On July 21, Senators Blumenthal (D-CT) and Markey (D-MA) introduced legislation, the Security and Privacy in Your Car Act (“SPY Car”Act), that would protect drivers’ privacy while allowing them to remain connected to the growing technological advances in the automobile industry. In addition to directing the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop federal cybersecurity and privacy standards that would secure motor vehicles manufactured for sale in the United States and protect drivers, the SPY Car Act seeks to establish a rating system, or “cyber dashboard,” that “informs consumers about how well the vehicle protects drivers’ security and privacy” beyond the minimum standards potentially set by the NHTSA and the FTC. The requirements that motor vehicles: (i) be equipped with reasonable measures to protect against hacking attacks; (ii) maintain the ability to reasonably secure data collected within electronic systems; and (iii) be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle, are among the cybersecurity standards outlined in the SPY Car Act. In regards to privacy standards, the legislation proposes the following: (i) transparency, such that owners or lessees are explicitly aware of the collection, transmission, retention, and use of driving data; (ii) consumer choice, allowing owners or lessees to opt out of data collection and retention without losing access to other features, such as key navigation; and (iii) marketing prohibition, which would ban companies from using personal driving information for advertising purposes without obtaining the affirmative express consent of the owner or lessee. The introduction of the SPY Car Act follows Senator Markey’s 2015 Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report, which showed gaps in the auto industry’s ability to prevent hackers from accessing internet-connected features in vehicles.
On July 9, U.S. Senators Jack Reed (D-RI) and Chuck Grassley (R-IA) introduced Senate bill 1730, the Stronger Enforcement of Civil Penalties Act of 2015 (SECPA), aimed at increasing the SEC’s ability to combat securities’ laws violations to better protect investors and bolster oversight and accountability. Specifically, the SECPA “increase[es] the statutory limits on civil monetary penalties, directly linking the size of these penalties to the scope of harm and associated investor losses, and substantially raising the financial stakes for repeat securities law violators.” In addition, the legislation calls for expanded penalty authority for violations of previously imposed injunctions or bars, and would categorize individual injunction violations as separate charges.
On July 8, the DOJ’s Deputy Assistant AG, David Bitkower, delivered his testimony before the Senate Judiciary Subcommittee on Crime and Terrorism’s hearing entitled, “Cyber Crime: Modernizing Our Legal Framework for the Information Age.” Bitkower’s testimony focused on two of President Obama’s earlier 2015 legislative proposals regarding the security of online privacy for American citizens and businesses. The first proposal, with an emphasis on the “insider threat,” seeks to amend a provision of the Computer Fraud and Abuse Act (CFAA) – the primary statute the DOJ uses to charge computer crime cases – to ensure that corrupt employees using their authority to access sensitive data for personal gain are not immune from federal punishment. Bitkower noted that recent judicial decisions have impeded the government’s ability to prosecute cases where “serious violations and invasions of privacy” were prevalent. The second legislative proposal would enhance the DOJ’s ability to combat botnets, the networks of computers that are infected with malware and used by criminals to steal personal information, evade detection, and hold computers and computer systems for ransom. The proposed legislation would broaden the categories of crimes committed with botnets that can be enjoined by courts, which, under the current law, are mostly limited financial crimes.
NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority
On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to people affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”
On June 9, the FTC announced that it has provided to the CFPB its 2014 Annual Financial Acts Enforcement Report. The report highlights the FTC’s enforcement, research, rulemaking, and policy development activities with respect to the Truth in Lending Act (Regulation Z), the Consumer Leasing Act (Regulation M), and the Electronic Funds Transfer Act (Regulation E). Areas detailed within the report include enforcement actions related to non-mortgage credit, including auto finance and payday lending, mortgage loan advertising, and forensic audit scams; and consumer and business outreach related to truth in lending requirements. The report, submitted on May 29, will be used to prepare the CFPB’s Annual Report to Congress. The FTC also submitted a copy of the report to the Federal Reserve Board.
On April 23, the U.S. Senate confirmed Loretta Lynch to be the next U.S. Attorney General with a 56-43 majority vote, succeeding current Attorney General Eric Holder. With the confirmation, Lynch, who currently serves as the U.S. Attorney for the Eastern District of New York, becomes the first African-American woman to lead the DOJ.
