Compliance Newshub
State News

Ballard Sparh, LLP--Anthony C. Kaye & John L. Culhane, Jr. 

The Washington state Senate and House of Representatives have passed a bill (House Bill 1056) that would expand the coverage of the Washington Service Members’ Civil Relief Act (WSCRA) and provide additional protections to active duty service members.  The bill is now awaiting signature by the state’s Governor, who is expected to sign it.  The bill is effective 90 days after the current legislative session is adjourned, which is expected to occur by March 8.

The WSCRA is the state’s version of the federal Servicemembers Civil Relief Act (SCRA).  Like the SCRA, the WSCRA provides various protections for active duty military service members, including reduced interest rates on preexisting debts, foreclosure and eviction protections, and protections from default judgments.  On March 28, 2018, from 12 p.m. to 1 p.m ET, Ballard Spahr attorneys will hold a webinar, “Update on Federal and State Military Finance Developments.”  Click hereto register.

In 2014, the WSCRA was amended to create a private right of action and to authorize the Washington state Attorney General to enforce the WSCRA.  House Bill 1056 would further amend the WSCRA by expanding its definition of “service member” to mean “an active member of the United States armed forces, a member of a military reserve component, or a member of the national guard who is either stationed in or a resident of Washington state.”  The current definition only covers Washington state residents who are members of the national guard or a military reserve component.

The bill would also add a new section to the WSCRA that allows a service member to terminate or suspend certain service contracts at any time after he or she receives orders for a permanent change of station or a military deployment for 30 days or more.

The service contracts covered by the new section are: contracts for telecommunications services from a telecommunications company; health studio services from a health studio; subscription television services from a television service provider; and internet services from an internet service provider.  To terminate or suspend a contract, a service member must provide written proof of his or her official orders.

A termination or suspension is effective upon the service provider’s receipt of the service member’s written notice of termination or suspension (which can include email notice).  The service member remains obligated to pay for services rendered before the effective date of the suspension or termination, cannot be charged a penalty, lose a deposit, or incur any additional cost due to the suspension or termination, and can reinstate the services by giving written notice to the provider within 90 days after the service member’s military service terminates.

The bill specifies that the renewed services must be on the same terms and conditions that originally applied if the service member served for no more than 12 months.  For longer service, the terms and conditions for the renewed services must be the same as those offered to any new consumer at the lowest discounted or promotional rate within the previous 12 months.

InfoBytes Blog--Buckley Sandler, LLC

On February 22, Alabama enacted HB 90, which amends the Code of Alabama section relating to the right of redemption on residential property. The amendment provides for a one-year right of redemption period after the foreclosure sale date. Alabama requires a mortgagee to mail a notice of a mortgagor’s right of redemption at least 30 days prior to the foreclosure sale, and the amendment allows the mortgagee to use the proof of mailing of the notice as an affirmative defense to any notice requirement action. Finally, the amendment reduces the time all actions related to the notice requirement must be brought from two years to one year after the date of foreclosure.

MRG

The Delaware legislature recently amended its laws related to breaches of security, effective April 14, 2018.

Any person who conducts business in Delaware and owns, licenses, or maintains personal information must implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.

“Breach of security” means:

• The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.  Good faith acquisition of personal information by an employee or agent of any person for the purposes of security, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure;
• The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information is not a breach of security to the extent that personal information contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render the personal information readable or useable.

“Determination of the breach of security” means the point in time at which a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.

“Encrypted” means personal information that is rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.

“Encryption key” means the confidential key or process designed to render the encrypted personal information useable, readable, and decipherable.

“Notice” means any of the following:

• Written notice;
• Telephonic notice;
• Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures required by federal law or if the person’s primary means of communication with the resident is by electronic means;
• Substitute notice, if the person required to provide notice demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice.  Substitute notice consists of all of the following:
  • Electronic notice if the person has e-mail addresses for the members of the affected class of Delaware residents;
  • Conspicuous posting of the notice on the web site page of the person if the person maintains one;
  • Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.

“Person” means an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.

“Personal information” means a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to that individual:

• Social security number;
• Driver’s license number or state or federal identification card number;
• Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
• Passport number;
• A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account;
• Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;
• Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
• Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes;
• An individual taxpayer identification number.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely-distributed media.

Any person who conducts business in Delaware and who owns or licenses computerized data that includes personal information must provide notice of any breach of security following determination of the breach of security to any resident of Delaware whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.

A person that maintains computerized data that includes personal information that the person does not own or license must give notice to and cooperate with the owner or licensee of the information of any breach of security immediately following determination of the breach of security.  For purposes of this provision, “cooperation” includes sharing with the owner or licensee information relevant to the breach.

