InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California DFPI concludes MTA licensure not required for crypto exchange
On November 3, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to a cryptocurrency exchange’s transactions. The redacted opinion letter examines whether the inquiring company’s proposed business activities—which “will offer the purchase, sale, and trading of various cryptocurrencies using a platform provided by its affiliate and in conjunction with another affiliate that is a . . . registered broker-dealer”—are exempt from the MTA. Transactions on the company’s platform will involve the use of the company’s tokenized version of the U.S. dollar. Customers will deposit U.S. dollar funds into a company account where an equivalent amount of tokens will be created and used to facilitate a trade for cryptocurrency. The tokens can also be exchanged for U.S. dollars, or customers can hold the tokens in their wallet. According to the letter, the company says it “does not take custody of its client’s currencies or offer digital wallets,” but rather a “client’s digital wallet is directly linked to the platform and transacts on a peer-to-peer basis with other clients.” In addition to trading cryptocurrencies, the company also plans to allow customers to “trade in cryptographic representations of publicly listed securities,” thereby permitting customers to purchase, sell, or trade the securities tokens on the platform. The company will also be able to transfer customers’ shares of securities tokens from the platform to a customer’s traditional brokerage account. The company explained that these transactions of securities tokens will be covered by the company’s affiliate’s broker-dealer license.
DFPI concluded that because the Department has not yet “determined whether the issuance of tokenized versions of the U.S. Dollar or securities, or their use to trade cryptocurrencies, is money transmission,” it will not require the company to obtain an MTA license in order to perform the aforementioned services or to issue tokenized version of the U.S. dollar or securities. DFPI noted, however, that its conclusions are subject to change, and emphasized that its letter does not address whether the proposed activities are subject to licensure or registration under other laws, including the Corporate Securities Law of 1968.
NYDFS amends cybersecurity regs
On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
Some changes within the proposed amended regulation include:
- New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
- Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
- The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
- The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
- The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
- If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
- Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
- Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
- Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
- Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
- Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
- Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
- Multi-Factor Authentication: The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
- Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
- Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
- Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.
The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. As the comment period ends, NYDFS will then review received comments and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
States reach multi-million dollar CRA data breach settlement
On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitory services to affected consumers.
Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.
Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.
District Court preliminarily approves $2.35 million settlement for card data breach
On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits were filed alleging violations of numerous state laws that were eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for a cash payments, and request credit monitoring services.
The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”
District Court: Unclear when networking site became aware of data scraping
On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.
As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.
In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of url data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
NYDFS issues RFI on private student loan refinancing
On November 8, NYDFS issued a request for information (RFI) to student loan advocates, lenders, regulators, servicers, and other stakeholders, seeking information regarding private student loan refinancing in New York. The Private Student Loan Refinancing Task Force, tasked with “study[ing] and analyz[ing] ways lending institutions that offer non-federal student loans to students of New York institutions of higher education can be incentivized and encouraged to create student loan refinance programs,” issued questions to solicit information from stakeholders to inform a forthcoming report. According to the announcement, the Task Force is seeking responses to questions concerning private sector refinancing of student loans. The questions include, among other things: (i) “What options are available for student loan borrowers to refinance private student loans both in New York State and outside the state?”; (ii) “What options are available for student loan borrowers to refinance federal student loans both in New York State and outside the state?”; (iii) “What is the volume of private student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; (iv) “What is the volume of federal student loans refinanced, the terms of the borrowers’ prior loans, the terms of the borrowers’ refinancing loans, the unmet need for student loan refinancing, and the impact of these refinancing loans in New York and nationwide?”; and (v) “What publicly available data should the Task Force review? Is there privately owned data that could be made available to the Task Force?” Responses are due by December 8.
