworn affidavit stating that [plaintiff] never reviewed or signed the contracts might be sufficient to create a genuine issue of material fact” as to plaintiff’s knowledge of the agreement and its terms, but in the electronic context, the affidavits and audit trails produced by the vendor foreclosed any genuine dispute that the plaintiff company had received the agreement and had knowledge of it before ratifying it through its actions.
8th Circuit reverses district court’s decision, rules plaintiff failed to demonstrate actual damages under RESPA
On April 3, the U.S. Court of Appeals for the 8th Circuit reversed a district court’s decision, which granted summary judgement in favor of a consumer (plaintiff) who claimed a mortgage loan servicer violated the Real Estate Settlement Procedure Act (RESPA) and the Minnesota Mortgage Originator and Servicer Licensing Act when it failed to adequately respond to his qualified written requests concerning erroneous delinquency allegations. The district court ruled that the plaintiff suffered actual damages of $80 under his RESPA claims when the loan servicer “made minimal effort to investigate the error” and failed to provide the plaintiff with requested information about his loan history since origination. The “pattern or practice” of non-compliance also, in the district court’s view, justified $2000 in statutory damages. The plaintiff also received a separate damage award, attorney’s fees and costs under the Minnesota statute. However, under RESPA, a plaintiff must demonstrate proof of actual damages resulting from a loan servicer’s failure, and the three-judge panel argued that the plaintiff “failed to prove actual damages” because the loan servicer’s “failure to comply with RESPA did not cause [the plaintiff’s] alleged harm.” The panel opined that while the loan servicer failed to (i) conduct an adequate investigation following the plaintiff’s request as to why there was a delinquency for his account, and (ii) failed to provide a complete loan payment history when requested, its failure to comply with RESPA involved pre-2011 payment history for which the plaintiff eventually requested and received the relevant loan payment records at no cost. In fact, the panel stated, the only evidence of actual damages was the $80 the plaintiff spent for bank account records, but that expense concerned a separate dispute about whether the plaintiff missed two payments in 2012 and 2013, which the plaintiff eventually acknowledged that he did, in fact, fail to make. Since the loan servicer did not commit an error with respect to the missed payments, the court concluded that the $80 spent by plaintiff were not the result of the loan servicer’s failure to investigate and provide information related to the pre-2011 payment history. To the contrary, with respect to responding to the plaintiff’s inquiries regarding the missing payments, the loan servicer had “complied with its duties under RESPA.”
Furthermore, the panel stated that the plaintiff failed to provide evidence that the loan servicer engaged in a “pattern or practice of noncompliance.” The 8th Circuit remanded the case back to the district court with directions to enter judgment in favor of the loan servicer on the RESPA claims and for further proceedings on claims under the Minnesota statute.
NYDFS launches online portal for anti-terrorism and anti-money laundering regulation compliance certification
On April 9, the New York Department of Financial Services (NYDFS) announced the launch of a new online portal that regulated entities may use to securely file certifications required under New York’s risk-based anti-terrorism and anti-money laundering regulation. This regulation took effect January 1, 2017, and regulated entities must file their first certification of compliance by April 16 and annually thereafter. The regulation requires regulated entities to maintain programs to monitor and filter transactions for potential Bank Secrecy Act/anti-money laundering violations, and ban transactions with sanctioned entities. The announcement states that filing through the online portal is preferred over alternative filing mechanisms.
Student loan servicer seeks declaratory and injunctive relief to resolve dispute concerning preemption of state law
On April 4, a Pennsylvania-based student loan servicer (servicer) that services federal student loans on behalf of the U.S. Department of Education (Department) filed a complaint in the U.S. District Court for the District of Columbia against the Connecticut Department of Banking and its banking commissioner (together, the Connecticut Defendants), and the Department, seeking a judicial determination that the federal Privacy Act of 1974 (Privacy Act) preempts Connecticut law requiring the servicer to disclose certain records containing confidential information about its student loan borrowers to the state, along with data related to borrower complaints, or risk revocation of its state servicer’s license. In addition, the servicer seeks injunctive relief against the Connecticut Defendants to prevent the enforcement of state law in contravention of the Privacy Act and revocation of the servicer’s license.
In support of the injunctive relief sought, the servicer cites several irreparable harms, including (i) the potential termination of its federal loan servicing contract; (ii) the revocation of its license to service, which would adversely affect approximately 100,000 student borrowers in the state, and (iii) the potential impact on loan servicing arrangements that the servicer has with “dozens of private lenders doing business in Connecticut.”
As previously covered in InfoBytes, on March 12 Department Secretary Betsy DeVos published an Interpretation that asserted the position that state “regulation of the servicing of Direct Loans” is preempted because it “impedes uniquely Federal interests,” and state regulation of the servicing of loan under the Federal Family Education Loan Program “is preempted to the extent that it undermines uniform administration of the program.” However, last month—as discussed in InfoBytes—a bipartisan coalition of 30 state Attorneys General released a letter urging Congress to reject Section 493E(d) of the Higher Education Act reauthorization—H.R. 4508, known as the “PROSPER Act”—which would prohibit states from “overseeing, licensing, or addressing certain state law violations by companies that originate, service, or collect on student loans.” The states expressed a concern that, if enacted, the law would preempt state consumer protection laws for student borrowers and constitute “an all-out assault on states’ rights and basic principles of federalism.”
Oregon amends debt collection statute to expand coverage to debt buyers
On April 3, the Oregon governor signed SB 1553, which amends Oregon’s debt collection laws to provide that a debt buyer (or a debt collector acting on a debt buyer’s behalf) engages in unlawful collection practice if it collects or attempts to collect a debt without providing a debtor, within 30 days of their request, documents which establish the nature and amount of debt.
State judge says Massachusetts can sue credit reporting agency over data breach
On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.
States pass bills amending security freeze laws
On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.
On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.
Washington governor enacts bill to provide student loan debt relief
On March 22, the Washington governor signed HB 1169, which establishes the student opportunity, assistance, and relief act to address student loan debt. Among other things, HB 1169 (i) repeals certain statutes allowing the suspension of a professional license or certificate due to student loan default; (ii) changes the judgment interest rate for unpaid private student loan debt to two percentage points above the prime rate, unless the judgment interest rate is specified in the contract; (iii) defines “private student loan,” and outlines exclusions, such as “an extension of credit made under an open-end consumer credit plan, a reverse mortgage transaction, a residential mortgage transaction, or any other loan that is secured by real property or a dwelling”; and (iv) outlines provisions and exemptions for bank account and wage garnishment. The act takes effect June 7.
As previously covered in InfoBytes, earlier in March the Washington governor established the “Washington student education loan bill of rights” to outline licensing requirements and responsibilities for student loan servicers.
Washington expands the state’s Service Member’s Civil Relief Act
On March 22, the Washington governor signed HB 1056, which amends the Washington Service Member’s Civil Relief Act (WSCRA) to update the definition of “service member” and allow for a service member to terminate or suspend certain private contracts without penalty. Specifically, HB 1056 defines “service member” as “an active member of the United States armed forces, a member of a military reserve component, or a member of the national guard who is either stationed in or a resident of Washington state.” The law allows for a service member, after receiving orders for a permanent change of station or deployment (for at least 30 days), to terminate or suspend certain contracts for the following: telecommunication services, internet services, health studio services, and subscription television services. After proper written notice is given to the service provider for termination, suspension or reinstatement, the service member may not be charged a “penalty, fee, loss of deposit, or any other additional cost” due to the notice. Additionally, HB 1056 allows the Washington Attorney General to recover costs and fees in an action brought to enforce the WSCRA. The law becomes effective on June 7.