Compliance Newshub
State News

Bankers Advisory--Robert Harrison

The state of Arizona amended its provisions relating to notaries public through House Bill 2178. These provisions are effective on July 20, 2018 (or 90 days following adjournment of the current legislative session).

Arizona Revised Statutes Section 41-311 is amended to modify the definition of “Notarial act” or “notarization” to specify that it only verifies “the identity of a signer of a document and not the truthfulness, accuracy or validity of the document.” Furthermore that same section includes amendments to the definition of “satisfactory evidence of identity” to include:

• “nonoperating identification license that is issued by a state or territory of the United States.”
• “An inmate identification card that is issued by the state department of corrections, if the inmate is in the custody of the department.”
• “Any form of inmate identification that is issued by a county sheriff, if the inmate is in the custody of the county sheriff.”

Arizona Revised Statutes Section 41-313 has been amended to remove language which permitted a notary to perform a notarial act on a document that is a translation of a document that is in a language that the notary does not understand. These amendments also require the official seal of a notary to include their notarial commission number in addition to the previously required: “words ‘notary public’, the name of the county in which the notary is commissioned, the name of the notary as it appears on the notarial application, the great seal of the state of Arizona… and the expiration date of the notarial commission.”

Currently, a notary public is required to file a surety bond with the Arizona Secretary of State that must be issued within 60 days before and 30 days after the Arizona Secretary of State commissions the notary (A.R.S. § 41-315). This rule has been amended to require the Arizona Secretary of State to accept a surety bond issued by a notary public that was issued 60 days, rather than 30 days, after the notary is commissioned.

Arizona Revised Statutes Section 41-352 is added as a new section which contains rules related to electronic notarization. This section states notarial acts may be performed electronically and a notary public can accept documents electronically signed.  Furthermore the Arizona Secretary of State is required by this section to “adopt rules that establish standards for secure and feasible implementation of electronic notarization” before January 1, 2020.

Arizona Revised Statutes Section 44-7011 requires a notary public who is appointed after the effective date to use an official seal imprinted with his or her commission number. A notary public appointed before the effective date must replace his or her official seal on reappointment with an official seal imprinted with his or her notarial commission number.

The full text of Arizona House Bill 2178 can be found here: https://www.azleg.gov/legtext/53leg/2R/laws/0013.htm

Ballard Sparh, LLP--Edward J. McAndrew; Philip N. Yannella

Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on May 1, 2018. Although it was last in the country to enact such a data security law, Alabama's new law will immediately take its place among the most stringent in the nation.

The Alabama law generally can be categorized into four obligations:

• All entities subject to the law (covered entities and third-party agents) must "implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security."
• A "covered entity shall conduct a good faith and prompt investigation" into "a breach of security that has or may have occurred in relation to sensitive personally identifying information."
• A "covered entity" must notify each affected Alabama resident, and a "third-party agent" must notify the "covered entity" of a "breach of security involving sensitive personally identifying information"; and
• A "covered entity" must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

Implementing and Maintaining Reasonable Security Measures

Alabama joins approximately 14 other states that have created stand-alone statutory obligations to maintain reasonable cybersecurity measures. Alabama's new obligation breaks new ground, however, by elaborating in the statutory text on factors to be considered in assessing 'reasonableness.' Alabama's obligation also expressly applies to both covered entities and their service providers.

In addition to being "practicable . . . to implement and maintain," reasonableness requires:

• designation of "an employee or employees to coordinate" the data security measures
• identification of internal and external cyber risks
• adoption of "appropriate information safeguards to address identified risks . . . and assess the effectiveness of such safeguards"
• service providers to be "contractually required to maintain appropriate safeguards"
• evaluation and adjustment of measures as circumstances change
• informing the management and board of directors of the "overall status of its security measures"

The same statutory section also provides that "[a]n assessment of the covered entity's security" shall focus on the security measures "as a whole" and shall emphasize "data security failures that are multiple or systemic." Consideration must be given to the covered entity's: (1) size; (2) amount of sensitive personally identifying information and the type of activities involving such; and (3) cost to implement and maintain the security measures.

Section 10 of the Act requires covered entities and third-party service providers to "take reasonable measures" to dispose of records containing sensitive personally identifying information when those records "are no longer to be retained pursuant to applicable law, regulations, or business needs."

These prescriptions are similar to some of those imposed by other states by regulation (see Massachusetts and New York Department of Financial Services). Alabama has raised the stakes, though, by including such prescriptions in its data security statute.

