New Mexico recently became the 48th state to enact a data breach notification law.  This continues the accelerated pace of state data breach legislative activity in the last two years.  Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.

Among the most significant aspects of New Mexico’s brand new “Data Breach Notification Act” is its definition of “Personal Identifying Information.”  The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information.  In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired.  The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.

For more information on the new law, see our legal alert.

 

 

Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.”  Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”

Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”

Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories.  Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement.  Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.

Furthermore, companies should expect further guidance from the FTC relating to privacy and data security expectations to help reduce unnecessary regulatory burdens and provide additional transparency to businesses on how they can remain compliant and avoid engaging in unfair or deceptive acts of practices.  Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.

On April 20, the CFPB finalized a proposed rule to delay the effective date of the final rule governing Prepaid Accounts (Prepaid Account Final Rule) by six months, from October 1, 2017 to April 1, 2018 (Effective Date Final Rule).  According to the CFPB, the delay was adopted “to facilitate compliance with the Prepaid Account Final Rule, and to allow an opportunity for the Bureau to assess whether any additional adjustments to the Rule are appropriate.”

The preamble to the Effective Date Final Rule previews that the CFPB will propose rules for “at least two issues that have been identified as areas where the Prepaid Accounts Final Rule may be posing particular complexities for implementation,” and at that time, a further delay may be proposed as well.  The two issues relate to: (1) the linking of credit cards to digital wallets that are capable of storing funds; and (2) error resolution and limitations on liability for unregistered prepaid accounts.

Over the past few months, the Prepaid Account Final Rule has faced attacks from industry representatives, such as the American Bankers Association, and from Congress under the Congressional Review Act – Representatives Tom Graves (R-Ga) and Roger Williams (R-Tx) introduced House Joint Resolution 62 and House Joint Resolution 73, respectively, and Senator David Perdue (R-Ga) introduced Senate Joint Resolution 19.  The Senate Joint Resolution was recently brought out of Committee and to the floor for consideration by way of a discharge petition filed by Senate Banking Chairman Mike Crapo.  The Prepaid Account Final Rule has also been defended by attorney generals from 17 states and the District of Columbia.

We will continue to monitor the status of the Prepaid Account Final Rule in relation to the substantive changes previewed by the CFPB and the progress of the congressional joint resolutions.

On April 20, the United States Court of Appeals for the Ninth Circuit declined to hear an interlocutory appeal  by CashCall of the district court’s order granting the CFPB’s partial summary judgment motion and denying CashCall’s summary judgment motion in the CFPB’s lawsuit against CashCall.  The district court previously had certified its decision for interlocutory appeal.

We previously reported that the Connecticut Attorney General, on behalf of the Attorneys General of Indiana, Kansas and Vermont, (the “state AGs”) had filed a joint motion to intervene in a CFPB enforcement action to request a Consent Order modification permitting unused settlement funds to be paid to the National Association of Attorneys General (“NAAG”).  Under the proposed modification, the undistributed settlement funds would be used by NAAG for the purpose of developing the National Attorneys General Training and Research Institute Center for Consumer Protection (“NAGTRI”).

The state AGs’ motion and supporting memorandum was filed in CFPB v. Sprint Corporation, a litigation in which the Bureau alleged that Sprint had violated the Consumer Financial Protection Act by allowing unauthorized third-party charges on its customers’ telephone bills.  The associated Stipulated Final Judgment and Order (“Consent Order”) authorized the implementation of a consumer redress plan pursuant to which Sprint would pay up to $50 million in refunds.  The redress plan provided for the payment of refund claims on a “claims made” basis subject to a filing deadline.  Any balance remaining nine months after the claim filing deadline was to be paid to the CFPB.

The Bureau, in consultation with the AGs of all fifty states and the District of Columbia, which were parties to concurrent settlement agreements with Sprint relating to similar billing practice claims, and the FCC, was then to determine whether additional consumer redress was “wholly or partially impracticable or otherwise inappropriate.”  If so, the Bureau, again in consultation with the states and the FCC, was authorized to apply the remaining funds “for such other equitable relief, including consumer information remedies, as determined to be reasonably related to the allegations set forth in the Complaint.”  Any funds not used for such equitable relief were to be deposited in the U.S. Treasury as disgorgement.

