On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
On May 28, the California Attorney General announced approximately $1.5 million in judgments against a company and four individuals (defendants) charged with allegedly operating a telemarketing scheme that offered fake investment recovery services. According to the Attorney General’s office, the defendants allegedly made false and deceptive claims to investors, many of whom were elderly, that the company could recover money lost from previous investments for an up-front fee of several thousand dollars. The terms of the judgments include $930,800 in combined civil penalties and $567,774 in restitution, and permanently enjoin and restrain the defendants from, among other things, making false or misleading statements in connection with telemarketing transactions. The Attorney General’s announcement also disclosed the recovery of nearly $25,000 in victim restitution pursuant to a bond issued to the company under California’s Telephonic Sellers Law.
On May 15, a group of 25 Democratic Attorneys General submitted a comment letter in response to the CFPB’s February proposal to rescind certain provisions related to the underwriting standards of the “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (the Rule) (covered by InfoBytes here). In the comment letter, the Attorneys General argue, among other things, that the elimination of the underwriting provisions of the Rule: (i) is inconsistent with the Bureau’s obligations to protect consumers under the Dodd-Frank Act; (ii) ignores state experiences with payday and vehicle title lending; and (iii) would reduce states’ ability to protect their residents from predatory lending.
Specifically, the letter argues that the Bureau’s reasoning for repealing the underwriting requirements—that the findings of the Rule “were not supported by sufficiently ‘robust and reliable’ evidence”—would saddle the Bureau with an unreasonably high evidentiary standard that would prevent the Bureau from regulating unfair and abusive practices. Additionally, the letter states that the Bureau’s conclusion that the underwriting requirements would harm consumers by reducing consumers’ access to credit and ability to choose lenders offering credit ignores “the experiences of numerous states that have implemented restrictions on payday and vehicle title lending—restrictions that have protected consumers without unreasonably limiting consumers’ access to credit.” States’ restrictions on payday and vehicle title lending, according to the letter, have “benefited consumers and expanded access to manageable credit.” Lastly, the letter asserts that maintaining a federal regulatory floor on lending activities is “crucial to supporting and complementing state oversight,” and removal of the floor will “enable lenders to continue trying to avoid state regulation and continue marketing expensive and often unlawful products to consumers without providing borrowers an opportunity for negotiation or comparison.”
The comment letter was written by the Attorneys General of the District of Columbia, New Jersey, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Mexico, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, Washington, and Wisconsin.
As previously covered by InfoBytes, the same group of Attorneys General had urged the CFPB via a previous comment letter not to delay the August 19, 2019 compliance date for any aspect of the Rule, and had warned that they would consider taking legal action if the Bureau did so.
On May 10, the New Jersey governor signed S 52, which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The amendment further permits breached entities to provide individuals, whose account access credentials have been compromised, with the opportunity to promptly change online account information, so long as the notification is not sent to an email account subject to the security breach. The amendments take effect on September 1.
On May 7, the Washington governor signed HB 1071, which amends the state’s data breach notification law to, among other things, (i) narrow the window for post-breach notification to affected individuals and to the state Attorney General, if applicable, from 45 days to 30 days after discovery; (ii) require notifications to contain the date of the breach and the date of the discovery of the breach, if known; (iii) permit electronic notification to affected individuals, which must instruct them to promptly change passwords and security questions or answers, as applicable; and (iv) significantly expand the items included in the notice to the Attorney General, including a summary of steps taken to contain the breach. In addition, HB 1071 expands the definition of “personal information” to include, among other things, the full birth date; a private key unique to an individual that is used to authenticate or sign electronic records; student, military, or passport ID numbers; health insurance identification numbers; biometric data or medical history; and user names and email addresses combined with passwords or security questions. The amendments take effect March 1, 2020.
On May 6, the Indiana Attorney General announced a lawsuit filed against a national credit reporting agency in response to its 2017 data breach, alleging the company “chose increasing revenue over protecting the safety of consumers’ sensitive personal information.” According to the complaint, the state alleges the company violated the Indiana Deceptive Consumer Sales Act by failing to secure 3.9 million residents’ personal data while representing to consumers that its payment systems were compliant with Payment Card Industry (PCI) standards. The complaint alleges among other things that the company “knew the system was storing payment card information in clear text, which was a known violation of the [PCI standard]” and “[d]espite its knowledge, … made a conscious choice to break the rules.” Indiana is seeking civil penalties, consumer restitution, costs and injunctive relief.
