Compliance Newshub
State News

These provisions are effective on October 1, 2018.

Altering a certain provision of law limiting the amount of a finder's fee that may be charged by a mortgage broker obtaining a mortgage loan with respect to the same property more than once within a 24-month period.

Ballard Sparh, LLP--David M. Stauss, Gregory Szewczyk

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General's office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are as follows:

Data Security Requirements

For the first time, covered entities that maintain, own, or license "personal identifying information" (PII) of a Colorado resident are required to implement and maintain reasonable security procedures and practices that are "appropriate to the nature of the personal identifying information and the nature and size of the business and its operations."

The law defines PII broadly to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).

Covered entities also must take measures to protect PII when transferring it to third parties. Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity "shall require" the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. A "third-party service provider" is defined as an entity that "has been contracted to maintain, store, or process personal information on behalf of a covered entity."

The law also requires covered entities that maintain electronic or paper documents that contain PII to develop a written policy for the destruction of such documents when they are no longer needed.

The Attorney General’s office is authorized to enforce these new requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.

As a consequence of these new requirements, covered entities should consider developing and implementing written information security programs that include appropriate administrative, technical and physical safeguards for the types of PII that they maintain, own or license.

Changes to Colorado's Breach Notification Law

The new law strengthens and expands Colorado’s data breach notification law. Perhaps the most significant change is that covered entities now must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. Colorado’s 30-day deadline is the shortest of any state. Florida also has a 30-day deadline but allows for an additional 15 days under certain circumstances.

The new law drastically expands the types of information that will trigger a breach notification obligation if compromised. Specifically, the law defines "personal information" to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver's license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident's account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. However, a covered entity does not need to provide notice if the information was encrypted unless the encryption key also was compromised.

Importantly, the law does not create exemptions for entities subject to reporting requirements under the Gramm-Leach-Bliley Act or HIPAA. Rather, if there is a conflict between the 30-day time period for providing notice under Colorado law and a time period in another federal or state law, the law with the shortest time frame for providing notice controls.

The law also specifies what type of information must be included in the notice, such as a description of the PII involved in the breach, the date or estimated date of the breach, and contact information for the Federal Trade Commission and credit reporting agencies. If the breach involves the compromise of login information, a covered entity also is required to notify individuals to change their login information for that account and any other account that uses the same login information.

A covered entity must notify the Colorado Attorney General's office if it provides notice to 500 or more Colorado residents, and it must notify credit reporting agencies if it is provides notice to more than 1,000 residents.

If a third-party servicer provider experiences a data breach, it must notify the covered entity "in the most expedient time possible, and without unreasonable delay."

As with the new data security requirements, the Attorney General's office is charged with enforcing violations of the notification requirements. However, a covered entity that maintains its own notification procedures as part of an information security policy that is consistent with the new law is in compliance with the law’s requirements if the covered entity follows those procedures. Therefore, to ensure compliance, covered entities should consider developing and implementing incident response plans that are consistent with the new law.

Finally, the law adds new provisions that create similar obligations for government entities.

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of nearly 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.

Housingwire--Jeremiah Jensen

Gov. John Bel Edwards vetoed a bill that would have blocked the institution of inclusionary zoning policies in the state of Louisiana, according to the New Orleans Advocate.

Earlier this month, a majority in the Louisiana House and Senate passed a bill blocking inclusionary zoning with strong support from developers who claimed that the pro-affordable housing policies would make building too costly.

Edwards' veto comes with the condition that parishes in Louisiana must enact inclusionary zoning policies by 2019, else he will not strike down another bill seeking to block them.

If the parishes do not implement inclusionary zoning policies, the governor said he will “conclude that it is not their will to utilize these strategies, and I will be inclined to sign a similar piece of legislation in the 2019 Regular Session,” Edwards said of the bill in a letter to state Sen. John Alario, the Senate president, according to the New Orleans Advocate.

This added pressure to enact or forever hold their peace is a response to parishes' reluctance to use these policies though they have been available since 2006 when the Louisiana legislature first signed them into law.

Bankers Advisory--Adam Faria

Tennessee has passed House Bill 1794 which amends Tennessee Code Annotated, Section 66-22-10. HB 1794 provides for the online notarization of documents or instruments by a notary public who has been appointed as an online notary public by the Secretary of State.

