On January 15, New York AG Eric Schneiderman announced that he intends to propose legislation that would “overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers.” Specifically, the bill would (i) make companies responsible for protecting a broader range of information by expanding the definition of “private information;” (ii) require better data security measures for entities that collect and/or store private information; and (iii) create a safe harbor for companies that would shield them from liability if they adopt heightened security practices. In addition, the proposal would incentivize companies to share forensic data with authorities in the event of a data breach by ensuring that disclosure does not affect the company’s privileges. The proposed legislation follows the New York AG’s release of a July 2014 report, which examined the growing number of data breaches occurring within the state. Schneiderman expects the new law to be “the strongest, most comprehensive in the nation… [making] [New York] a national model for data privacy and security.”
On January 19, the New York Attorney General (AG) announced an agreement with a New York-based community bank that the AG alleged had excluded predominantly minority neighborhoods from its mortgage lending business. As part of the agreement, the bank will (i) open two branches in neighborhoods with a minority population of at least 30 percent, with the first located within two miles of a majority-minority neighborhood and the second located within one mile of a majority-minority neighborhood; (ii) create a special financing program to provide $500,000 in discounts or subsidies on loans to residents of majority-minority neighborhoods; and (iii) create a marketing program directed at minority communities. Additionally, the bank agreed to submit to reporting and monitoring by the AG for a three-year period and pay $150,000 in costs to the State of New York.
CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency
As previously reported in our January 8 Digital Commerce & Payments alert and in InfoBytes, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency on December 16, 2014. The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.
On January 6, the Connecticut Department of Banking issued a cease and desist order against the head of an American Indian tribe and two payday loan companies owned by the tribe for allegedly violating a state cap on interest rates. The order requires that (i) the two companies pay a combined civil penalty of $800,000 and (ii) the head of the tribe pay a civil penalty in the amount of $700,000. This action is considered to be the first enforcement action ever against the leader of a Native American tribe.
On December 19, the New York Department of Financial Services announced a recent settlement with a Long Island-based auto lender to resolve allegations of violations of several consumer protection laws, including the DFA, TILA, NY Banking Law, and NY Financial Services Law. According to the consent judgment, the Defendants allegedly (i) failed to notify consumers who made overpayments on their accounts; (ii) miscalculated the interest charged to customers; and (iii) endangered the security of customer information by leaving loan files out in the open in common areas. As part of the settlement, the auto dealer must (i) pay $3 million in penalties; (ii) pay full restitution plus nine percent interest to all affected customers; (iii) liquidate all remaining loans; and (iv) surrender its licenses in all states.
On December 16, the Conference of State Bank Supervisors (CSBS) announced its draft regulatory framework and requested public comment on specific questions intended to aid state regulators on the regulation of virtual currencies. The regulation of virtual currency activities currently varies from state to state. The draft framework is intended to create uniform state regulation. Comments are due by February 16, 2015.
On December 18, Superintendent Lawsky delivered remarks regarding New York’s revised proposal for regulating virtual currency companies. The new proposal stems from the original July 17 proposal and includes certain revisions previously alluded to on October 17. Lawsky noted that the revisions will provide flexibility to virtual currency startups, while simultaneously allowing the New York Department of Financial Services to remain committed to protecting consumers. Most notably, the revised regulation “will offer a two-year transitional BitLicense, which may be issued to those firms who are unable to satisfy all of the requirements of a full license, and will be tailored to startups and small businesses.” According to Lawsky, while the companies will still have to abide by anti-money laundering and consumer protection requirements, the revisions are intended to “strike an appropriate balance between permitting innovation to proceed, while at the same time strongly protecting consumers and helping root out illicit activity.”
On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.
On December 8, a large bank settled with the state of Massachusetts for $825,000 over a data breach that exposed the personal information of at least 260,000 customers. In March 2012, the bank allegedly lost unencrypted backup tapes with customer information and failed to report the missing tapes until October 2012. According to the Massachusetts AG, the bank violated state law by failing to (i) sufficiently protect information; and (ii) provide timely notification of the data breach. In the settlement agreement, Massachusetts credited the bank with $200,000 to upgrade its security procedures, while $325,000 will be paid in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a consumer aid education fund.
On December 3, New York Governor Cuomo announced that the DFS finalized regulations to help end abusive debt collection practices. The new regulations will (i) require debt collectors and debt buyers to provide enhanced disclosures regarding the debt; (ii) protect consumers who may have debts where the statute of limitations has expired; (iii) require that the debt collector substantiate that the debt is actually owed; (iv) ensure that consumers receive written confirmation of settlement agreements; and (v) allow consumers to communicate with debt collectors via personal email. The new regulations will take effect on March 3, 2015, with the exception of Sections 1.2(b) and 1.4, which will take effect August 30, 2015. Section 1.2(b) refers to disclosure requirements and 1.4 refers to substantiation of debts.
On November 18, the New York DFS announced a consent order with a foreign bank for allegedly misleading regulators regarding its transactions with sanctioned countries, most notably Iran, Sudan, and Myanmar. According to the press release and consent order, from approximately 2007 through 2008, the bank convinced a consulting firm to “water down” reports submitted to regulators on its transactions. Specifically, the bank pressured the consulting firm to alter an historic transaction review (HTR) report to exclude key information, such as: (i) the English translation of the bank’s wire transfer instructions, which included a statement that the bank conducted business with “‘enemy countries’ of the U.S.;” (ii) a majority of the consultant’s description of the bank’s wire transfer activities; and (iii) information “concerning [the bank’s] potential misuse of OFAC screening software” in connection with its wire transfer activities. The DFS ordered the bank to pay $315 million in penalties, in addition to the $250 million the DFS ordered the bank to pay in June 2013 in connection with its sanctioned transactions.
On November 13, Governor Cuomo announced that four additional financial institutions have agreed to use a database created by the State’s Department of Financial Services to “help identify and stop illegal, online payday lending in New York.” The database includes a list of companies that the DFS has identified and taken action against for making illegal internet payday loans to people in New York. The total number of institutions using the database now stands at five.
On November 2, New York Superintendent Lawsky delivered remarks at the Money 20/20 Conference on the state’s virtual currency and Bitcoin regulation. In October, Lawsky publicly stated that, as a result of the comments received on New York’s proposed BitLicense framework, there would be important changes made to the July 17 proposal. This week, on behalf of the NYDFS, Lawsky announced that additional changes are being considered to address “concern about the compliance costs of regulation on new or fledgling virtual currency enterprises.” Specifically, Lawsky introduced the concept of a Transitional BitLicense, which would allow certain small, money transmitting startups to begin operating without huge compliance costs. Lawsky noted four main factors the NYDFS would consider when deciding whether or not to grant a Transitional BitLicense: (i) the nature and scope of the business and the associated risks for consumers; (ii) projected transactional and business volume; (iii) registration status as a Money Services Business with FinCEN; and (iv) previously established mitigating risk controls.
On October 22, the Ninth District Court of Appeals reversed a summary judgment decision allowing a trust unit of a bank to foreclose on a home. In this case, the loan servicers were unable to prove who held the promissory note when the trust unit requested a foreclosure order from the trial court. Employees at both servicers failed to attach the records relied upon in their respective affidavits, and instead provided copies of the promissory note, mortgage, and the assignment of the mortgage. The Court held that the copies “do not establish when or if the Bank came into possession of the Note or that the Bank was in possession of the Note at the time of the filing of the complaint.” Deutsche Bank Natl. Trust Co. v. Dvorak, 2014-Ohio-4652 29, Ohio. Ct. App., 27120 (Oct. 22, 2014)
On October 16, a California district court issued a declaratory judgment ordering a company to comply with Rule 34 of the Federal Rules of Civil Procedure. Rule 34 has two specific and separate requirements: (i) “[a] party must produce documents as they are kept in the ordinary course of business or must organize and label them to correspond to the categories in the request;” and (ii) “[if] a request does not specify a form for producing electronically stored information (ESI), a party must produce it in a form in which it is ordinarily maintained or in a reasonably usable form.” In this case, the defendant served initial document requests on the company. The parties agreed to meet and discussed how the company would produce the requested documents. Thereafter, the company produced 41,000 pages of ESI consisting of a flash drive and email. The drive and email contained no custodial index, table, or categories – just folders of files. The Court ruled that, although the company satisfied the first requirement of Rule 34, it failed to adhere to the second requirement. The company must (i) either organize and label each document it has produced or provide custodial and other organizational information along the lines outlined above and (ii) produce load files for its production containing searchable text and metadata. Venture Corp. v. Barrett, 5:13-cv-03384-PSG, WL 5305575 (N.D. Cal. Oct. 16, 2014)