InfoBytes Blog
New York expands data breach notification laws
On July 25, the New York governor signed two bills designed to strengthen protections for consumers in the event their private information is compromised in a data breach.
A 5635B, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) updates the state’s privacy law by expanding the definition of personal information and broadening the definition of a data breach. Notably, the SHIELD Act applies to any person or entity with access to a New York resident’s private information, regardless of whether or not the company conducts business in the state. Among other provisions, the SHIELD Act:
- Requires all covered entities to adopt and implement “reasonable” administrative, technical, and physical safeguards to protect and dispose of sensitive data, as well as implement “reasonable” administrative safeguards, such as employee training;
- Stipulates that a covered entity that is already regulated by, and in compliance with, certain existing applicable state or federal data security requirements (e.g., Gramm-Leach-Bliley Act, HIPAA, and 23 NYCRR Part 500—NYDFS’ Cybersecurity Regulation) is considered a “compliant regulated entity”;
- Requires entities to promptly notify impacted individuals under new, broadened data breach notification requirements, which now include (i) “access to” private information as a trigger for notification, in addition to the existing “acquired” trigger; and (ii) expanded data types, including biometric data, email addresses, and corresponding passwords or security questions and answers;
- Applies a more flexible standard for small businesses to ease regulatory burdens (qualifying small businesses must have fewer than 50 employees, under $3 million in gross annual revenue, or less than $5 million in assets) and will consider a small business compliant if its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business” to protect the security, confidentiality, and integrity of private information; and
- Broadens the New York attorney general’s oversight regarding data breaches impacting state residents. The SHIELD Act further stipulates that actions may not be brought under the law’s provisions unless the action is commenced within three years following either the date on which the attorney general received notice of the violation, or the date the notice was sent to affected individuals, whichever occurs first. However, “[i]n no event shall an action be brought after six years from the date of discovery of the breach of private information by the company unless the company took steps to hide the breach.”
The SHIELD Act takes effect March 21, 2020.
A 2374, which was signed into law the same day, prohibits consumer credit reporting agencies from charging fees to consumers if the agency’s system was involved in a data breach involving social security numbers. Credit reporting agencies are required to provide “reasonable identity theft prevention services and, if applicable, identity theft mitigation services for a period not to exceed five years at no cost to such consumers.” The law applies to any breach of security of a consumer credit reporting agency that occurred in the last three years. This measure takes effect September 23.
CFPB, New York AG settle lawsuit against debt collection network
On July 25, the CFPB and New York attorney general announced (see here and here) proposed settlements with a network of New York-based debt collectors (defendants) to resolve allegations that the defendants engaged in improper debt collection tactics in violation of the Consumer Financial Protection Act, the FDCPA, and various New York laws. As previously covered by InfoBytes, the CFPB and the New York AG filed a lawsuit in 2016, alleging the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed. Among other things, the defendants allegedly (i) “misrepresented to consumers that they owed sums they did not owe, were not obligated to pay, or that the companies did not have a legal right to collect”; (ii) deceptively threatened consumers with lawsuits that the defendants did not plan on initiating; and (iii) impersonated law enforcement officials, government agencies, and court officers. Additionally, the New York AG claimed the defendants violated state laws related to the collection of consumer debt and the placement of consumer debt for collection.
The settlements were approved by the court on August 23 and permanently ban the defendants from acting as debt collectors and enjoin all defendants from engaging in the alleged unlawful conduct in the future and from making any misrepresentation or omission connected with any consumer financial product or service. The first stipulated final judgment and order for a group of the defendants imposes a $10 million civil money penalty (CMP) to both the CFPB and the New York AG, as well as $40 million in redress to harmed consumers. Under the terms of the second stipulated final judgment and order, the other group of defendants must pay CMPs of $1 million to both the CFPB and the New York AG and $4 million in consumer redress. However, based on the second group of defendants’ inability to pay, full payment is suspended subject to the defendants paying $10,000 in consumer redress and a $1 CMP to the Bureau.
Credit reporting agency agrees to multi-agency settlement over 2017 data breach
On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.
Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.
North Carolina AG sues unlicensed debt collector for multiple violations
On July 17, the North Carolina attorney general announced a lawsuit filed against multiple debt collection entities and their owner for allegedly collecting or attempting to collect on consumer debts in North Carolina without filing the appropriate registration or obtaining the necessary permits to operate as a debt collection agency in the state. According to the complaint, the entities, based and registered in Texas, purchased unpaid debts from a national rent-to-own consumer goods company. North Carolina customers allegedly received misleading collection notices from the entities that simulated actual court notices and implied the customers had committed criminal offenses. Additionally, the complaint alleges that the entities filed criminal complaints against the customers containing misleading information, which resulted in actual summonses being issued. The complaint alleges violations of North Carolina’s Unfair and Deceptive Trade Practices Act, Business Corporation Act, Professional Corporation Act, Uniform Partnership Act, and North Carolina’s Prohibited Practices by Collection Agencies Engaged in Collection of Debts from Consumers, and seeks, among other things, civil penalties, restitution, and injunctive relief.
As a result of the complaint filing, the court approved a temporary restraining order prohibiting the entities from engaging in debt collection practices and scheduled a preliminary injunction hearing.
