CFPB and New York Enter Into Consent Order over Credit Card Practices

By J. Riley Key, Lee Gilley and Jonathan R. Kolodziej on Posted in CFPB, Credit Card

CFPB and New York Enter Into Consent Order over Credit Card PracticesOn January 16, 2019, the Consumer Financial Protection Bureau (“CFPB”) and the Attorney General for the State of New York announced a consent order with Sterling Jewelers, Inc. (“Sterling”) related to Sterling’s credit card practices.

The consent order alleges that Sterling employees indicated they were either checking to see how much credit the consumer would qualify for or that the consumers were completing a survey or enrolling in a rewards program, when, in reality, Sterling was completing credit card applications for consumers without their knowledge or consent. The CFPB and New York characterized this conduct as a deceptive act or practice in violation of the Consumer Financial Protection Act of 2010 (“CFPA”). The CFPB and New York also alleged that this conduct violated the Truth in Lending Act’s prohibition against issuing a credit card except in response to an oral or written request or application.

The CFPB and New York also cited Sterling for violations of the CFPA related to alleged misrepresentations regarding certain financing terms, including the applicable interest rate, monthly payment amount, and eligibility for promotional financing. Finally, the CFPB and New York alleged that Sterling engaged in unfair acts or practices by enrolling consumers in optional payment protection plan insurance without informing consumers that they were being enrolled or by misleading consumers as to the product for which they were signing up.

Under the terms of the consent order, in addition to injunctive relief, Sterling is required to pay a $10 million civil money penalty to the CFPB and a $1 million civil money penalty to the State of New York.

While the CFPB has adopted a more business friendly approach since Director Richard Cordray’s resignation, this consent order illustrates the CFPB’s willingness to use the CFPA to pursue penalties related to conduct that it deems to be unfair or deceptive.

Credit card issuers would be wise to carefully review account opening practices to identify potential unfair, deceptive, or abusive conduct.

As Federal Shutdown Continues, Financial Regulators Seek to Address Related Impacts

By David Roth and J. David Stewart III on Posted in Federal Agencies

As Federal Shutdown Continues, Financial Regulators Seek to Address Related ImpactsWith no immediate end in sight to the current federal shutdown, financial regulators are seeking to minimize the adverse impacts of the shutdown on individuals. In a January 11, 2019, press release, the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and other regulators issued a joint press release wherein the agencies acknowledged that “affected borrowers may face a temporary hardship in making payments on debts such as mortgages, student loans, car loans, business loans, or credit cards.” While the agencies suggested that these effects “should be temporary,” they “encourage[d]” the regulatory community to “consider prudent efforts to modify terms on existing loans or extend new credit to help affected borrowers.” The agencies specifically opined that “[p]rudent workout arrangements that are consistent with safe-and-sound lending practices are generally in the long-term best interest of the financial institution, the borrower, and the economy.” Perhaps most importantly, the agencies offered an olive branch to a regulated community that might be reticent to take the agencies’ advice and pursue strategies to address borrower issues and financial exigencies caused by the shutdown: “Such efforts should not be subject to examiner criticism.” As the shutdown continues, regulators and Congress may continue to intervene in the ordinary operations of the financial system to assist impacted employees and families who find themselves facing unexpected financial difficulties. Additionally, the financial services industry should consider developing standardized processes and strategies to address shutdown-related hardship requests submitted by borrowers and also monitor closely legislative and regulatory activities to see what additional measures may be considered as the shutdown remains in place.

Effect of Government Shutdown on Consumer Bankruptcy Proceedings

By Elizabeth R. Brusa and Alexandra Dugan on Posted in Bankruptcy, Federal Agencies

Effect of Government Shutdown on Consumer Bankruptcy ProceedingsOn December 22, 2018, the federal funding for certain agencies lapsed, and the United States government entered into a partial shutdown. The U.S. Department of Justice (DOJ), including the United States Trustee Program (USTP), was one of the agencies that shut down. United States Trustees (“UST”) representing the USTP appear and litigate in a multitude of bankruptcy proceedings. USTs also actively participate in out-of-court settlement discussions, plan negotiations, and the like. Pursuant to the partial shutdown, regular operations at the USTP ended, with only “excepted employees” continuing work on limited matters.

USTP excepted employees comprise a total of 35 percent of its employees. Excepted employees work without pay during the shutdown but will receive back pay after the government reopens.  Remaining USTP employees who are not excepted are furloughed and will only receive compensation if Congress passes a bill allowing for it.

