Financial Services Law Developments: 12/31/23

Thursday, January 4, 2024

FYI: Data Privacy & Security Roundup: New Laws, Regulations and Important Dates in 2024

The upward trend in data privacy legislation continued in 2023. According to the National Conference of State Legislatures, "[a]t least 40 states and Puerto Rico introduced or considered at least 350 consumer privacy bills in 2023," a significant increase from the 200 bills in 2022.

Many of these bills were limited in scope, relating to, for example, biometric, genetic and geolocation data, data brokers, and internet service providers.

STATE COMPREHENSIVE CONSUMER DATA PRIVACY LAWS

Narrowing the focus to legislation that conveys certain rights to consumers and restricts the use of personal information, more than 60 bills were considered in almost 30 states. A comparison chart of those bills can be accessed here.

In 2023, seven states joined California, Virginia, Colorado, Utah and Connecticut in passing comprehensive data privacy legislation.

Iowa SF 262 was enacted March 28 and goes into effect Jan. 1, 2025.

Indiana SB 5 was enacted May 1 and goes into effect Jan. 1, 2026.

Tennessee HB 1181 was enacted May 11 and goes into effect July 1, 2024.

Montana SB 384 was enacted May 19 and goes into effect Oct. 1, 2024.

Texas HB 4 was enacted June 18 and goes into effect July 1, 2024.

Oregon SB 619 was enacted July 18 and goes into effect July 1, 2024.

Delaware HB 154 was enacted Sept. 11 and goes into effect Jan. 1, 2025.

Although there are differences worth attention, these laws are very similar to those enacted after the California Consumer Protection Act, and most include:

Right to access

Right to correct (except Iowa)

Right to delete

Right to obtain

Right to opt-out of certain processing

Data and entity-level Gramm-Leach-Bliley Act exemptions (Oregon is data-level only but includes an entity-level exemption for financial institutions as defined in Rev. Stat. Ann. § 706.008)

Requirements for contracts between controllers and processors

Risk assessments for processing certain data (except Iowa)

No private right of action

A chart comparing the comprehensive data privacy laws is available here.

STATE DATA BREACH NOTIFICATION LAWS

Utah SB 127 was enacted March 23 and went into effect May 3. Amendments include:

Creation of the Utah Cyber Center tasked with, among other things, developing a cybersecurity plan for government agencies, identifying, assessing, and mitigating cyber threats, and promoting cybersecurity best practices;

Requiring notification to the attorney general and the Utah Cyber Center.

Texas SB 768 was enacted May 27 and went into effect Sept. 1. Amendments include:

Shortening the time to notify the attorney general from 60 days to 30;

Requiring notification be submitted electronically using a form provided on the attorney general's website.

Nevada SB 355 was enacted June 15 and went into effect Oct. 1. The law amends Nevada's data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) by exempting installment loan companies and making them subject to different data breach notification provisions, including:

Determination whether notice is required is based in part on an analysis of the risk of harm to affected residents;

The notice deadline is 30 days, as opposed to "in the most expedient time possible and without unreasonable delay";

Breach notification by email is prohibited if a breach involves a username, password or other login credentials to an email account furnished by the licensee;

The law specifies information that must be included in a breach notification;

Notice must be made to the attorney general if there are more than 500 affected residents;

There is no safe harbor for data controllers subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act;

Notice must be provided to consumer reporting agencies if the breach affects more than 1,000 persons.

Connecticut SB 1058 was enacted June 26 and went into effect Oct. 1. Amendments include:

Adding "precise geolocation data" to the definition of "personal information";

Depositing civil penalties into a "privacy protection guaranty and enforcement account";

Designating a violation as an unfair trade practice under Conn. Gen. Stat. § 42-110b.

Rhode Island SB 5684 was enacted June 27 and went into effect upon passage. Amendments include:

Adding definitions for "classified data" and "cybersecurity incident";

Shortening the notification period to individuals from 45 days to 15;

Requiring notification to the state police within 24 hours;

Specifying what must be included in a notification.

STATE REGULATION

California

In March, the California Privacy Protection Agency received approval of its first substantive rulemaking implementing the California Consumer Protection Act as amended by the California Privacy Rights Act. The regulations became effective March 29, but enforcement of some provisions has been delayed until March 29, 2024. The regulations include:

Methods for allowing consumers to exercise the right to correct personal information;

Required terms that must be included in contracts between businesses and the service providers and third parties with whom personal information is shared or disclosed;

Modified notice requirements;

Additional guidance on what constitutes a "dark pattern";

Expectations regarding opt-out preference signals.

New York

In November, amendments to New York's cybersecurity regulations were adopted by the Department of Financial Services with staggered implementation dates for covered entities, small businesses, and Class A companies.