Section 66-22-10 has been amended to include an electronic signature as defined in Section 8-16-302 in the definition of “original signature.” Amended Section 66-22-10 allows a principal to appear before an online notary public to make an acknowledgment using an interactive two-way audio and video communication system that meets the requirements for online notarization under the Online Notary Public Act pursuant to Title 8, Chapter 16, Part 3. The online notary taking the acknowledgement must state in the acknowledgement whether the principal personally appeared by way of an interactive two-way audio and video system. An acknowledgement taken by means of a two-way audio video system must amend the acknowledgement form to read “personally appeared before me by audio-video communication” or “personally appeared by audio-video communication” or “before me appear by audio-video communication” rather than “personally appeared before me” or “personally appeared” or “before me appear” in order for the acknowledgement to be compliant. The Secretary of State is charged with the promulgation of rules necessary to implement and facilitate online notarizations.

In order for a notary public to be commissioned as an online notary public, the applicant must satisfy the requirements for appointment as a notary public and submit an application in the prescribed form promulgated by the Secretary of State. The application must include the applicant’s legal name, the physical address of the applicant, a valid email address, a valid telephone number, the county where the notary was commissioned, the commission date, the commission expiration date, and any other information required by the Secretary of State.

An online notary public may perform notarial acts under these provisions without regard to the physical location of the principal so long as the notary is physically in the state of Tennessee. The online notary is required to maintain a secure electronic record of electronic documents notarized including the date and time of notarization, the type of notarial act, a description of the electronic document, the name and address of each principal involved, evidence of identity of each principal and a recording of any video and audio that is the basis of the satisfactory evidence of identification. The electronic record must be maintained for at least 5 years from the date of the transaction requiring notarization.

When performing an online notarization, the online notary shall verify the identity of the person creating an electronic signature either by the notary’s personal knowledge of the person or by remote presentation by the principal of a government issued identification.

Amended Section 8-16-112 states that an electronic signature or a digitized image of a wet signature of the online notary satisfies the existing requirement of a notary public’s signature in ink or by hand and seal. Further, the requirement of an official seal or stamp is satisfied by an electronically transmitted document so long as the document reproduces the required elements of the seal.

The provisions of HB 1794 are effective July 1, 2019 and the full text of the bill may be found at: https://legiscan.com/TN/text/HB1794/id/1696649/Tennessee-2017-HB1794-Draft.pdf

This bill adopts miscellaneous consumer protection provisions.

• Adds multiple definitions under Credit Protection for Vulnerable Persons
• Adds a new section titled Credit Report Protection for Minors
• Adds new provisions for Security Freezes
• Adds new provisions for Use of Credit Information for Personal Insurance

Provisions in this bill range from effective immediately to effective on January 1, 2019.

Bankers Advisory--Rhone Kyeyune

The State of Minnesota enacted provisions relating to its Revised Uniform Law on Notarial Acts. These provisions are effective on January 1, 2019.

Section 5 provides that a notarial officer who takes an acknowledgment of record, verifies statements on oath, witnesses or attests signatures shall determine, from personal knowledge or satisfactory evidence of the identity of the individual that the individual appearing before the officer and making the acknowledgment, verification or appearing before the officer and signing the record has the identity claimed and that the signature on the record or statement verified is the signature of the individual.

Furthermore, a notarial officer who certifies a copy of a record or an item that was copied must determine that the copy is a full, true, and accurate transcription or reproduction of the record or item.

Section 6 requires an individual to appear personally before a notarial officer whenever the officer performs a notarial act regarding a record signed or a statement made by the individual regardless of whether the notarial act is completed on a tangible or an electronic record.

Section 7 provides that a notarial officer must identify an individual before performing a notarial act for that individual. A notarial officer may identify an individual through personal knowledge of the individual appearing before the officer. If an individual is not personally known to the notarial officer, the individual must provide satisfactory evidence of the individual’s identity, which may be through a passport, driver’s license, or a government-issued nondriver identification card or by means of an oath or affirmation of a credible witness.

A notarial officer may require additional identification of an individual if the officer is not satisfied with the individual’s identity. The amendment further provides that an officer may refuse to perform a notarial act if the officer is not satisfied that individual’s signature is knowingly and voluntarily made or has concern as to the competency or capacity of the individual.

The amendment acknowledges notarial acts performed by notarial officers in the State of Minnesota, another state of the United States, or under federal authority. It also recognizes notarial acts performed under the authority of a federally recognized Indian tribe and notarial acts performed in foreign states. The Act continues to recognize an “apostille” complying with the Convention de La Haye du 5 octobre 1961 (“Hague Convention”) as a means of providing conclusive authentication of notarial acts that are performed by a notarial officer of a foreign state. It also recognizes a consular authentication as an alternative means of providing that conclusive authentication of a foreign notarial act.

Section 15 lays down provisions relating to a remote online notary public. A remote online notary public is defined as “notary public who has registered with the secretary of state to perform remote online notarizations.”

A remote online notary public must keep a secure electronic journal of notarial acts performed by the remote online notary public. The electronic journal and electronic seal must be kept secure and under the remote online notary public’s exclusive control.

The remote online notary public may not allow another person to use the remote online notary public’s electronic journal or seal to perform notarial acts or for any unauthorized purpose.

A remote online notary public whose registration terminates must destroy the coding, disk, certificate, card, software, or password that enables electronic affixation of the online notary public’s official electronic signature or seal.

The amendment recognizes electronic notorial acts and puts them on the same level with notarial acts performed on tangible media. The amendment lays down the same requirements for and treatment of notarial acts, regardless of whether the acts are performed with respect to tangible or electronic media.

Section 16 provides that:

 “if a law requires as a condition for recording that a document be an original, be on paper or another tangible medium, be in writing, or be signed, the requirement is satisfied by a paper copy of an electronic document bearing an electronic signature that a notary public has certified to be a true and correct copy of a document that was originally in electronic form and bearing an electronic signature.”
“A requirement that a document or a signature associated with a document be notarized, acknowledged, verified, witnessed, or made under oath is satisfied by a paper copy of an electronic document bearing an electronic signature of the person authorized to perform that act, and all other information required to be included, that a notary public has certified to be a true and correct copy of a document that was originally in electronic form and bearing an electronic signature of the person.”
“The office of the county recorder or the office of registrar of titles shall record a paper copy of a document that was originally in electronic form and that is otherwise entitled to be recorded under the laws of this state, provided that the paper copy has been certified to be a true and correct copy of the electronic original by a notary public duly commissioned under the laws of this state as evidenced by a certificate attached to or made a part of the document.”

Section 17 stipulates that a notarial act must be evidenced by a certificate of notarial act and sets out the requirements of that certificate. The certificate must be executed contemporaneously with the performance of the notarial act; be signed and dated by the notarial officer and, if the notarial officer is a notary public, be signed in the same manner as on file with the commissioning officer or agency; identify the jurisdiction in which the notarial act is performed; contain the title of office of the notarial officer; and if the officer is a notary public, indicate the date of expiration, if any, of the officer’s commission.

Section 19 provides for the mandatory contents of the official stamp and requires that it be capable of being copied along with the record with which it is affixed, attached or associated. Section 20 provides for the stamping device, which is defined under Section 2 as the means of affixing the official stamp to a tangible record or associating the official stamp with an electronic record. Section 20 lays the responsibility for controlling the stamping device and assuring that it not be used by others on the notary public.

Section 22 provides grounds for denying, refusing to renew, revoking, suspending, or condition commission of notary public. It also states that a notary may be removed from office only by the governor, the district court, or the commissioner of commerce and also lays down generally prohibited acts.

Section 23 provides that the secretary of state must maintain an electronic database of notaries public through which a person may verify the authority of a notary public to perform notarial acts; and which indicates whether a notary public has applied to the commissioning officer or agency to perform notarial acts on electronic records or to perform notarial acts.

The amendment also ensures that a notarial officer does not act in a deceptive or fraudulent manner. Section 4 prohibits a notarial officer from performing a notarial act with regard to a record to which the officer or the officer’s spouse is a party or in which either of them has a direct beneficial interest. Section 24 provides for prohibited acts. It prohibits a notary public from drafting legal records, giving legal advice, or otherwise practicing law. It also prohibits a notary public from acting as a consultant or expert on immigration matters or representing persons in judicial or administrative proceedings in that regard. It further prohibits a notary public from engaging in false or deceptive advertising and from unauthorized practice of law.

Enacts an act relating to notaries public, requires notaries public to be commissioned and regulated by the Office of Professional Regulation. These provisions are effective on July 1, 2019. 

CounselorLibrary

On May 18, 2018, South Carolina enacted House Bill 4628, which creates the South Carolina Telephone Privacy Protection Act. The SCTPPA applies to "telephone solicitations," defined as the "initiation of a telephone call, or a text or media message sent, to a natural person's residence in South Carolina, or to a wireless telephone with a South Carolina area code, for the purpose of offering or advertising a property, good, or service for sale, lease, license, or investment, including offering or advertising an extension of credit, prize promotion, or for the purposes of obtaining information that will or may be used for the direct solicitation thereof."