Mortgage servicer must pay $4.5 million in payment service fee suit
On November 7, the U.S. District Court for the Southern District of West Virginia granted final approval of a class action settlement, resolving allegations that a defendant mortgage servicer charged improper fees for optional payment services in connection with mortgage payments made online or over the telephone. The plaintiffs' memorandum of law in support of its motion for final approval of the settlement alleges the defendant engaged in violations of the West Virginia Consumer Credit Protection Act, breach of contract, and unjust enrichment with respect to the fees. According to the memorandum, before deduction of attorneys’ fees and expenses, administrative costs, and any service award, the $4.5 million settlement fund represents approximately $216 per fee paid to the defendant by the putative class members. The court also approved $1.5 million in attorney’s fees, plus $4,519.20 in expenses, along with a $15,000 service award for the settlement class representative.
North Carolina Supreme Court orders appeals court to review HAMP fraud claims
On November 4, the Supreme Court of North Carolina determined that an appeals court erred by remanding a case concerning a defendant bank’s Home Affordable Modification Program to a trial court with instructions to make factual findings and conclusions of law on the defendant’s motion to dismiss. Plaintiffs sued the defendant alleging fraud and other related claims arising out of the bank’s mortgage modification program. The trial court dismissed the claims for failure to state a claim pursuant to North Carolina’s Rule of Civil Procedure 12(b)(6), after concluding that plaintiffs’ claims were time barred and “that ‘the claims of all [p]laintiffs who were parties to foreclosure proceedings [were] barred by the doctrines of res judicata and collateral estoppel.’” Plaintiffs appealed. A divided panel of the Court of Appeals remanded the case to the trial court claiming that “it could not ‘determine the reason behind the grant’ and could not ‘conduct a meaningful review of the trial court’s conclusions of law.’” The North Carolina Supreme Court countered, however, that there exists “no legal basis or practical reason for the Court of Appeals to remand the case to the trial court to make factual findings and conclusions of law” as “a trial court is not required to make factual findings and conclusions of law to support its order unless requested by a party”—a request neither party made. According to the North Carolina Supreme Court, the appeals court erred by not conducting a de novo review of the sufficiency of the plaintiffs’ allegations. The North Carolina Supreme Court ordered the appeals court to address whether the plaintiffs’ allegations, if treated as true, are sufficient to state a claim upon which relief can be granted.
District Court preliminary approves $4.3 million data breach settlement
On November 4, the U.S. District Court for the Eastern District of Michigan granted preliminary approval of a $4.3 million class action settlement regarding a data breach, following the filing of the plaintiffs’ unopposed motion for preliminary approval of class action settlement. After a plaintiff consolidated her suit with other similar lawsuits, the plaintiff class sued the defendant for negligence, unjust enrichment, and breach of contract, alleging their personal information was stolen from the defendant during a malware attack due to lack of cybersecurity measures. The settlement provides for, among other things, three years of free credit-monitoring services for the plaintiff class, up to $2,500 per member to cover out-of-pocket expenses related to the breach, up to $80 per member to cover lost time remedying issues related to the breach, $75 per member for California residents for claims under state statutes, and a year of password-managing services. The plaintiffs are seeking service awards of $1,500 for each of the 15 representative plaintiffs. The motion also noted that class counsel will ask the court for just over $1.4 million in attorneys’ fees to be deducted from the settlement fund.
Massachusetts settles with debt payment processor
On November 7, the Massachusetts attorney general announced a settlement with a payment processing company to resolve claims that it provided substantial assistance to a debt settlement provider engaged in unlawful business practices that charged consumers premature and inflated fees in violation of state and federal law. According to an assurance of discontinuance filed in Suffolk Superior Court, the company processed settlement and fee payments for consumers enrolled in various debt settlement programs, including those offered by a debt settlement provider that was previously fined $1 million by the AG’s office for allegedly harming financially-distressed consumers. (Covered by InfoBytes here.) The newest settlement resolves claims that the company transferred unlawful fee payments to the debt settlement provider despite having knowledge of the alleged misconduct and even after the provider was sued by the AG’s office. Without admitting any facts, liability, or wrongdoing, the company has agreed to pay $600,000 to the Commonwealth, and will, according to the announcement, “make meaningful business practice changes that would prevent it from transferring untimely fees from any Massachusetts consumer account to any debt settlement company.”