The amendments include:

Creation of a category for "Class A companies" based on revenue in New York, and number of employees or global revenue;

Heightened security measures for Class A companies;

Annual penetration testing by a qualified internal or external party;

Automated or manual scans of information systems;

Risk assessments reviewed and updated annually, or as necessary;

Multi-factor authentication for any individual accessing any information system;

Notification to the Superintendent of any cybersecurity incident within 72 hours;

Annual certification of compliance, or acknowledgment of noncompliance;

Notice and explanation of extortion payments made in connection with a cybersecurity incident.

FEDERAL REGULATION

Safeguards Rule

In September, the Federal Trade Commission announced its approval of an amendment to the Gramm-Leach-Bliley Act Safeguards Rule requiring nonbank financial institutions to report to the FTC the unauthorized acquisition of unencrypted customer information involving at least 500 consumers (a "notification event"). The amendment, which becomes effective May 13, 2024, also provides:

Notification must be made as soon as possible, and no later than 30 days after discovery of the event;

Notice must be provided through an online form that will be available on the FTC's website;

The notice must include:

the name and contact information of the reporting financial institution;

a description of the types of information that were involved in the notification event;

if the information is possible to determine, the date or date range of the notification event;

the number of consumers affected or potentially affected by the notification event;

a general description of the notification event; and

whether any law enforcement official provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.

CONCLUSION

2024 will undoubtedly be a remarkable year with respect to data privacy and security legislation and regulation and we expect an increased focus on issues related to the use of artificial intelligence. For more information and insight from Maurice Wutscher on data privacy and security laws and how to stay compliant click here.

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751

Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

Financial Services Law Updates

and

The Consumer Financial Services Blog™

and

Webinars

PLEASE NOTE:

The editor and sponsoring law firm of this blog represent and serve banks, lenders, loan buyers, loan servicers, debt collectors, and other financial services companies. We do not represent consumers.

Any communications or information obtained may be provided to our clients, including for the purpose of debt collection.

The information in this blog and related updates is general in nature, and should not be considered legal advice.

Legal advice requires a full and complete understanding of a particular situation. Your situation may involve material facts that prevent the direct application of the information in this blog and related updates.

You will not become a client of the editor or sponsoring law firm simply by reading this blog.

In order to become a client of the editor or sponsoring law firm, the editor or sponsoring law firm must agree to represent you in writing.

Until we agree to represent you in writing, we are not prevented from representing any other party.

Until you are a client of the editor or sponsoring law firm, any communications with us will not be confidential.

The Editor's Bio

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, 33rd Floor
Chicago, Illinois 60602
Direct: (312) 493-0874
RWutscher@MauriceWutscher.com
https://www.MauriceWutscher.com/

Ralph Wutscher's practice focuses primarily on representing depository and non-depository mortgage lenders and servicers, as well as mortgage loan investors, distressed asset buyers and sellers, loss mitigation companies, automobile and other personal property secured lenders and finance companies, credit card and other unsecured lenders, and other consumer financial services providers. He represents the consumer lending industry as a litigator, and as regulatory compliance counsel.

Ralph has substantial experience in defending private consumer finance lawsuits, including cases ranging from large interstate putative class actions to localized single-asset cases, as well as in responding to regulatory investigations and other governmental proceedings. His litigation successes include not only victories at the trial court level, but also on appeal, and in various jurisdictions. He has successfully defended numerous putative class actions asserting violations of a wide range of federal and state consumer protection statutes. He is frequently consulted to assist other law firms in developing or improving litigation strategies in cases filed around the country.

Ralph also has substantial experience in counseling clients regarding their compliance with federal laws, and with state and local laws primarily of the Midwestern United States. For example, he regularly provides assistance in connection with portfolio or program audits, consumer lending disclosure issues, the design and implementation of marketing and advertising campaigns, licensing and reporting issues, compliance with usury laws and other limitations on pricing, compliance with state and local “predatory lending” laws, drafting or obtaining opinion letters on a single- or multi-state basis, interstate branching and loan production office licensing, evaluations and modifications of new or existing products and procedures, debt collection and servicing practices, proper methods of responding to consumer inquiries and furnishing consumer information, as well as proposed or existing arrangements with settlement service providers and other vendors, and the implementation of procedural or other operational changes following developments in the law.

Ralph is a member of the Governing Committee of the Conference on Consumer Finance Law. He is also the immediate past Chair of the Preemption and Federalism Subcommittee for the ABA's Consumer Financial Services Committee. He served on the Law Committee for the former National Home Equity Mortgage Association, and completed two terms as Co-Chair of the Consumer Credit Committee of the Chicago Bar Association.

Ralph received his Juris Doctor from the University of Illinois College of Law, and his undergraduate degree from the University of California at Los Angeles (UCLA). He is a member of the national Mortgage Bankers Association, the American Bankers Association, the Conference on Consumer Finance Law, DBA International, the ACA International Members Attorney Program, as well as the American and Chicago Bar Associations.

Ralph is admitted to practice in Illinois, as well as in the United States Court of Appeals for the Seventh Circuit, the United States District Courts for the Northern and Southern Districts of Illinois, and the United States District Court for the Eastern District of Wisconsin, and has been admitted pro hac vice in various jurisdictions around the country.