On December 15, Speaker Paul Ryan (R-WI) unveiled the omnibus spending bill, which includes the Cybersecurity Act of 2015 – legislation that would affect how businesses share information with each other and the government, and establish an information system for the government to share “cyber threat indicators and defensive measures in real time consistent with the protection of classified information” with federal and non-federal entities. The cybersecurity text included in the omnibus bill is a combination of three cybersecurity bills that were under legislative consideration this year, as follows: S. 754 – Cybersecurity Information Sharing Act of 2015; H.R. 1731 – National Cybersecurity Protection Advancement Act of 2015; and H.R. 1560 – Protecting Cyber Networks Act. Designating the Department of Homeland Security as the government’s proxy, the revised legislation provides entities with liability protections to voluntarily share with the government cybersecurity threat information. Specifically, regarding the sharing or receipt of cyber threat indicators, the legislation reads, “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c).” Read more…
On January 6, U.S. Senator Sherrod Brown, who serves on the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to President Obama requesting that the FY 2017 budget proposal prioritize funding for programs outlined in Title XII – Improving Access to Mainstream Financial Institutions of the Dodd-Frank Act, which has yet to be implemented. According to Senator Brown, resources are needed in order to implement Title XII, which would, among other things, (i) allow the Treasury to establish partnerships with certain eligible entities to help low and moderate income individuals access accounts at banks and credit unions; and (ii) foster partnerships with non-profits, federally insured depository institutions, community development financial institutions (CDFIs), or State, local, or tribal governments to provide low-cost, small dollar loans to traditionally unbanked or underbanked Americans as a more affordable option to the more costly alternative financial services (AFS), such as payday loans, money orders, cash checking, remittances, and auto title loans.
Legislation Seeking Better Transparency in Federal Agency Settlements Passes Unanimously in U.S. Senate
On September 21, Senate Bill 1109, the Truth in Settlements Act, passed in the U.S. Senate with amendments by unanimous consent and has now been referred to the U.S. House of Representative’s Committee on Oversight and Government Reform for consideration. Originally introduced in January 2014 and sponsored by Elizabeth Warren (D-MA), the Truth in Settlements Act would require federal agencies to post online, in a searchable format, a list of each covered settlement agreement, criminal or civil, with payments totaling $1 million or more. The list would entail, among other things, (i) the names of the settling parties and the amount each must pay; (ii) a description of the claims each party settled; (iii) whether a portion of the settlement amount is tax-deductible; and (iv) any actions the settling parties must take under the settlement agreement in lieu of payment. If enacted, the bill would require agencies to publicly explain via written statement why confidentiality is justified for certain instances. The bill, co-sponsored by Senators James Lankford (R-OK) and Tammy Baldwin (D-WI), aims to provide greater transparency and oversight regarding settlements reached by federal enforcement agencies.
Banking Trade Associations Urge Senate Leaders to Pass Regulatory Relief Legislation for Community Institutions
On September 8, four trade associations representing 14,000 financial institutions – the American Bankers Association, the Credit Union National Association, the Independent Community Bankers of America, and the National Association of Federal Credit Unions – submitted a letter to Senate Banking Committee Chairman Richard Shelby and Ranking Member Sherrod Brown urging them to enact bipartisan legislation that would provide “regulatory relief to community financial institutions.” The letter describes the measures that community banks have been forced to make to address the “growing volume and complexity of regulations,” including cutting back on their loan officers ranks in favor of additional compliance staff and adjusting or eliminating financial products and services offered to consumers. The letter urges the Senate to pass the Financial Regulatory Improvement Act of 2015, S. 1484, which was approved by the Senate Banking Committee in May. This legislation, the letter claims, will “addresses statutory and regulatory obstacles that thwart the ability of community banks and credit unions to fully serve the diverse financial services needs of consumers.”
On July 21, Senators Blumenthal (D-CT) and Markey (D-MA) introduced legislation, the Security and Privacy in Your Car Act (“SPY Car” Act), that would protect drivers’ privacy while allowing them to remain connected to the growing technological advances in the automobile industry. In addition to directing the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop federal cybersecurity and privacy standards that would secure motor vehicles manufactured for sale in the United States and protect drivers, the SPY Car Act seeks to establish a rating system, or “cyber dashboard,” that “informs consumers about how well the vehicle protects drivers’ security and privacy” beyond the minimum standards potentially set by the NHTSA and the FTC. The requirements that motor vehicles: (i) be equipped with reasonable measures to protect against hacking attacks; (ii) maintain the ability to reasonably secure data collected within electronic systems; and (iii) be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle, are among the cybersecurity standards outlined in the SPY Car Act. In regards to privacy standards, the legislation proposes the following: (i) transparency, such that owners or lessees are explicitly aware of the collection, transmission, retention, and use of driving data; (ii) consumer choice, allowing owners or lessees to opt out of data collection and retention without losing access to other features, such as key navigation; and (iii) marketing prohibition, which would ban companies from using personal driving information for advertising purposes without obtaining the affirmative express consent of the owner or lessee. The introduction of the SPY Car Act follows Senator Markey’s 2015 Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report, which showed gaps in the auto industry’s ability to prevent hackers from accessing internet-connected features in vehicles.