Data Breach Investigation and Notification

Aside from the obligation to maintain reasonable security measures noted above, the other requirements of the Alabama law are triggered by a covered entity's determination that "a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity."

            Key Definitions

A "breach of security" is the "unauthorized acquisition of data in electronic form containing sensitive personally identifying information."

"Sensitive personally identifying information" (SPII) includes an Alabama resident's first name/first initial and last name in combination with one or more of the following:

• non-truncated Social Security or tax-identification number
• non-truncated driver's license, passport, or other government identification number
• financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will "credit or debit the account"
• individual's medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
• user name or email address combined with a password or security question/answer permitting access to "an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain [SPII]."

The statute expressly excludes from SPII's definition information that is publicly available or "is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or otherwise renders the information unusable."

A "covered entity" includes any person or any type of business entity "that acquires or uses sensitive personally identifying information." A "third-party agent" is an entity "contracted [by a covered entity] to maintain, store, process or is otherwise permitted to access sensitive personally identifying information."

            Required Investigations

A covered entity must "conduct a good faith and prompt investigation" upon determining that a breach of security "has or may have occurred in relation to SPII." The statute further requires that the investigation include:

• assessing the nature and scope of the breach
• identifying any SPII (and the individuals to whom it relates) that may have been involved
• determining whether SPII has been or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to affected individuals
• identifying and implementing "measures to restore the security and confidentiality of the systems compromised in the breach."

The statute lists factors to be considered in determining whether SPII has been or is reasonably believed to have been acquired without authorization, including "indications":

• of physical possession or control of SPII by an unauthorized person, such as laptop or device loss/theft
• of downloading or copying of the SPII
• of unauthorized use of the SPII, such as opening fraudulent accounts or ID theft reports
• of publication of the SPII.

Required Notifications

The Act contains notification requirements that apply to covered entities and their third-party service providers.

A covered entity generally must notify affected Alabama residents of a breach of security if two conditions are met: (1) SPII has been or is reasonably believed to have been acquired by an unauthorized person; and (2) substantial harm to affected individuals is "reasonably likely" to result.

Covered entities must notify Alabama residents, by mail or email, "as expeditiously as possible and without unreasonable delay," but not later than 45 days after being notified of a breach by a third-party agent or determining that a breach has or is reasonably believed to have occurred. There are exceptions/exemptions for law enforcement investigations and compliance with other similar laws. Notice to residents must at least include: (1) the estimated date of the breach; (2) a description of the SPII acquired without authorization; (3) a general description of remedial measures; (4) a general description of protective measures the individual may take; and (5) contact information for the covered entity.

Covered entities must notify the Alabama Attorney General (and national credit reporting agencies) under the same time constraints noted above if a breach involves more than 1,000 "individuals"—a term defined to mean Alabama residents. The notice must include: (1) "a synopsis of the events surrounding the breach"; (2) the approximate number of affected individuals; (3) any services being offered without charge to the individuals, and related instructions; and (4) contact information for the covered entity. Importantly, any information marked "as confidential" will not be subject to open records, freedom of information, or other public record disclosure laws.

A third-party agent must notify the covered entity of a breach impacting relevant SPII "as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred." The third-party agent must cooperate with—and provide information in its possession to—the covered entity, which then has the notification obligations noted above. The covered entity may contractually delegate its notification obligations to a third-party agent.

Remedies and Penalties

The Alabama law contains a number of important provisions relating to remedies for violation "of the notification provisions" of the Act.

A violation of the notification provisions constitutes an "unlawful trade practice" under the Alabama Deceptive Trade Practices Act, but with very important limitations. First, a violation of the Data Breach Notification Act does not constitute a criminal offense under the Deceptive Trade Practices Act, Ala. Code 18-19-12. See our recent blog post explaining how South Dakota's new data breach law does include criminal penalties. Second, the Data Breach Notification Act does not create a private right of action under Section 8-19-10.

The Alabama Attorney General has exclusive authority to bring a civil action for penalties, as well as a civil action in a representative capacity for damages incurred by named individuals. The maximum civil penalty is $5,000 per day for failure to notify under the Act, capped at $500,000 "per breach." Damages are limited to "actual damages," plus reasonable attorney's fees and costs.

To stay up to date on the latest developments in privacy and data security, subscribe to Ballard Spahr's Privacy and Data Security blog, CyberAdviser.

Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of more than 50 lawyers across the country includes investigators and advocates with deep experience with cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.