The contingency plan sets forth changes in the duties of DOJ employees. The contingency plan directs that civil litigation be halted except where the safety of human life or protection of property are at stake. Much of the civil litigation in which the USTP is a party does not involve such issues. The contingency plan further notes that DOJ attorneys should request stays in civil cases and reduce civil litigation staffing only to that necessary to protect human life and property. Several UST and DOJ attorneys involved in bankruptcy litigation have filed motions seeking stays of proceedings and extension of deadlines until the government reopens.

As the USTP continues to operate with its skeletal staff, certain bankruptcy processes will likely encounter delays. Although federal courts have rearranged funds to remain operational through January 18, should the shutdown extend beyond that date, bankruptcy matters such as plan confirmations and other court hearings will encounter similar delays.

Proceedings involving Chapter 7 and 13 trustees, including out-of-court discussions or negotiations, are unlikely to be delayed as these parties receive payments outside of government assistance.

What Does This Mean for the Financial Services Industry?

It appears that the shutdown will most strongly impact bankruptcy litigation in which the USTP is a party or heavily involved and final disbursements in cases which require USTP approval. Out of court, because the USTP is directed by the contingency plan to work only on crucial matters, certain matters such as settlement discussions and plan negotiations will likely be postponed. Accordingly, although the shutdown may interfere with proceedings that would require USTP approval, other activities in consumer bankruptcy cases should not be impacted or altered. However, court delays may occur if the shutdown continues past January 18.

Ohio Updates Licensing Requirements to Include Servicers, MSR Holders

By Kristen Birdsall Brenchley on Posted in Compliance, Licensing, Mortgage Servicing, State Law Developments

Ohio Updates Licensing Requirements to Include Servicers, MSR HoldersFollowing a recent trend in the financial services regulatory arena, Ohio recently passed legislation requiring mortgage servicers, including entities that merely hold mortgage servicing rights (MSRs), to obtain a Residential Mortgage Lending Act Certificate of Registration in the state. Substitute House Bill 489, which passed the legislature on December 5, 2018, and was signed by Gov. John Kasich on December 19, 2018, amends the Ohio Residential Mortgage Lending Act to include mortgage servicers among those companies that must obtain a Certificate of Registration.

Notably, the added definition of “mortgage servicer” under the revised statutes includes an entity that holds MSRs. The inclusion of MSR holders follows a recent trend among states to capture this activity under state licensing regimes. For example, Pennsylvania’s recent statutory updates included requirements for MSR holders to obtain a mortgage servicing license.

The statute takes effect 91 days from the date that it is sent to the Secretary of State, which has not yet occurred. If you have questions regarding filing an application or compliance with this new requirement, we would be happy to assist.

U.S. Fifth Circuit Rejects “Vicarious Liability” Theory under RESPA

By Michael Bentley on Posted in Banking, RESPA

U.S. Fifth Circuit Rejects “Vicarious Liability” Theory under RESPAThe Real Estate Settlement Procedures Act (RESPA), 12 U.S.C. § 2605, regulates loan servicers and makes servicers liable for violations of and consumer-protection regulations promulgated under the act. In many cases, plaintiffs seek to hold banks and mortgage owners—so called “principals”—vicariously liable for a servicer’s violations of RESPA. That theory has met with some success in federal district courts, which are divided on the question (see Benner v. Wells Fargo Bank, N.A., which discusses the split of authority and joining minority of district courts that allow “vicarious liability” claims under RESPA). Though the theory has been pursued and discussed in district court opinions for at least eight years, no federal appellate court had addressed the issue of vicarious liability under RESPA – until now.

In December 2018, the U.S. Court of Appeals for the Fifth Circuit rejected the “vicarious liability” theory under RESPA, becoming the first—and, to date, only—circuit court to address the issue.  In Christiana Trust v. Riddle, the plaintiff—facing a judicial foreclosure suit—alleged that her mortgage servicer, Ocwen Loan Servicing, LLC, had violated loss-mitigation regulations promulgated by the Bureau of Consumer Financial Protection pursuant to RESPA. The plaintiff also alleged that Bank of America, N.A., the mortgage holder, was vicariously liable for Ocwen’s alleged RESPA violations. The district court dismissed the RESPA claims against Bank of America, and the Fifth Circuit affirmed.