On July 9, U.S. Senators Jack Reed (D-RI) and Chuck Grassley (R-IA) introduced Senate bill 1730, the Stronger Enforcement of Civil Penalties Act of 2015 (SECPA), aimed at increasing the SEC’s ability to combat securities’ laws violations to better protect investors and bolster oversight and accountability. Specifically, the SECPA “increase[es] the statutory limits on civil monetary penalties, directly linking the size of these penalties to the scope of harm and associated investor losses, and substantially raising the financial stakes for repeat securities law violators.” In addition, the legislation calls for expanded penalty authority for violations of previously imposed injunctions or bars, and would categorize individual injunction violations as separate charges.
On July 8, the DOJ’s Deputy Assistant AG, David Bitkower, delivered his testimony before the Senate Judiciary Subcommittee on Crime and Terrorism’s hearing entitled, “Cyber Crime: Modernizing Our Legal Framework for the Information Age.” Bitkower’s testimony focused on two of President Obama’s earlier 2015 legislative proposals regarding the security of online privacy for American citizens and businesses. The first proposal, with an emphasis on the “insider threat,” seeks to amend a provision of the Computer Fraud and Abuse Act (CFAA) – the primary statute the DOJ uses to charge computer crime cases – to ensure that corrupt employees using their authority to access sensitive data for personal gain are not immune from federal punishment. Bitkower noted that recent judicial decisions have impeded the government’s ability to prosecute cases where “serious violations and invasions of privacy” were prevalent. The second legislative proposal would enhance the DOJ’s ability to combat botnets, the networks of computers that are infected with malware and used by criminals to steal personal information, evade detection, and hold computers and computer systems for ransom. The proposed legislation would broaden the categories of crimes committed with botnets that can be enjoined by courts, which, under the current law, are mostly limited financial crimes.
NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority
On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to people affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”
On June 9, the FTC announced that it has provided to the CFPB its 2014 Annual Financial Acts Enforcement Report. The report highlights the FTC’s enforcement, research, rulemaking, and policy development activities with respect to the Truth in Lending Act (Regulation Z), the Consumer Leasing Act (Regulation M), and the Electronic Funds Transfer Act (Regulation E). Areas detailed within the report include enforcement actions related to non-mortgage credit, including auto finance and payday lending, mortgage loan advertising, and forensic audit scams; and consumer and business outreach related to truth in lending requirements. The report, submitted on May 29, will be used to prepare the CFPB’s Annual Report to Congress. The FTC also submitted a copy of the report to the Federal Reserve Board.
On April 23, the U.S. Senate confirmed Loretta Lynch to be the next U.S. Attorney General with a 56-43 majority vote, succeeding current Attorney General Eric Holder. With the confirmation, Lynch, who currently serves as the U.S. Attorney for the Eastern District of New York, becomes the first African-American woman to lead the DOJ.
DOJ Announces Indictment of U.S. Senator Menendez and Friend Salomon Melgen for Conspiracy, Bribery, and Honest Services Fraud
On April 1, the DOJ indicted Senator Robert Menendez and Florida ophthalmologist Salomon Melgen for an alleged bribery scheme in which Menendez accepted financial gifts from Melgen in exchange for using his position of power to assist Melgen in furthering financial and personal interests. According to the DOJ, from January 2006 and January 2013, Menendez accepted gifts including a vacation on the coast of the Dominican Republic, hundreds of thousands of dollars to his 2012 Senate campaign, and numerous trips on Melgen’s private jet. In return for these gifts, which were never reported on the appropriate financial disclosure forms, Menendez (i) pressured executive agencies regarding a dispute between Melgen and the Dominican Republic government concerning a contract relating to the “exclusive screening of containers coming through the Dominican ports;” (ii) advocated on Melgen’s behalf in regards to a Medicare billing dispute; and (iii) actively supported the visa applications of persons related to or in a relationship with Melgen.
On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.
On January 6, President Obama announced his intent to nominate Allan R. Landon to serve on the Board of Governors of the Federal Reserve System. If confirmed by the U.S. Senate, Landon would serve out the remaining term of former Fed Governor Sarah Bloom Raskin, who departed to become Deputy Secretary of Treasury. Previously, Landon was a partner at Ernst & Young LLP and served as Chairman and CEO of Bank of Hawaii Corporation.
On January 7, the Republican members of the U.S. Senate Committee on Banking, Housing, and Urban Affairs elected Sen. Richard Shelby (R-Ala) as its new chairman for the 114th Congress. Sen. Shelby previously served as Committee chairman from 2003 to 2006. Sen. Sherrod Brown (D-OH) will serve as the Committee’s ranking member.