In a recent Memorandum and Order recounting the history of the litigation, the district court stated that “the siren song of $15.14 million in unexpended funds [had] lured some new sailors into the shoals of this litigation” because “[d]espite full restitution to Sprint customers and subsequent consultations with the Attorneys General and the FCC, the CFPB could not identify any equitable relief to which $15.14 million in unexpended settlement funds could be applied.”  The court observed that, “[a]pparently, the prospect of simply complying with the Consent Order by paying the funds into the U.S. Treasury lacked sufficient imagination.”

Although the defendant initially filed a memorandum in opposition to the intervention motion, it subsequently filed a joint submission with the state AGs that adopted their proposal to redirect $14 million of the unused settlement funds from the U.S. Treasury to NAGTRI and proposed redirecting the remaining $1.14 million to a community organization that provides internet access to underprivileged high school students.  (The court acknowledged that these were perhaps noble causes worthy of consideration.)  The joint submission stated that the CFPB had been consulted about the proposed modification but “[took] no position” on it.  The court characterized its failure to do so as remarkable, given that the Bureau was “the plaintiff in this lawsuit responsible for securing the $50 million settlement.”

The district court thus observed that it had been left “in a quandary” because:

  • The proposal would “alter the Consent Order in a fundamental way by redirecting elsewhere $15.14 million earmarked for the U.S. Treasury”;
  • The proposal may raise an issue under the Miscellaneous Receipts Act, which requires that government officials receiving money for the government “from any source” must deposit such money with the Treasury;
  • The proposed modification “does not appear, at least at first blush, to be ‘reasonably related to the allegations set forth in the Complaint’”; and
  • The defendant had concurrently entered into settlements with the Attorneys General of all 50 states and the District of Columbia and already paid them $12 million to resolve a multi-state consumer protection investigation.

The court characterized as “particularly galling” the argument that Fed. R. Civ. P. 60(a) permits the proposed modification to correct a clerical mistake.  It noted that the parties had “unmistakably understood that the Consent Order related to federal claims and that any undistributed settlement funds would be paid to the U.S. Treasury.”

In view of the foregoing, the court concluded that it needed “to hear from the Government” because of “the peculiar posture of the intervention application.”  Specifically, the court noted that the CFPB, as the plaintiff in the action, needed to take a position on the proposed intervenors’ motion and application to modify the Consent Order.  And because the proposed modification would redirect funds earmarked for the U.S. Treasury, the court noted that the United States has a direct interest that should be considered.

Accordingly, the court directed the CFPB and the Department of Justice to respond separately to the proposed intervenors’ motion and application to modify the Consent Order.  Their separate memoranda must be filed by May 10, 2017; the state AGs and the defendant may file responsive memoranda by May 24, 2017.  The court stated that the responsive submission of the Bureau “should advise this Court where the unexpended funds have been deposited during the pendency of the intervenors’ application.”   We will continue to monitor developments in this case.

 

The Conference of State Bank Supervisors issued a press release this week in which it announced the April 1 release of a new tool within the Nationwide Multistate Licensing System (NMLS) to streamline reporting by money services businesses.  The new tool is called the “Money Services Businesses (MSB) Call Report.”

The press release quotes a Vermont regulator who stated that the call report information “will provide complete and meaningful information on MSBs, including fintech companies licensed to do business as money transmitters, and assist state regulators to better analyze risk, monitor compliance, and make more informed and timely decisions when it comes to MSB supervision.”  The press release also indicated that the new reports “will also provide a unique, detailed snapshot of fintech companies as they mature and evolve.”

Licensees are required to file the new report within 45 days of the end of the first quarter (May 15).   According to the press release, 18 states (covering 25 money transmitter, money service, check casher/seller and currency exchange licenses) have adopted the report for the first quarter of 2017 and seven more states are expected to adopt it in the near future.

The reports include national and state specific MSB activity that is submitted on a quarterly and annual basis.  The MSB Call Report is the first comprehensive report to consolidate state MSB reporting requirements and provide a database of nationwide MSB transaction activity.  More detailed information regarding the MSB Call Report is available on the MSBCR webpage.

