Wednesday, May 3, 2023

FYI: Indiana Enacts Comprehensive Consumer Data Privacy Law

Indiana Gov. Eric Holcomb on May 1, 2023 signed into law Senate Bill 5, making Indiana the seventh state to enact a more comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, and Iowa.

 

The new Indiana law will take effect Jan. 1, 2026.

 

APPLICABILITY

 

The new Indiana law applies to any person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:

 

  • controls or processes personal data of at least 100,000 consumers who are Indiana residents; or
  • controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50% of gross revenue from the sale of personal data.

 

EXEMPTIONS

 

Importantly, the law exempts financial institutions and affiliates, or data subject to the Gramm-Leach-Bliley Act. Other exemptions include covered entities or business associates governed by the privacy, security, and breach notification rules issued pursuant to the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.

 

CONSUMER RIGHTS

 

Consumers are provided the right to:

 

  • confirm whether a controller is processing the consumer's personal data and to access such personal data;
  • correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller;
  • delete personal data provided by or obtained about the consumer;
  • obtain a copy of the consumer's personal data, or a representative summary;
  • opt out of the sale of personal data.

 

SENSITIVE DATA

 

A controller may not process "sensitive data" without a consumer's consent.

 

"Sensitive data" includes:

 

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data;
  • Personal data collected from a known child;
  • Precise geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must include certain provisions to ensure that:

 

  • each person processing personal data is subject to a duty of confidentiality;
  • a processor will delete or return all personal data to the controller upon request;
  • a processor will provide a controller with all information necessary to demonstrate the processor's compliance;
  • a processor will allow, and cooperate with, reasonable assessments by the controller;
  • any subcontractor of the processor will meet the obligations of the processor pursuant to a written contract.

 

DATA PROTECTION IMPACT ASSESSMENTS

 

A controller must conduct and document a data protection impact assessment if the processing involves:

 

  • targeted advertising;
  • the sale of personal data;
  • certain profiling;
  • sensitive data;
  • activities posing a heightened risk of harm to consumers.

 

ENFORCEMENT

 

The Attorney General has the exclusive authority to enforce the law. Prior to taking any action, the Attorney General must provide a controller or processor 30 days to cure the violation. In the absence of a cure, civil penalties not to exceed $7,500 may be sought for each violation.

 

PREEMPTION

 

The law preempts "all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the processing of personal data by controllers or processors."

 

IMPRESSION

 

The Indiana law is very similar to the non-California data privacy laws recently enacted, so it should cause few additional compliance challenges.

 

Similar legislation will soon be eligible for the governors' signatures in Tennessee and Montana.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at: Financial Services Law Updates, The Consumer Financial Services Blog, and Webinars.

  

 

 

 

 

Monday, May 1, 2023

FYI: Kansas Enacts Financial Institutions Information Security Act

Kansas Governor Laura Kelly has approved enactment of Senate Bill 44, which requires certain financial institutions to establish information security standards consistent with the federal Gramm-Leach-Bliley Act's Safeguards Rule, 16 C.F.R. § 314.1, et seq.

 

The Kansas Financial Institutions Information Security Act becomes effective July 1, 2023.

 


 

APPLICABILITY

 

The new law applies to the following covered entities, as defined by Kansas law:

 

-  Credit services organizations;

-  Mortgage companies;

-  Supervised lenders;

-  Financial institutions engaging in money transmission;

-  Trust companies; and

-  Technology-enabled fiduciary financial institutions.

 

REQUIREMENTS

 

Covered entities must:

 

1-  Adopt standards for developing, implementing, and maintaining reasonable safeguards to protect the security, confidentiality, and integrity of customer information pursuant to 16 C.F.R. § 314, as in effect on July 1, 2023;

 

2-  Develop and organize its information security program into one or more readily accessible parts; and

 

3-  Maintain its information security program as part of the covered entity's books and records in accordance with the record retention requirements of such covered entity.

 

ENFORCEMENT

 

The State Bank Commissioner has exclusive authority to implement, administer and enforce the Act, which includes the ability to examine, investigate, and subpoena covered entities. The Commissioner may seek injunctive relief and assess civil penalties not to exceed $5,000 per violation. All enforcement actions are pursuant to the Kansas Administrative Procedure Act.

 

IMPRESSION

 

This legislation is a model of simplicity. Instead of reinventing the wheel with lengthy and potentially controversial legislation, Kansas has taken a commonsense approach by simply requiring that certain regulated entities comply with the Safeguards Rule and providing its state regulator with enforcement authority.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP