InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
AG Schneiderman Reports Increase in Data Breach Notifications; Unveils Electronic Submission Form
On May 4, New York AG Schneiderman announced that, from January 1, 2016 through May 2, 2016, his office received 459 data breach notices – more than a 40% increase compared to the 327 notices received during the same time last year. Due to the increased volume of data breach notices and in an effort to provide greater efficiency in the reporting process, AG Schneiderman announced an electronic breach reporting form. The new form allows companies to submit data breach notices via web submission: “[c]ompanies may now notify the Attorney General’s Office of a data breach via a web submission form in order to expedite and streamline the process. Previously, and consistent with most other state attorneys general offices, companies were required to mail, fax, or email a separate data breach form.” AG Schneiderman’s office expects to receive “well over” 1,000 data breach notices in 2016.
New York AG Schneiderman Opines on Legality of Electronic Signatures for the Purposes of Online Voter Registration
This week, New York AG Schneiderman issued an opinion regarding the legality of online voter registration, including the use of electronically affixed handwritten signatures. The opinion is in response to a February 8 letter from Suffolk County seeking the AGs opinion as to whether State law permits Suffolk County to implement online voter registration through the use of an electronic signature or whether the signature requirements of N.Y. Election Law § 5-210(5)(d)(xi) require signatures to be handwritten or affixed by hand. AG Schneiderman opined that because Election Law § 5-210(5)(d)(xi) does not specifically require a signature written with ink on a voter registration application, the law does not preclude an electronically affixed signature. In accordance with the Election Law, AG Schneiderman commented that the electronic signature must be of a quality and likeness to a signature written with ink, and that an applicant completing an online registration application must either (i) print and mail the application to the local board of elections, or have a third party print and mail the application; or (ii) personally appear at the local board of elections.
New York AG Takes Action Against Credit Card Processing Company for Alleged Deceptive Practices
Recently, New York AG Schneiderman filed a lawsuit against a New York-based credit card processing company, several affiliated companies, and select owners and officers of the companies over alleged fraudulent and deceptive practices. According to the AG’s office, the companies “trapped small businesses into never-ending lease agreements for over-priced credit card processing equipment and abused the judicial process by suing to collect on [those] leases in the Civil Court of the City of New York, regardless of whether the debt is fraudulent, the claim is timely or legitimate efforts to terminate the lease were ignored.” The AG investigation found that the companies targeted small business owners through its deceptive practices, which included (i) inducing individuals to sign lease agreements without realizing they were doing so; (ii) falsely representing the lease as “free” or a way to save money; and (iii) falsely informing consumers that he or she could cancel the lease at any time. In addition, the AG investigation also revealed that in many instances consumers alleged that the signatures on the leases were not theirs or that material terms were added to the lease without their knowledge. AG Schneiderman also alleges that the companies harassed consumers with threatening phone calls and letters, asserting that consumers would be sued if they did not make the payments on their leases. According to AG Schneiderman, between 2010 and 2015, the companies filed over 30,000 collection actions in the New York City Civil Court (NYC Civil Court), and obtained more than 19,000 default judgments against individual consumers in NYC Civil Court since 2010. The AG’s lawsuit against the companies seeks to, among other things, (i) vacate default judgments against consumers; (ii) permanently prohibit the companies and its owners and officers “from continuing their deceptive business practices”; and (iii) pay restitution to consumers.
Illinois AG Settles with New York Investment Bank Over RMBS Practices
Last week, Illinois AG Madigan announced a $41 million settlement with a New York-based investment bank for its alleged misconduct in connection with the marketing and selling of at risk residential mortgage-backed securities (RMBS) prior to the economic collapse in 2008. Specifically, according to an investigation led by AG Madigan’s office, the investment bank allegedly failed to disclose the actual risk of RMBS investments. Under the terms of the settlement, $16 million of the settlement funds will go toward consumer relief, with the remainder being distributed to the Teachers Retirement System of the State of Illinois, the State Universities Retirement System of Illinois, and to the Illinois State Board of Investment. Finally, the investment bank’s settlement with Illinois is part of a $5 billion national settlement led by the DOJ – as well as additional federal entities – and the state AGs of New York and California.
California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations
On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, AG Harris’s and five district attorneys’ investigation into the bank found that its employees failed to “timely and adequately disclose the recording of communications they had with members of the public” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organization dedicated to advancing consumer protection and privacy rights.