On April 25, the New York Attorney General announced that operators of a virtual currency trading platform and “tether” virtual currency issuer, along with their affiliated entities, are enjoined from engaging in activities that may have defrauded investors trading in cryptocurrency. The AG’s investigation found that the operators allegedly “engaged in a cover-up to hide the apparent loss of $850 million dollars of co-mingled client and corporate funds.” Under the terms of the court order, the operators and companies, among other things, (i) must immediately end the further dissipation of U.S. dollar assets that back “tether” tokens; (ii) are prohibited from making any distributions to executives, employees, or agents, investors, or associates from “funds that have been loaned, extended, or pledged, or otherwise taken from the U.S. dollar reserves held by the operator”; and (iii) are prohibited from destroying or deleting potentially relevant documents and communications.
On April 11, the Maryland Attorney General announced an administrative proceeding taken against a title company, its owner, and related businesses for allegedly making unlicensed and usurious title loans secured by consumers’ motor vehicles. According to the AG’s charges, the defendants, among other things, allegedly engaged in unfair or deceptive trade practices by offering consumers high-interest, short-term title loans with typical annual interest rates of 360 percent. The AG contends that the loans offered by the defendants qualify as consumer loans under Maryland law and therefore are subject to state interest rate caps. Furthermore, the AG alleges that the defendants were never licensed by the Maryland Commissioner of Financial Regulation to make consumer loans in the state. The AG seeks an order compelling the defendants “to permanently cease and desist from making unlicensed and usurious consumer loans in Maryland, to pay restitution to all affected consumers, and to pay civil penalties.”
On April 16, the Maryland Attorney General announced a settlement with a reverse mortgage servicer for allegedly charging homeowners illegal inspection fees. According to the Attorney General, from 2010 through 2016, the servicer passed the cost of inspecting properties in default on to homeowners, which Maryland law does not allow. In 2013, the Maryland Commissioner of Financial Regulation put the servicer on notice that it was charging prohibited inspection fees, but the servicer did not cease the activity until January 1, 2017. The servicer has since refunded or reversed nearly $44,000 in property inspection fees charged to consumers. The settlement agreement requires the servicer to (i) refund inspection fees that have not yet been refunded; (ii) provide notice to any sub-servicer that the inspection fees should be refunded or not collected; (iii) pay $5,000 to the state for costs associated with the investigation; and (iv) pay $50,000 in civil money penalties.
On April 15, the California Attorney General announced a $4.6 million settlement with a rental car company and affiliate resolving a joint investigation with the district attorneys into the company’s violation of state consumer protection laws. According to the AG, the companies, among other things, overcharged customers for rental vehicle repairs and failed to disclose material damage to the rental cars at the time of sale or disposal. Under state law, rental car companies are prohibited from charging customers more than the actual cost of repair, which includes any discounts the company receives according to the complaint. However, the companies frequently billed customers charges that were higher than the actual cost of the repair through the use of third-party repair estimates. Under the terms of the stipulated judgment, which also include comprehensive injunctive terms to prevent future misconduct, the companies—which did not admit liability—have agreed to comply with California laws and are required to pay (i) $1 million in restitution to affected customers; (ii) $3.3 million in civil penalties; and (iii) $300,000 in investigative costs.
On April 4, the Arkansas governor signed SB 514, which establishes a process for state regulation of telecommunications service providers and third-party spoofing providers, and stiffens criminal penalties for persons who engage in illegal robocalling and spoofing practices. The act reclassifies “spoofing”—defined in the act as “displaying fictitious or misleading names or telephone numbers”—and illegal robocalls as Class D felonies. Arkansas law previously classified these actions as misdemeanors. The act requires telecommunications providers to report annually to the Arkansas Public Service Commission on the measures they have implemented for identifying and combating the illegal calls.
The Arkansas Attorney General issued a press release in which she noted that the legislation “reinforces how determined Arkansans are to stop these illegal calls and creates a path for enforcement to hold the bad actors accountable.” The act takes effect 90 days after adjournment of the legislature.