DOJ Announces Indictment of U.S. Senator Menendez and Friend Salomon Melgen for Conspiracy, Bribery, and Honest Services Fraud
On April 1, the DOJ indicted Senator Robert Menendez and Florida ophthalmologist Salomon Melgen for an alleged bribery scheme in which Menendez accepted financial gifts from Melgen in exchange for using his position of power to assist Melgen in furthering financial and personal interests. According to the DOJ, from January 2006 and January 2013, Menendez accepted gifts including a vacation on the coast of the Dominican Republic, hundreds of thousands of dollars to his 2012 Senate campaign, and numerous trips on Melgen’s private jet. In return for these gifts, which were never reported on the appropriate financial disclosure forms, Menendez (i) pressured executive agencies regarding a dispute between Melgen and the Dominican Republic government concerning a contract relating to the “exclusive screening of containers coming through the Dominican ports;” (ii) advocated on Melgen’s behalf in regards to a Medicare billing dispute; and (iii) actively supported the visa applications of persons related to or in a relationship with Melgen.
On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.
On January 6, President Obama announced his intent to nominate Allan R. Landon to serve on the Board of Governors of the Federal Reserve System. If confirmed by the U.S. Senate, Landon would serve out the remaining term of former Fed Governor Sarah Bloom Raskin, who departed to become Deputy Secretary of Treasury. Previously, Landon was a partner at Ernst & Young LLP and served as Chairman and CEO of Bank of Hawaii Corporation.
On January 7, the Republican members of the U.S. Senate Committee on Banking, Housing, and Urban Affairs elected Sen. Richard Shelby (R-Ala) as its new chairman for the 114th Congress. Sen. Shelby previously served as Committee chairman from 2003 to 2006. Sen. Sherrod Brown (D-OH) will serve as the Committee’s ranking member.
On December 18, after passing unanimously in both houses of Congress, President Obama signed into law S.3008, the Foreclosure Relief and Extension for Servicemembers Act of 2014. Previously, the SCRA’s protection for servicemembers against foreclosure for one year after the end of active duty was set to expire at the end of 2014. The Act extends this protection until the end of 2015, at which point the foreclosure protection is scheduled to revert to the period of active duty plus 90 days that was in effect in 2008.
On December 18, President Obama signed into law H.R. 5859, the “Ukraine Freedom Support Act of 2014.” First introduced in the House on December 11, the bill gives the President the authority to impose sanctions against countries, entities, and individual persons that pose potential threats to financial stability through excessive risk-taking with the Russian market. The bill provides authority for sanctions against foreign persons, including executive officers of an entity, relating to (i) banking transactions; (ii) investing in or purchasing equity or debt instruments; (iii) U.S. property transactions; and (iv) Export-Import Bank of the United States assistance. Finally, the bill directs the President to “use U.S. influence to encourage the World Bank Group, the European Bank for Reconstruction and Development, and other international financial institutions to invest in and stimulate private investment in such projects.”
On December 2, the U.S. Senate confirmed Nani Coloretti to be appointed as the new Deputy Secretary of HUD. Nominated in March, Coloretti currently serves as the Assistant Secretary for Management at the Department of Treasury where she advises on the development and execution of Treasury’s budget, strategic plans, and the internal management of the Department and its bureaus. Following the passage of the Dodd-Frank Act, she also helped stand-up the CFPB by serving as its Acting COO.
Senator Warren And Congressman Cummings Urge GAO To Study Economic Vulnerability Of Non-Bank Mortgage Servicers, Risks To Consumers
On October 20, Senator Warren and Congressman Cummings co-authored a letter to the GAO requesting that the agency investigate possible effects on the non-bank servicing industry in the event of an economic downturn. In addition, the duo urged the GAO to study the potential risks to consumers should a major non-bank servicer fail. The letter stems from a report recently issued by the FHFA-OIG. The report cites that the rise in non-bank mortgage servicers “has been accompanied by consumer complaints, lawsuits, and other regulatory actions as the servicers’ workload outstrips their processing capacity.”