Summary

Notaries; fee agreements with employer. Allows an employer to require a notary in his employment to surrender to such employer a fee, if charged, provided that the notarial act for which the fee is charged is performed during the course of the employee's employment. Current law prohibits an employer from requiring the surrender of any such fee.

Effective July 1, 2018

Senate Bill 102 Creating WV Uniform Fiduciary Access to Digital Assets Act --Effective June 5, 2018

House Bill 4233 Amending the Uniform Voidable Transactions Act - Generally Fraudulent Transfers -- Effective June 8, 2018

House Bill 4320 Amending the Uniform Power of Attorney Act -- Effective June 8, 2018

Mortgage Daily

Residential loan servicers will soon be able to apply for licenses in the Keystone State as required by legislation that became law late last year.

On Dec. 22, 2017, Pennsylvania Gov. Tom Wolf, a Democrat, signed Act 81 of 2017 into law -- authorizing the state's Department of Banking and Securities to license and examine non-bank servicers.

The law, which is intended to help ensure that the rights of borrowers are protected, requires non-bank mortgage servicers to apply for a license by June 30.

An announcement Wednesday from the department indicated that servicers can begin submitting applications on April 1.

"Companies servicing a Pennsylvania mortgage without applying for a license by the deadline will be considered unlicensed and subject to enforcement action," the statement said.

To help prospective licensees, answers to frequently asked question have been posted online by the department at www.dobs.pa.gov.

Applications for licenses can be submitted online beginning April 1 through the Nationwide Multistate Licensing System at https://mortgage.nationwidelic....

House File 2232, a bill for an act relating to mortgage releases. (Formerly HSB 504.) Effective 7-1-18.

• Closed-end credit: Within 30 days of payment in full, shall execute and record an instrument of satisfaction
• Open-end credit: If the mortgage secures a revolving line of credit, future advances, or other future obligations, the mortgagee is not required to file a satisfaction upon payment in full unless the mortgagor makes a written request. Mortgagor must file the release within 30 days after payment in full or such written request is made, whichever occurs later.
• Failure to timely release the lien may result in all actual damages and a penalty of $500, plus reasonable attorney fees incurred by the aggrieved party.

Bankers Advisory--Robert Harrison

The state of Indiana amended provisions relating to notarial acts through Senate Bill 372. Provisions in this bill range from being effective immediately to being effective on July 1, 2019. Many of the amendments make technical changes to the standard language and definitions as they relate to notarial acts.  There are also new provisions in Senate Bill 372 that specify requirements for remote notarial acts.

Section 64. IC 33-42-17 is added to the Indiana Code as a new chapter governing remote notarial acts and applies to remote notarial acts performed after June 30, 2019. This section specifies requirements for remote notarial acts, including: registration, certification of and record keeping, use of audio visual communication and recording, verification of credentials, and maintenance of records.

Section 27. IC 33-42-0.5-20 is added to the Indiana Code as a new section which defines “notary public” as “an individual commissioned by the secretary of state to perform a notarial act.” This definition is effective on July 1, 2019.

Section 25. IC 33-42-0.5-18 is added to the Indiana Code as a new section which defines “notarial act” as “the following acts with respect to either a tangible or an electronic record:

1. Taking an acknowledgment.
2. Administering an oath or affirmation.
3. Taking a verification on an oath or affirmation.
4. Attesting to or witnessing a signature.
5. Attesting to or certifying a copy of: (A) a tangible document or record; or (B) an electronic document or record.
6. Noting a protest of a negotiable record.
7. Any other act authorized by common law or the custom of merchants.”

This definition is effective on July 1, 2019.

Section 34. IC 33-42-0.5-26 is added to the Indiana Code as a new section which defines “remote notarial act as “a notarial act described in section 18(1) through 18(5) of this chapter:
(1) performed through audio visual communication; and
(2) involving an electronic record.”
This definition is effective on July 1, 2019.

Section 34. IC 33-42-0.5-27 is added to the Indiana Code as a new section which defines “remote notary public” as “a notary public who is authorized by the secretary of state to perform a remote notarial act under IC 33-42-17.” This definition is effective on July 1, 2019.

The full text of Indiana Senate Bill 372 can be found here: https://iga.in.gov/legislative/2018/bills/senate/372#document-50bed3d4

Bankers Advisory--Zachary Pearlstein

The legislature of the state of Florida has recently enacted provisions regarding foreclosure proceedings where a defendant has filed for bankruptcy. This bill will be effective as of October 1, 2018.