Massachusetts AG Healey Continues Subprime Auto Loan Review; Lenders to Pay $7.4 Million in Consumer Relief
On March 16, Massachusetts AG Maura Healey announced that two national auto lenders, based in South Carolina and California respectively, agreed to collectively pay $7.4 million in relief to more than two thousand Massachusetts consumers to resolve allegations that they charged excessive interest rates on subprime auto loans. Under the terms of the assurance of discontinuance, the companies will eliminate the alleged excessive interest on certain loans resulting from add-on GAP insurance coverage, forgive outstanding interest on the loans, and reimburse consumers that already paid interest. The South Carolina-based lender will pay approximately $1.7 million in relief to consumers, while the California-based lender will pay the remaining $5.7 million. The settlement agreements further require the lenders to pay $225,000 for implementation of the agreements and to undergo additional auditing to determine if other loans are subject to refunds.
These settlements are part of AG Healey’s subprime loan review initiative. In November 2015, as part of this initiative, AG Healey announced a $5.4 million settlement with a national auto lender to resolve allegations similarly related to the practice of charging inflated interest rates because of add-on GAP insurance coverage.
California AG Harris: Department of Education Should Revise Regulations to Protect Students Defrauded by For-Profit Colleges
Last week, California AG Kamala Harris requested that the Department of Education revise its proposed regulations regarding debt relief for students allegedly misled by “predatory” and for-profit colleges that advertise inflated job placement rates and asked that the Department “do more” to protect the students affected. Defrauded students have a right under Federal law to have loans discharged when their schools engage in misrepresentations and other unlawful conduct. According to AG Harris, the process for asserting this right is unclear. While the Department has emphasized that it intends to enforce an effective and streamlined loan discharge process to provide students’ relief, in the second of three negotiated rulemaking sessions, the Department “unveiled proposed language that contradicts the intent of previous discussions by narrowing, limiting, and delaying student relief.” In response to the Department’s proposal, Harris called on the Department to revise its regulations in a manner that ensures “fair and effective defense-to-repayment procedures.” Specifically, AG Harris commented that the procedures must (i) refer to state law for a basis to assert a defense; (ii) not include a statute of limitations for borrowers to assert a defense to repayment; (iii) provide procedures for broad and instantaneous relief to student borrowers affected by schools’ deceptive practices; and (iv) ban schools from making the discharge process burdensome and expensive.
Massachusetts AG Announces New Consumer Advocacy and Response Division
On March 3, Massachusetts AG Healey announced a new Consumer Advocacy and Response Division (CARD) intended to protect Massachusetts consumers from alleged fraud, unfair business practices, and consumer abuse. The CARD staff will assist consumers with issues such as (i) auto purchasing and financing; (ii) data security and identity theft; (iii) debt collection; and (iv) foreclosure prevention. In 2015, AG Healey’s office handled more than 2,600 consumer complaint cases, resolving issues related to debt collection, auto lending, and securing refunds for disputed charges with cellular phone carriers.
Massachusetts AG Settles with Mortgage Lender and Servicer Over Force-Placed Insurance Policies
On February 18, Massachusetts AG Maura Healey announced that a New York-based mortgage lender and servicer agreed to pay a total of $4 million “to resolve allegations that it received commissions and other kickbacks relating to force-placed insurance policies that it procured for struggling Massachusetts homeowners.” According to AG Healey, until June 1, 2012, the mortgage servicer received payments that were linked to force-placed insurance premiums charged to borrowers, which “created an improper conflict of interest and violated state consumer protection laws.” Under the assurance of discontinuance, which was filed in Suffolk Superior Court, the mortgage servicer will pay affected Massachusetts homeowners $2.675 million in restitution, as well as $1.4 million to the Commonwealth.
California AG Harris Issues Data Breach Report
On February 16, California AG Kamala Harris released a report analyzing data breaches reported to her office from 2012 through 2015. During that time period, the report identifies 657 data breaches that compromised more than 49 million Californians’ personal information. The report summarizes the scope of California’s existing breach notice law and notes that notification laws in 46 other states were modeled after California’s original law. According to the report, federal data breach proposals currently under consideration in Congress would, among other things, (i) set the consumer protection bar very low; (ii) infringe on state-based innovation; (iii) encroach on enforcement by state attorneys general; (iv) narrowly define harm and personal information; and (v) set “overly rigid timelines for notification.” The report provides recommendations for organizations and state policymakers on how to improve data security. Specifically, the report recommends that organizations: (i) adopt the Center for Internet Security’s Critical Security Controls relevant to the organization’s specific environment; (ii) use multi-factor authentication to protect critical systems and data, and make the multi-factor authentication available on consumer-facing online accounts containing sensitive personal information; (iii) consistently use strong encryption to protect personal information on laptops and other portable devices; and (iv) encourage persons affected by a breach of Social Security or driver’s license numbers to place a fraud alert on their credit files. Finally, the report recommends that state policymakers “collaborate in seeking to harmonize state breach laws on some key dimensions.”