On April 13, 2017, the CFPB proposed substantive changes and technical corrections to the 2015 Home Mortgage Disclosure Act (HMDA) Final Rule (Final Rule) amending Regulation C.  The proposal, which is discussed in more detail here, would clarify certain key terms under the Final Rule, including temporary financing, automated underwriting system, multifamily dwelling, extension of credit, income, and mixed-use property.

The proposal also (1) describes the CFPB’s plans to create an online geocoding tool to avoid errors in the reporting of census tracts and provide protection from HMDA or Regulation C liability if the tool is used as intended, (2) provides clarification regarding the selection and reporting of ethnicity and race information; (3) clarifies reporting issues with respect to Regulation Z disclosures, (4) provides guidance on reporting multiple credit scores, (5)  clarifies how the reporting thresholds apply and expressly permits voluntary reporting by financial institutions that do not meet the reporting thresholds, and (6) establishes transition rules for the loan purpose and loan originator identifier data points.

Most of the proposed amendments would take effect on January 1, 2018.  Interested parties should assess if programming and operational changes that would be necessary based on the proposals can be appropriately completed by January 1, 2018.

The House Financial Services Committee announced that it will hold a hearing on April 26, 2017 to discuss the Financial CHOICE Act.  It also released a discussion draft of a revised version of the bill.

In February, Rep. Hensarling, who chairs the Committee, circulated a memorandum to the Committee’s Leadership Team describing key revisions to the bill introduced last year.  Last week, he issued an outline of changes to the bill in which he identified more revisions, including revisions that would further reduce the CFPB’s powers.  Presumably, these revisions are reflected in the discussion draft.

 

The FTC issued a press release earlier this week in which it stated that it is “moving aggressively to implement Presidential directives aimed at eliminating wasteful, unnecessary regulations and processes.”  The press release does not identify the directives but presumably they are contained in President Trump’s executive orders entitled “Core Principles for Regulating the United States Financial System” and “Presidential Executive Order on a Comprehensive Plan for Reorganizing the Executive Branch.”

The press release listed a series of initiatives that are already underway to implement the directives that include the following:

  • New groups within the FTC’s Bureau of Competition and Bureau of Consumer Protection are working to streamline demands for information in investigations to eliminate unnecessary costs to recipients of such demands.
  • Both Bureaus are reviewing their dockets and closing older investigations, where appropriate.
  • The entire FTC is working to identify unnecessary regulations that are no longer in the public interest.
  • The Bureaus of Consumer Protection and Economics are working together to integrate economic expertise earlier in FTC investigations to better inform agency decisions about the consumer welfare effects of enforcement actions

The CFPB has adopted changes to its “Policy on Ex Parte Presentations in Rulemaking Proceedings,” which generally requires anyone who communicates with the CFPB about a pending rulemaking to submit a written copy of the presentation (or a summary of an oral presentation) to the CFPB and public rulemaking docket within a specified period after the communication to the CFPB.

In addition to various non-substantive changes, the updated policy makes the following substantive changes:

  • As originally adopted, the policy required copies or summaries of presentations to be submitted to the CFPB within three business days of the presentation.  The CFPB has changed the policy to extend that period to ten business days.  In addition, the policy had directed persons submitting ex parte presentation materials to also file them directly with the public rulemaking docket at www.regulations.gov.  The updated policy only requires the materials to be submitted electronically to the CFPB, which will post them on the public rulemaking docket.
  • The updated policy creates an exemption from its requirements for ex parte presentations “by State attorneys general or their equivalents, State bank regulatory authorities, or State agencies that license, supervise, or examine the offering of consumer financial products or services, including their offices or staff, when acting in their official capacities.”  For purposes of the policy, “State” means “any State, the District of Columbia, the Commonwealth of Puerto Rico, or any territory or possession of the United States or any federally recognized Indian tribe.”  According to the CFPB, it created the exemption because, in its experience, “communications from these entities have at times been sensitive, and the CFPB believes that these entities are likely to provide more frank and robust feedback if communications are not subject to the disclosure requirements of the Policy.”