The Fifth Circuit rejected the vicarious liability theory based on a plain reading of RESPA, which imposes duties only on loan “servicers.” The court reasoned that Congress could have imposed liability broadly on “whoever fails to comply or whoever has hired an agent who fails to comply” with RESPA, but Congress specifically limited RESPA’s obligations to “servicers” and restricted liability to “whoever fails to comply with any provision of [the Act].” Only servicers, the court reasoned, can fail to comply with the act. In reaching its conclusion, the Fifth Circuit expressly rejected the rationale of Rouleau v. US Bank, N.A., which is the leading case adopting vicarious liability under RESPA. In the Fifth Circuit’s view, Rouleau’s view that Congress incorporated ordinary tort rules, including broad vicarious liability rules, into RESPA was refuted by Congress’s decision to expressly limit liability to the person who actually fails to comply with the act—the servicer alone.

While the Fifth Circuit’s decision in Christiana Trust does not resolve the nationwide split of authority on the RESPA vicarious liability issue, it could spell the end of the theory’s advancement. For starters, the decision is binding precedent that forecloses vicarious liability claims in three states, including Texas—the second most populous state in the country. And because circuit court opinions are persuasive authority in district courts outside of the circuit, the Fifth Circuit’s rejection of the vicarious liability theory may make district courts around the country more hesitant to embrace it—effectively locking the theory into an extreme minority position.

New Year, New Data Security Requirement: South Carolina Adopts New Data Security Law

By Erin Jane Illman and Heather Cain Hutchings on Posted in Cybersecurity, Data Privacy, Insurance

New Year, New Data Security Requirement: South Carolina Adopts New Data Security LawOn January 1st, South Carolina became the first state to adopt the model insurance data security law requiring certain insurance licensees to investigate and report cybersecurity events in the state of South Carolina. The law also requires licensees to develop, implement and maintain written information security programs that are tailored to the size, complexity and risk level of the particular licensee. The information security program must contain administrative, technical and physical safeguards to protect nonpublic information and the licensee’s information system. Licensees will also be required to impose information security obligations on certain third-party service providers.

The South Carolina Insurance Data Security Act, which became law in mid-2018, applies to South Carolina insurance licensees and registrants and to persons required to be licensed, registered or authorized to conduct insurance business in South Carolina. This does not apply to purchasing groups or risk retention groups chartered and licensed in another state and any licensee that acts as an assuming insurer that is domiciled in a state other than South Carolina. The act exempts certain licensees, including those with fewer than 10 employees (including independent contractors) and those subject to the Health Insurance Portability and Accountability Act (HIPAA), provided that the licensee has established and maintains a HIPAA-compliant information security program and submits a written statement certifying compliance to the director of the South Carolina Department of Insurance.

Notably, the act relates to cybersecurity events involving “nonpublic information.” In addition to consumers’ personally identifiable information and health information, the act covers business-related information of a licensee, the compromise of which could cause material adverse impact to the business, operations or security of the licensee.

A licensee must conduct a prompt investigation if it learns that a cybersecurity event has occurred or may have occurred. The investigation must allow the licensee to: (1) determine whether a cybersecurity event occurred; (2) assess the nature and scope of the event; (3) identify nonpublic information that may have been involved; and (4) take reasonable measures to restore the security of the information systems to prevent further compromise. The licensee’s investigation requirements extend to cybersecurity events that may have occurred in a system maintained for the licensee by a third-party service provider.

Within 72 hours of determining that a cybersecurity event has occurred, a licensee must notify the director if either:

  1. the licensee is an insurer domiciled in South Carolina or a producer whose home state is South Carolina; or
  2. the licensee reasonably believes that the nonpublic information related to at least 250 consumers residing in South Carolina, and
  3. either the cybersecurity event requires the licensee to notify any governmental, regulatory or supervisory body or
  4. the cybersecurity event has a reasonable likelihood of materially harming a South Carolina consumer or material part of the normal operations of the licensee.

The act requires the licensee to report as much information about the event as soon as possible, and sets forth a list of 13 required data points.

Although the cybersecurity incident reporting requirements are effective immediately, licensees have until July 1, 2019, to comply with the internal information security program elements of the act and until July 1, 2020, to comply with the third-party service provider provisions.

Covered entities should have already consulted (or be in the process of consulting) their company’s data security experts, compliance teams, and legal advisers to put in place an information security program and policy that complies with South Carolina’s new law. It is important that companies have a plan and be in position to effectively utilize the plan to ensure compliance with this new requirement.

FDIC Signals Strong Support for De Novo Bank Formations

By R. Alan Deer on Posted in Banking, Federal Agencies, Insurance

FDIC Signals Strong Support for De Novo Bank FormationsThe FDIC over the past few years has taken meaningful steps to facilitate and promote the formation of de novo banks. Late last week, the agency made several significant moves to bolster that effort. In separate actions, the FDIC:

  • issued a request for information seeking comments on how to improve the deposit insurance application process;
  • issued an update to its publication entitled Applying for Deposit Insurance – A Handbook for Organizers of De Novo Institutions and issued its Deposit Insurance Applications Procedures Manual in final form;
  • established a process to allow prospective organizers the option to request FDIC review of a draft deposit insurance proposal prior to filing an official application; and
  • republished its timeframe guidelines for processing deposit insurance applications for de novo banks and other filings.

These actions leave little doubt that regulatory conditions are more receptive to bank startups than at any time since the financial crisis, which should be welcome news for interested organizers and investors. For more information on the application process, including our own experiences, see our recent article De Novo Banks on the Rise.

Financial Institutions Targeted by “London Blue” Hackers Group

By Steve Snyder on Posted in Banking, Cybersecurity, Data Privacy, Identity Theft / Privacy, Phishing

Financial Institutions Targeted by “London Blue” Hackers GroupA cyber threat detection company has identified a Nigerian-based hacking group that is engaging in a spearphishing campaign against financial institutions. Spearphishing is a directed email phishing campaign that is typically aimed at those with responsibilities relating to financial transactions. In this case, the group in question has compiled a list of over 35,000 CFOs working at financial institutions, with over half of them in the U.S. While the existence of this group, “London Blue,” and this list of CFOs is new, the scam the group is perpetrating, referred to as business email compromise, is not new. In fact, it is a progression of social engineering scams perpetrated in large part by Nigerians. The “Nigerian prince” email scam has been around almost as long as email, originating from a scam using written letters that dates back to the 1800s. The Nigerian prince scam typically identifies some wealthy individual that needs help transferring money with promises of riches in exchange for assistance. But first the mark has to contribute a small amount of money to facilitate the big payday. The Nigerians, having honed their social engineering skills with that scam, have now turned to the more organized and lucrative business email compromise scam.

What Is Business Email Compromise?

There is a reasonably high likelihood that your corporate email accounts are besieged by phishing emails with those handling financial transactions receiving more particularized treatment. Hopefully, all of it is being caught before it reaches your inbox. But if not, you may encounter several variants. Some try to trick you into entering your credentials into a fake login screen, allowing the perpetrator to capture your username and password. Others induce you to open a file or click a link that installs malware. This constant probing has been going on for years, but most people may not know what happens when the perpetrators succeed. Well, as we have seen in the news, there are all sorts of dangers that can spawn from such an attack. It can be the entry point for ransomware, an active ongoing attack (referred to as an advance persistent threat), or it could just be used passively to monitor until the time is right. But perhaps the most likely purpose is to gain access to perpetrate business email compromise.

The typical business email compromise involves the scenario where a party is duped into transferring money to a fraudulent account through email correspondence. While there are innumerable scenarios as to how it can play out, the typical scenario is that one or both parties to a transaction have their business email accounts compromised, and the perpetrator uses the compromised accounts to trick one party into wiring money to a fraudulent account.  This is often done by either intercepting a legitimate invoice and altering the details, or sending a follow up to an original invoice informing the payee that payment details have changed.

Fallout

These scams are particularly damaging because they often result in the loss of large sums of money and both parties to the transaction feeling aggrieved. One is out the money, and the other has not been paid for goods or services. They also leave victims feeling completely helpless when they finally figure out something went wrong. The responsibility often appears to fall to one or two people who, in hindsight, could have identified the attempt and avoided the transfer. But companies need to look beyond just one person’s actions. There are many layers of policies, procedures, and controls that can prevent business email compromise from succeeding.

What Can Be Done?

If you have gotten this far, you have taken the first and most important step of starting to educate yourself. First, you need to understand and accept that this is very common. The FBI has tracked over 40,000 incidents totaling over $5 billion in a three-year period ending in December 2016, and this number is only growing. Business email compromise was the No. 1 internet crime reported to the FBI in 2017 as ranked by victim loss. If you are involved in the transfer of money or managing those that do, you are one of the prime reasons that hackers are sending waves of phishing emails, and groups such as London Blue are using more and more sophisticated spearphishing means. They may specifically target you, or they may seek you out once they have already infiltrated your corporate network. In any case, the best assumption you can make is that every email that contains wire transfer instructions was not written by the person it purports to be from and the account numbers are not legitimate. In other words, trust emailed money transfer instructions at your own peril. Whatever convenience businesses may achieve from relying on emailed wire instructions is almost certainly offset by the huge risk created by the practice.

Every organization should perform a full risk assessment and implement best practices that are appropriate, but the following are some high-level considerations. Taking measures to secure email is a first step. There are many end point protection and network-level security controls that can help minimize the number of phishing emails that reach a user, prohibit a script or program from being run, or prevent a fake login screen that can be used to exfiltrate credentials. Nevertheless, even with a robust set of those controls in place, organizations should also take measures to minimize the ability of any unauthorized party that has credentials to access and use email and other aspects of the network. Many organizations use cloud hosted email services that come with huge vulnerabilities along with the convenience if they are not secured properly. Two-factor authentication is a big deterrent to unauthorized use of email. Also, restricting logins by location can help. There is no reason that merely getting a username and password should allow a hacker from another continent to login and use a corporate email account.

In addition to security controls, procedures around transferring money can all but solve this issue. It may sound simplistic but using some form of two-factor authentication for the confirmation of a wire transfer can defeat this scam in the vast majority of cases. This is typically done by voice verification, i.e., picking up the phone. This is critical because, in many cases, there is no amount of scrutinizing email correspondence itself that will eliminate the risk. It could be actually originating from the correct person’s email account, and everything could be precisely accurate except for the account number. So probably the most important takeaway is to take action today: Initiate procedures to protect your company by requiring a secondary confirmation either over the phone or some other way that is not tied to email credentials whenever a money transfer is involved.

It’s Too Late, So What Do I Do?

If you found this too late and just learned your company was victimized, you need to act very quickly. Immediately contact your bank that originated the transfer and the FBI to report it. Your bank may be able to reverse the transfer and recover some or all of the money, and the FBI has a dedicated portal for this type of activity. You will also want guidance from a trusted legal advisor to navigate these unfortunate waters. And, of course, whatever the outcome, incorporate it into lessons learned and prepare your organization to prevent future loss.

To Catch a Terrorist – Innovation, AI, and Public/Private Partnerships in the World of BSA/AML

By Lyndsay E. Medlin and Erin Jane Illman on Posted in Anti-Money Laundering, Banking, Cybersecurity, Data Privacy, FinCEN

To Catch a Terrorist – Innovation, AI, and Public/Private Partnerships in the World of BSA/AMLOn the heels of FinCen and Federal Banking Agencies releasing a joint statement “Encouraging Innovative Industry Approaches to AML Compliance,” Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker announced a new collaborative era during the American Bankers Association’s Financial Crimes Conference, and emphasized the need for private/governmental working relationships and partnerships in order to combat new and sophisticated avenues that fund terrorism and facilitate money laundering. The message is simple: As technology-enabled crime proliferates, private entities and governments alike must evolve and innovate to combat this growing threat.

The joint statement and Mandelker’s comments are tailored to build trust with financial institutions by focusing on three core principles – information, innovation, and targeted action, the focus on which, is beneficial to banks and companies who, in good faith, are working to strengthen their BSA/AML processes. The government wants financial institutions to “consider, evaluate, and where appropriate, responsibly implement” new machine learning technology to better detect suspicious activity, and regulatory bodies should, moving forward, support pilot programs for the use of emerging technology in data analytics rather than stifling good faith innovation with sometimes antiquated supervisory criticism.

Per Mandelker, the government is engaging in working groups to facilitate relationships with the industry, and it’s the government’s intent that the exchange of information about suspicious transactions and persons won’t be one-sided. The crux of machine learning and predictive intelligence relies on vast quantities of data—and organizations must be comfortable sharing that data in order to fully utilize the promise of these innovations. As a result, regulatory agencies are committing to sharing information with financial institutions. Of note, examples of the type of information the government believes essential to share with financial institutions are advisories, such as FinCen’s October 11, 2018, publication outlining red-flag activities by Iran used to exploit banking systems. Similarly, in the cryptocurrency regulatory “Wild West,” the government recently demonstrated its commitment to sharing information with private partners on a transaction-specific level by publicly sharing, for the first time, the digital currency addresses of cybercriminal co-conspirators involved in the recent SamSam malware attack that devastated cities, universities, and medical centers.

The government’s efforts to appear more approachable and enter the 21st century are welcomed by the industry as a much-needed update in the BSA/AML field, where compliance personnel find old frameworks increasingly difficult to apply to today’s real-world situations. As financial institutions invest in machine learning, blockchain and even branch into cryptocurrency (or customers who dabble in exchanges), BSA/AML protocols will continue to improve, and encouragement by the government is an overwhelming positive in the fight against terroristic financing.

Companies should consider how their current BSA/AML practices can be enhanced by current innovations and available data. A strong understanding of both the technology and the law will be essential as we move into a new age of data sharing between public enterprise and government regulators.

Canadian Confidential: Mandatory Data Breach Notifications under PIPEDA

By E. Tyler Samsing on Posted in Cybersecurity, Data Privacy

Canadian Confidential: Mandatory Data Breach Notifications under PIPEDAWhile businesses and consumers were all agog to see the latest variation of the California Consumer Privacy Act passed earlier this year, Canada quietly introduced its latest permutation to the Personal Information Protection and Electronic Documents Act (PIPEDA), which imposes new mandatory breach notification obligations on companies engaged in the collection of Canadians’ personal information. U.S. companies engaged in business across the northern border or that collect personal information of Canadian citizens in the United States should take heed because PIPEDA’s reach is far ranging.

By way of background, PIPEDA is built upon a foundation of 10 fair information principles – accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Keen observers may note similarities with certain principles announced in the General Data Protection Regulation’s (GDPR)’s Recitals, but Canada’s 10 principles hew to the tenets set forth in the Model Care for the Protection of Personal Information, which has been recognized as a Canadian national standard since 1996. With these principles in mind, on April 13, 2000, Canadian legislators enacted PIPEDA, which was later amended by the Data Privacy Act on June 18, 2015. The Data Privacy Act set forth new mandatory breach notification obligations, but these obligations were put on hold until November 1, 2018.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province or territory they are based. Moreover, Canadian courts have ruled that U.S. companies with no operations in Canada may still be subject to PIPEDA if they collect the personal information of Canadian citizens. Even the indirect collection of Canadians’ personal information, such as through a service contract, would subject a U.S. company to PIPEDA. In short, U.S. companies should be hyper aware of any transaction that could involve the collection of Canadians’ personal information and ensure that their business practices are compliant with PIPEDA.

There are three main mandatory breach notification obligations as set forth under PIPEDA. First, an organization subject to PIPEDA must keep records of all situations involving a “breach of security safeguards,” which is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information. “Personal information” is defined quite broadly to apply to any information that can be linked to an individual and includes such mundane information as age, name, ID numbers, income, and ethnic origin, but also includes out of the ordinary information such as blood type, opinions, evaluations, comments, and social status, among others. That said, exclusions exist for businesses collecting, using, or disclosing certain business contact information of an individual solely for the purpose of communicating or facilitating communication with the individual in relation to the individual’s employment, business, or profession. A “commercial activity” is any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Second, covered organizations must provide written notice of a breach to the Privacy Commissioner of Canada if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. The report to the commissioner would need to describe the breach, when it occurred, the personal information at issue, the estimated number of individuals affected, and the steps that the organization is taking in response.

Third, covered organizations must notify affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. In addition to the information that should be provided to the commissioner, the notice to the individual would need to include information about the business’ complaints process and the individual’s rights under PIPEDA.

Additionally, businesses are obligated to keep and maintain records of every breach of security safeguards. They also must, on request, provide the commissioner with access to copies of these records. The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred.

Any breach of these obligations may result in the imposition of a fine not exceeding $100,000 for each time an individual is affected by a security breach.

Unlike the notice to the commissioner that must be in writing, an organization can notify affected individuals in person, by telephone, via mail or email, or any other form of communication that a reasonable person would consider appropriate in the circumstances. In a nod to the practicalities of an organization dealing with the immediate aftermath of a breach, PIPEDA only requires notice to be provided “as soon as feasible.”

Unlike the American privacy system, which is a hodgepodge of state and federal laws, the Canadian approach is unified and comprehensive. U.S. companies should review their privacy policies and update their incident response plans to account for data of Canadian citizens. Failure to do so may result in financial damages as well as reputational loss. With these amendments to PIPEDA, Canada is cementing its position as a protector of its citizens’ privacy. Those doing business in the Great White North should engage accordingly.

LexBlog