The required notice must be made without unreasonable delay but not later than 60 days after determination of the breach of security, except in the following situations:

• A shorter time is required under federal law.
• A law enforcement agency determines that the notice will impede a criminal investigation and such law enforcement agency has made a request of the person that the notice be delayed.  Any such delayed notice must be made after such law enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.
• When a person otherwise required to provide notice, could not, through reasonable diligence, identify within 60 days that the personal information of certain residents of Delaware was included in a breach of security, such person must provide the notice to such residents as soon as practicable after the determination that the breach of security included the personal information of such residents, unless such person provides or has provided substitute notice.

If the affected number of Delaware residents to be notified exceeds 500 residents, the person required to provide notice must, not later than the time when the notice is provided to the resident, also provide notice of the breach of security to the Delaware Attorney General.

If the breach of security includes a social security number, the person must offer to each resident, whose personal information, including social security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of one year.  Such person must provide all information necessary for such resident to enroll in such services and must include information on how such resident can place a credit freeze on such resident’s credit file.  Such services are not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.

In the case of a breach of security involving medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile, for login credentials of an e-mail account furnished by the person, the person cannot comply with these provisions by providing the security breach notification to such e-mail address, but may instead comply by providing notice by another method described below or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person knows the resident customarily accesses the account.

A person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements, is deemed to be in compliance with the notice requirements if the person notifies affected Delaware residents in accordance with its policies in the event of a breach of security.

A person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 and the Gramm Leach Bliley Act and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with these provisions if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.

InfoBytes Blog-–Buckley Sandler, LLP

On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. This week’s updates to the FAQs add the following guidance:

• Due to increasing cybersecurity risks facing financial institutions, NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500”;
• Not-for-profit mortgage brokers are Covered Entities under the cybersecurity regulation;
• Covered Entities, when acquiring or merging with a new company, must conduct a factual analysis of how the cybersecurity regulation applies to the acquisition or merger.  In addition, NYDFS emphasized that Covered Entities must have in place serious due diligence processes and ensure cybersecurity is a priority; and
• Health Maintenance Organizations and continuing-care retirement communities are Covered Entities and must comply with the cybersecurity regulation requirements.

As previously covered in InfoBytes, on January 22, NYDFS issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance was February 15.

Bankers Advisory--Ryan Peters

Michigan has amended 1961 PA 236 (the Act), section 600.3204, concerning foreclosure of a mortgage by advertisement, and section 600.5807, concerning limitation of actions. The amended Act is effective May 7, 2018.

Section 3204(1)(b) of the Act, as amended, now states that, “For purposes of this subdivision, an action or proceeding for the appointment of a receiver is not an action or proceeding to recover a debt.”

Additionally, section 5807 of the Act has been amended with updated periods of limitations, as follows:

• The period of limitations on an action charging a surety on a bond of a personal representative or guardian is 4 years after the discharge of the personal representative or guardian.
• Except as otherwise provided in this section or another statute of this state, the period of limitations is 10 years for an action founded on a bond of a public officer.
• The period of limitations on an action founded on a bond executed under sections 80 and 81 of 1846 RS 16, MCL 41.80 and 41.81, is 2 years after the expiration of the year for which the constable was elected.
• The period of limitations is 10 years for an action founded on a covenant in a deed or mortgage of real estate.
• Except as otherwise provided in another statute of this state, the period of limitations is 2 years for an action charging a surety for costs.
• The period of limitations is 2 years for an action brought on a bond or recognizance given on appeal from a court in this state.
• The period of limitations is 10 years for an action on a bond, note, or other like instrument that is the direct or indirect obligation of, or was issued by although not the obligation of, this state or a county, city, village, township, school district, special assessment district, or other public or quasi-public corporation in this state.
• The period of limitations is 6 years for an action to recover damages or money due for breach of contract that is not described in subsections (2) to (8).

For the full text of Michigan House Bill No. 4470, please refer to:

http://www.legislature.mi.gov/documents/2017-2018/publicact/pdf/2018-PA-0015.pdf

Bankers Advisory, Compliance Monitor--Robert Harrison

The state of Maine amended its provisions relating to debt collection. These provisions are effective on April 18, 2018 (or 90 days following adjournment of the current legislative session).

Sec. 1. 32 MRSA §11013, sub-§9, ¶D, as enacted by PL 2017, c. 216, §5, is amended to read: “The amount due at charge-off”

This bill amends the law regarding the information that a debt buyer must possess for purposes of debt collection. In current law, the debt buyer must possess the principal amount due the original creditor at charge-off, when the creditor removed the debt from its books as an asset and began to treat it as a loss or expense because payment was unlikely.  Following the amendment it is clarified that the debt buyer must possess the total amount due at charge-off.