The following solicitations are generally exempt from coverage under the SCTPPA:

(1) a political campaign-related call made, or a text or media message sent, in compliance with the Federal Telephone Consumer Protection Act;

(2) unless the consumer previously stated a desire not to be contacted, a telephone solicitation made to a consumer with:

(a) that consumer's prior express invitation or permission as evidenced by a signed or electronically signed, written agreement stating that the person agrees to be contacted by or on behalf of a specific party and including the telephone number to which they may be placed;

(b) whom the person on whose behalf the telephone solicitation is made has an established business relationship; or

(c) whom the telephone solicitor making the telephone call or sending a text message has a personal relationship; or

(3) calls by institutions licensed and regulated under the South Carolina Insurance Title.

"Established business relationship" means a relationship between the consumer and the person on whose behalf the telephone solicitation call is being made based on the consumer's:

(1) purchase from, or transaction with, the person on whose behalf the telephone solicitation is being made within the 18 months immediately preceding the solicitation date; or

(2) inquiry or application regarding a property, good, or service offered by the person on whose behalf the telephone solicitation is being made within the 3 months immediately preceding the solicitation date.

The SCTPPA prohibits telephone solicitors from contacting consumers at certain times without consent, requires specific disclosures at the outset of the call, prohibits the display of misleading, false or inaccurate caller ID information, requires prerecorded identification and opt-out messages in some instances, and prohibits contacting persons that have either previously expressed a desire not to be contacted or who appear on the National Do Not Call Registry.

The SCTPPA took effect on May 18, 2018, and will be enforced by the South Carolina Attorney General and Department of Consumer Affairs.

House Bill 4628

A bill for an act relating to redemption by certain persons of parcels sold at tax sale. (Formerly HSB 605.) Effective 7-1-18.

• Altering the definition of "unfair or deceptive trade practice" to be "unfair, abusive, or deceptive trade practice"; 
• providing the purpose of the Act is to support enforcement by and funding of the Office of the Attorney General and the Commissioner of Financial Regulation to protect State residents when conducting financial transactions and receiving certain services; 
• requiring the Commissioner to designate an individual as the Student Loan Ombudsman; 
• requiring the establishment of a student loan borrower education course; etc.

Provisions in these bills range from effective on October 1, 2018 to effective on January 1, 2019.

Buckley Sandler, LLP--InfoBytes Blog

On May 15, the Maryland governor signed HB1634, the Financial Consumer Protection Act of 2018, which expands the definition of “unfair and deceptive trade practices” under the Maryland Consumer Protection Act (MPCA) to include “abusive” practices, and violations of the federal Military Lending Act (MLA) and Servicemembers Civil Relief Act (SCRA). The law also, among other things:
 

• Civil Penalties. Increases the maximum civil penalties for certain consumer financial violations to $10,000 for the initial violation and $25,000 for subsequent violations
• Debt Collection. Prohibits a person from engaging in unlicensed debt collection activity in violation of the Maryland Collection Agency Licensing Act or engaging in certain conduct in violation of the federal FDCPA.
• Enforcement Funds. Requires the governor to appropriate at least $700,000 for the Office of the Attorney General (OAG) and at least $300,000 to the Office of the Commissioner of Financial Regulation (OCFR) for certain enforcement activities.
• Student Loan Ombudsman. Creates a Student Loan Ombudsman position within the OCFR and establishes specific duties for the role, including receiving, reviewing, and attempting to resolve complaints from student loan borrowers.
• Required Studies. Requires the OCFR to conduct a study on Fintech regulation, including whether the commissioner has the statutory authority to regulate such firms. The law also requires the Maryland Financial Consumer Protection Commission (MFCPC) to conduct multiple studies, including studies on (i) cryptocurrencies and initial coin offerings and (ii) the CFPB’s arbitration rule (repealed by a Congressional Review Act measure in November 2017).

docutech--Compliance News Alert

On May 8, 2018 Gov. Nathan Deal (R) signed into law GA HB 1036 (2017), which permits the clerk of the Superior Court of Fulton County “to require that no instrument by which the title to real property or any interest therein is conveyed, created, assigned, encumbered, disposed of, or otherwise affected shall be entitled to recordation unless the tax parcel identification number or numbers associated with all or any portion of the real property affected are legibly printed, typewritten, or stamped upon such affidavit or instrument at the top of the first page thereof.” (see http://www.legis.ga.gov/legislation/en-US/Display/20172018/HB/1036). This law takes effect on July 1, 2018.