Security Breach-the New Bandwagon
Twenty states have already passed legislation governing notification of affected persons in the event of a security breach. Another dozen or more states are cooking up legislation. Even New York City has its own ordinance, although it will be trumped by the New York State statute when it becomes effective in December. Some states’ laws (e.g. Oregon) are so badly drafted that a worker who misplaces a Blackberry could face fines for violating peoples’ privacy. In the meantime, class action lawyers who used to wait by the ticker tape for inspiration nowadays scan the news headlines for the latest corporate security breach.
Like snowflakes, no two security-notification bills are exactly like. Until Congress enacts a uniform data breach law, one that preempts state laws, compliance following a security breach can mean having to assemble a mosaic of state notification laws to figure out what to do, whom to notify, how, and when—often in a matter of days.
The good news is, we’ve already done that.
Hacking in Hackensack
Now that the kids are back in school and the foliage is turning, compliance officers and bank attorneys returning from vacation will find a high-risk environment for companies that fail to make data security a top priority. Consider the stakes. Several financial institutions severed or are considering severing ties with CardSystems, Inc., a payment processing company, after it announced in May that 40 million credit and debit card accounts were left vulnerable to hackers in one of the biggest breaches of consumer data security to date. That could put the company out of business.
Meanwhile, the hackers were busted in Hackensack, NJ. We couldn’t make that up.
For more information, contact Obrea Poindexter (firstname.lastname@example.org).
When an NSF Fee is a "Loan"
Consumer groups are taking aim at overdraft fees, sometimes called "bounce" protection services. They want them treated as short-term loans, subject to the Truth in Lending Act. H.R. 3449, just introduced in August, would force banks to treat overdraft protection fees as a finance charge subject to TILA disclosures, require prior written consent for financial institutions to charge overdraft fees, and require ATM operators to alert consumers when transactions are likely to trigger overdraft protection fees. Consumer groups are also challenging payment processing protocols, attacking the common industry practice of processing items from high to low, and seeking legislation that would require sequential processing. In addition, the federal banking agencies released guidance earlier this year encouraging financial institutions (i) to avoid the promotion of poor account management and (ii) to provide clear disclosures about the imposition of NSF fees.
For more information, contact Charlie Kennedy (email@example.com).
FDIC’s New Stored Value Proposal—Different, But Not Necessarily Better
Recently, the Federal Deposit Insurance Corporation issued a new proposed rule to replace the April 2004 proposed rule. The new proposal is intended to clarify when funds underlying stored value cards issued by depository institutions would constitute "deposits" under the Federal Deposit Insurance Act. The outcome of this proposal could affect the views of other agencies and the applicability of other laws, such as Regulation E (Electronic Fund Transfers), the USA PATRIOT Act section 326 rules, or Regulation D (reserve requirements). In addition, under the new proposal the FDIC solicits comment on whether it should treat the funds as "non-deposits" in those cases in which the insured depository institution sells stored value cards directly to cardholders without keeping any information relating to the cardholders’ identities.
No BS in BSA
The Federal Financial Institutions Examination Council released its 330-page Bank Secrecy Act/Anti-Money Laundering Examination Manual. The Manual was developed in conjunction with the federal banking agencies, and others. It emphasizes a banking organization’s responsibility to establish and implement risk-based policies, procedures, and processes to comply with the BSA and safeguard its operations from money laundering and terrorist financing.
Fast Fax Fix
The Junk Fax Prevention Act of 2005, S. 714, overturns a pending FCC rule that, as of January 2006, would have eliminated the "existing business relationship" exception to the do-not-fax rules. Signed into law in July, the bill will allow businesses to continue to send faxes (such as rate sheets) to customers without a formal opt-in so long as they have an "existing business relationship" with the recipient. But there must be a "a clear and conspicuous notice on the first page" explaining how customers can remove themselves from distribution.
For more information, contact William Stern (firstname.lastname@example.org).