The full text of House Paper 1165 can be found here: http://legislature.maine.gov/legis/bills/getPDF.asp?paper=HP1165&item=1&snum=128

Compliance Monitor--Robert Harrison

This bill amends the law regarding the information that a debt buyer must possess for purposes of debt collection. In current law, the debt buyer must possess the principal amount due the original creditor at charge-off, when the creditor removed the debt from its books as an asset and began to treat it as a loss or expense because payment was unlikely.  Following the amendment it is clarified that the debt buyer must possess the total amount due at charge-off. These provisions are effective on April 18, 2018.

MRG

Clark v. Deutsche Bank Nat’l Trust Co., 2018 U.S. App. (LEXIS 1484)

The Clarks (“Borrowers”) defaulted on their home equity loan and attempted to modify their loan to help remedy the default.  During this process, the Borrowers received a letter from Wells Fargo indicating that they were being reviewed to determine whether they were eligible for the Home Affordable Modification Program (“HAMP”) but were subsequently notified that they failed to qualify because Wells Fargo is prohibited from adjusting the original terms of the mortgage due to state law restrictions under Article 16, Section 50(a)(6) of the Texas Constitution.

The Borrowers subsequently filed a lawsuit against Deutsche Bank National Trust Company and Wells Fargo Bank, N.A. (the “Creditors”) asserting violations of the TDCA, among other things, alleging that the Creditors used false representations or deceptive means to collect a debt and obtain information concerning a consumer.  In particular, Borrowers allege that Creditors “deceptively instructed and encouraged” Borrowers to apply for the HAMP loan modification and made affirmative statements about the loan and a HAMP loan modification even though the HAMP loan modification was not available to Borrowers.

The U.S. Court of Appeals for the Fifth Circuit indicated that the TDCA prohibits debt collectors from “using any other false representation or deceptive means to collect a debt or obtain information concerning a consumer”; but to maintain a cause of action under this “catchall provision” of the TDCA, the debt collector must have made an affirmative statement that was false or misleading.  The Court affirmed the judgment of the lower court and held that the Creditors’ statements were not an affirmative statement upon which relief may be granted.

The Court further indicated that communications in connection with the renegotiation of a loan do not concern the collection of a debt, but instead, relate to its modification and thus they do not state a claim under the TDCA.

InfoBytes Blog, February 16, 2018–Buckley Sandler, LLP

On February 14, the Alabama Attorney General’s Office announced the establishment of the Cybercrime Lab, which was created in partnership with the U.S. Secret Service, the Federal Bureau of Investigation, U.S. Department of Homeland Security Investigations, the Alabama Fusion Center, the Alabama Office of Prosecution Services, and U.S. Attorney Louis Franklin. In addition to supporting cyber-related investigations in areas such as network intrusions and data breaches conducted by law enforcement in Alabama at the federal, state, and local levels, the Cybercrime Lab will provide assistance to agencies seeking access to digital evidence. Alabama Attorney General Steve Marshall commented that his office also has new resources for reporting suspected debit/credit card skimming devices.

InfoBytes Blog--Buckley Sandler, LLP

On February 6, Maine Governor Paul LePage signed updates to a provision of the state’s Fair Debt Collection Practices Act (Maine FDCPA), which clarify licensing requirements for persons engaged in the business of collecting debts in the state. S.P. 613, “An Act to Improve the Regulation of Debt Collectors,” includes the following:

1. removes the licensing condition that requires a debt collector to be “face to face” when soliciting business from Maine creditors; and
2. requires a debt collector to be licensed in the state before collecting a debt from a consumer in the state, regardless of the debt collector’s actual location.

The law will take effect 90 days following the adjournment of the legislative session, or April 18, 2018.

InfoBytes Blog--Buckley Sandler, LLP

On February 7, the New York Department of Financial Services (NYDFS) issued a guidance document reminding virtual currency entities (VC entities) licensed by the state or chartered as limited purpose trust companies that they are required to have policies and procedures in place to guard against fraud, and that they should be particularly vigilant concerning efforts at market manipulation.

The guidance requires VC entities to implement written policies that will (i) identify and assess fraud-related areas of risk, including market manipulation; (ii) provide procedures and controls to protect against identified risks; (iii) allocate risk monitoring responsibilities; (iv) periodically evaluate and revise risk monitoring processes to “ensure continuing effectiveness” and “compliance with all applicable laws and regulations; and (v) “provide for the effective investigation of fraud and other wrongdoing.” NYDFS also requires VC entities to submit incident reports detailing any identified wrongdoing, follow-up reports outlining any material developments, measures taken or to be taken concerning the developments, and a statement outlining any changes to the VC entity’s operations to prevent repeat occurrences.

InfoBytes Blog--Buckley Sandler, LLP

On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H.

According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.  Use of the portal does not relieve an organization of its obligations under chapter 93H to also notify OCABR and affected Massachusetts residents.