The new bill, Section 702.12 of the Florida Statutes, essentially allows a foreclosing lienholder to submit a document from a defendant’s bankruptcy case, which will serve as an “admission by the defendant” that he or she intended to surrender the property.

The bill states that a foreclosing lienholder may submit a document that a defendant filed under penalty of perjury in his or her bankruptcy case. This document will be taken as an admission by the defendant, and will create a rebuttable presumption that the defendant has waived any defense to foreclosure if certain conditions are met.

The rebuttable presumption that the defendant has waived any defense to foreclosure will stand if the foreclosing lienholder files documents that show the defendant’s intention to surrender to the lienholder the property that is the subject of the foreclosure. These documents must not have been withdrawn by the defendant.  The bill further states that the documents must show that a final order has been entered in the defendant’s bankruptcy case, which discharges the defendant’s debts or confirms the defendant’s repayment plan that provides for the surrender of the property.

Once the bankruptcy documents have been submitted by a lienholder, the bill does not prevent the defendant from raising a defense based upon the lienholder’s action or inaction following the lienholder’s filing.

This bill applies to all foreclosure actions filed on or after October 1, 2018.

Bankers Advisory--Rhona Kyeyune

The Commonwealth of Virginia amended its provisions regarding notice to tenant in the event of a foreclosure. These provisions are effective on July 1, 2018.

Failure to pay certain rents after five days’ notice forfeits right of possession.

“If any tenant or lessee of commercial or other nonresidential premises being in default in the payment of rent, shall so continue for five days after notice, in writing, requiring possession of the premises or the payment of rent, such tenant or lessee shall there by forfeit his right to the possession. In such case, the possession of the defendant may, at the option of the landlord or lessor, be deemed unlawful, and he may proceed to recover possession of the premises.”

“The right to evict a tenant whose right of possession has been terminated in any commercial or other nonresidential tenancy may be effectuated by self-help eviction without further legal process so long as such eviction does not incite a breach of the peace. Eviction may also be effectuated by the filing of an unlawful detainer action as provided by Article 13 (§ 8.01-124 et seq.) of Chapter 3 of Title 8.01, entry of an order of possession, and eviction pursuant to § 55-237.1 .”

Tenant to maintain dwelling unit.

“The tenant shall be financially responsible for the added cost of treatment or extermination due to the tenant’s unreasonable delay in reporting the existence of any insects or pests and be financially responsible for the cost of treatment or extermination due to the tenant’s fault in failing to prevent infestation of any insects or pests in the area occupied.”

“The tenant shall also use reasonable care to prevent any dog or other animal in possession of the tenant, authorized occupants, or guests or invitees from causing personal injuries to a third party in the dwelling unit or on the premises, or property damage to the dwelling unit or the premises.”

Wrongful failure to supply heat, water, hot water, or essential services.

“If contrary to the rental agreement or provisions of this chapter, the landlord willfully or negligently fails to supply heat, running water, hot water, electricity, gas, or other essential service, the tenant must serve a written notice on the landlord specifying the breach if acting under this section and, in such event, and after a reasonable time allowed for the landlord to correct such breach, may:

1. Recover damages based upon the diminution in the fair rental value of the dwelling unit; or
2. Procure reasonable substitute housing during the period of the landlord’s noncompliance, in which case the tenant is excused from paying rent for the period of the landlord’s noncompliance, as determined by the court.”

The rights of the tenant under this section shall not arise until he has given written notice to the landlord; and no rights arise where the condition was caused by the deliberate or negligent act or omission of the tenant, a member of his family, or other person on the premises with his consent.

Landlord’s noncompliance as defense to action for possession for nonpayment of rent.

“In an action for possession based upon nonpayment of rent or in an action for rent by a landlord when the tenant is in possession, the tenant may assert as a defense that there exists upon the leased premises a condition that constitutes or will constitute a fire hazard or a serious threat to the life, health, or safety of occupants thereof, including but not limited to a lack of heat or running water or of light or of electricity or adequate sewage disposal facilities or an infestation of rodents, or a condition that constitutes material noncompliance on the part of the landlord with the rental agreement or provisions of law.”

Security deposits.

“As of the date of the termination of the tenancy or the date the tenant vacates the dwelling unit, whichever shall occur last, the tenant shall be required to deliver possession of the dwelling unit to the landlord. If the termination date is prior to the expiration of the rental agreement or any renewal thereof, or the tenant has not given proper notice of termination of the rental agreement, the tenant shall be liable for actual damages pursuant to § 55-225.48, in which case, the landlord shall give written notice of the disposition of the security deposit within the 45-day period but may retain any security balance to apply against any financial obligations of the tenant to the landlord pursuant to this chapter or the rental agreement. If the tenant fails to vacate the dwelling unit as of the termination of the tenancy, the landlord may file an unlawful detainer action pursuant to § 8.01-126.”