NY AG settlement resolves deceptive practices action with ticket resale companies
On July 10, the New York attorney general announced a settlement with two ticket resale companies that allegedly deceived thousands of consumers by selling event tickets that the companies did not actually own. According to the announcement, the defendants’ practice of selling “speculative tickets” to consumers involved listing and selling tickets the companies did not possess and attempting to purchase such tickets only after a consumer had already placed an order. The attorney general claimed the defendants often charged premiums or inflated prices for tickets and then “kept the difference between the price they actually paid and the price at which the speculative ticket was sold to a consumer.” Additionally, one of the defendants allegedly misled consumers in instances when tickets could not be provided by blaming technical errors or vague supplier issues. While the defendants have not admitted any liability, under the terms of the settlement, which is subject to court approval, they have agreed to pay $1.55 million and adopt reforms designed to protect ticket purchasers in the future, including, where appropriate, providing clear and conspicuous disclosures stipulating that the ticket seller does not possess the listed tickets and is merely offering to obtain such tickets on a consumer’s behalf.
FTC and NY AG settle with phantom debt operation
On July 1, the FTC announced, together with the New York attorney general, a settlement with two New York-based phantom debt operations and their principals (collectively, “defendants”) resolving allegations that the operations bought, placed for collection, sold lists of, and collected on fake debts that consumers did not owe. As previously covered by InfoBytes, the June 2018 complaint alleged that the defendants ran a deceptive and abusive debt collection scheme in violation of the FTC Act, the FDCPA, and New York state law. The settlement order against one company and its owners bans the defendants from debt collection activities, including buying, placing for collection, and selling debt. The order requires the defendants to pay a combined $676,575, suspending the total judgment of $6.75 million, due to inability to pay. The settlement order against the other company and its owner prohibits the defendants from engaging in unlawful collection practices and requires the payment of $118,000, suspending the total judgment of $4.94 million, due to inability to pay.
Federal and state enforcement agencies coordinate on robocall crackdown
On June 25, the FTC announced a major crackdown on illegal robocalls named “Operation Call it Quits,” which includes 94 enforcement actions from around the country brought by the FTC and 25 other federal, state, and local agencies. In addition to actions targeting the actors, the operation also includes a consumer education initiative and promotion of the development of technology-based solutions to block robocalls and fight caller ID spoofing. In addition to the 87 other enforcement actions brought under the initiatives, the FTC announced four new actions, some of which were filed by the DOJ on the FTC’s behalf, and three new settlements targeting robocallers for violations of the FTC Act and the Telemarketing Sales Rule (TSR), among other things. The FTC alleges many of the actors used illegal robocalls to contact financially distressed consumers regarding interest rate reductions, sell fraudulent money-making opportunities, pitch free medical alert systems, or develop leads for solar energy companies. The affected consumers in these actions were often listed on the Do Not Call Registry. The FTC provided a complete list of the 94 actions brought under Operation Call it Quits.
State Attorneys General participating in the initiative are: Alabama, Arizona, Colorado, Florida, Illinois, Indiana, Michigan, Missouri, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Texas, and Virginia. Additionally, local agencies include: the Consumer Protection Divisions of the District Attorneys for the Counties of Los Angeles, San Diego, Riverside, and Santa Clara, California; the Florida Department of Agriculture and Consumer Services; and the Los Angeles City Attorney.
Japanese bank pays $33 million to settle NYDFS claims of weak BSA/AML controls
On June 24, the New York Department of Financial Services (NYDFS), together with the New York Attorney General, announced a $33 million settlement with a Japanese bank resolving allegations that the bank’s internal controls at its New York Branch, specifically its anti-money laundering (AML), Bank Secrecy Act (BSA), and Office of Foreign Assets Control (OFAC) sanctions compliance programs, were “systematically deficient” between November 2014 and November 2018. This allegedly resulted in violations of state and federal laws and regulations, as well as of two previous NYDFS consent orders from 2013 and 2014. The settlement resolves an action that was commenced by the bank against NYDFS in connection with a 2017 application to the OCC to convert its state-licensed branches in New York, Illinois, and California and its state-licensed agency offices in Texas to federally licensed branches and agency offices. The action sought to block a NYDFS order that would keep the bank under its supervisory purview notwithstanding the OCC’s granting of the federal charter. The settlement indicates that neither NYDFS, the NYAG, nor the bank admits any wrongdoing, but all have agreed to dismiss all outstanding claims upon the bank’s monetary payment. The settlement states that NYDFS releases the bank from any further obligations related to the previous consent orders and notes that it “will not attempt to exercise any visitorial power or other supervisory, regulatory, or enforcement authority over [the bank] or its branches or agencies.”
New York settles with online retailer over data breach
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
California announces $1.5 million in judgments against investment recovery telemarketing scheme
On May 28, the California Attorney General announced approximately $1.5 million in judgments against a company and four individuals (defendants) charged with allegedly operating a telemarketing scheme that offered fake investment recovery services. According to the Attorney General’s office, the defendants allegedly made false and deceptive claims to investors, many of whom were elderly, that the company could recover money lost from previous investments for an up-front fee of several thousand dollars. The terms of the judgments include $930,800 in combined civil penalties and $567,774 in restitution, and permanently enjoin and restrain the defendants from, among other things, making false or misleading statements in connection with telemarketing transactions. The Attorney General’s announcement also disclosed the recovery of nearly $25,000 in victim restitution pursuant to a bond issued to the company under California’s Telephonic Sellers Law.