Landlord may obtain certain insurance for tenant.

“If a tenant allows his renter’s insurance policy required by the rental agreement to lapse for any reason, the landlord may provide any landlord’s renter’s insurance coverage to such tenant. The tenant shall be obligated to pay for the cost of premiums for such insurance as rent or as otherwise provided herein until the tenant has provided written documentation to the landlord showing that the tenant has reinstated his own renter’s insurance coverage.”

Confidentiality of tenant records.

“No landlord or managing agent shall release information about a tenant or prospective tenant in the possession of the landlord to a third party unless the information is requested by an employee or independent contractor of the United States to obtain census information pursuant to federal law.”

Failure to deliver possession.

“If the landlord willfully fails to deliver possession of the dwelling unit to the tenant, rent abates until possession is delivered and the tenant may terminate the rental agreement upon at least five days’ written notice to the landlord and, upon termination, the landlord shall return all prepaid rent and security deposits or demand performance of the rental agreement by the landlord. If the tenant elects, he may file an action for possession of the dwelling unit against the landlord or any person wrongfully in possession and recover the damages sustained by him.”

Notice to tenant in event of foreclosure.

“The landlord of a dwelling unit used a single-family residence shall give written notice to the tenant that the landlord has received a notice of a mortgage default, mortgage acceleration, or foreclosure sale relative to the loan on the dwelling unit within five business days after written notice from the lender is received by the landlord. If the landlord fails to provide the notice required by this section, the tenant shall have the right to terminate the rental agreement upon written notice to the landlord at least five business days prior to the effective date of termination. If the tenant terminates the rental agreement, the landlord shall make disposition of the tenant’s security deposit in accordance with law or the provisions of the rental agreement, whichever is applicable.”

The amendment also lays out prohibited provisions in rental agreements and also provides for the early termination of a rental agreement by military personnel.

Buckley Sandler, LLP--InfoBytes Blog

On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

• Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
• Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).

Bankers Advisory--Rhona Kyeyune

The state of Utah amended its provisions relating to its Residential Mortgage Practices and Licensing Act (RMPLA) that include the exemption of certain nonprofit corporations from licensing requirements. These provisions are effective on May 8, 2018.

The amendment defines “balloon payment” as a required payment in a mortgage transaction that:

1. results in a greater reduction in the principle of the mortgage than a regular installment payment; and
2. is made during or at the end of the term of the loan.

The amendment excludes from licensing a nonprofit corporation that:

1. is exempt from paying federal income taxes;
2. has as the nonprofit corporation’s primary purpose serving the public by helping low-income individuals and families build, repair, or purchase housing;
3. does not require, under the terms of a mortgage, a balloon payment;
4. performs loan originator activities, using only unpaid volunteers or employees whose compensation is not based on the number or size of the mortgage transactions that the employees originate.

This bill changes the application of interest rates to the amount financed instead of the total amount of the loan with regard to certain loans made by industrial loan and thrift companies.

Under present law, a registered industrial loan and thrift company may charge interest as follows:

(1) On loans where the total amount of the loan is less than $100, at a nominal rate not in excess of 7.5 percent per annum, deducted in advance, on the total amount of the loan for the full term thereof without regard to the payment schedule; but no interest may be charged on the loans in excess of a maximum effective rate of 18 percent per annum;
(2) On loans where the total amount of the loan is $100 or more, up to $5,000, at any rate not in excess of a maximum effective rate of 30 percent per annum;
(3) On loans where the total amount of the loan is more than $5,000, at any rate not in excess of the maximum effective rate of 24 percent per annum; and
(4) On loans made under open-end credit plans, which are plans under which a registrant contemplates repeated loans that may be without fixed maturities or limitation as to the length of term, and that are subject to prepayment at any time, at any rate not in excess of a maximum effective rate of 24 percent per annum.

This bill revises the above provisions to refer to "the amount financed" instead of "the total amount of the loan" for purposes of charging interest. Also, in (1) above, this bill specifies that the interest will be "on the principal" for the full term, instead of "on the total amount of the loan". This bill makes similar changes in other related provisions governing contracts for interest by industrial loan and thrift companies.

Effective immediately.