Meltdown of the Iran Nuclear Deal—Sanctions Update

By Blake B. Goodsell on Posted in Anti-Money Laundering, Federal Agencies, Financial Sanctions, FinCEN, OFAC

Meltdown of the Iran Nuclear Deal—Sanctions UpdateOn May 8, 2018, President Donald Trump announced that the United States would no longer participate in the Joint Comprehensive Plan of Action (JCPOA), the international agreement regarding Iran’s nuclear activities and sanctions imposed on Iran that was entered into in July 2015. The Treasury Department’s Office of Foreign Asset Control quickly issued a frequently asked questions bulletin explaining how the U.S. will re-impose sanctions that had been lifted pursuant to the JCPOA. The U.S. withdrawal from the deal will occur over either a 90-day (ending August 6, 2018) or 180-day (ending November 4, 2018) wind-down period, depending on the type of activity at issue. Here are some key takeaways:

  1. Until the expiration of the applicable wind-down period, all prior guidance, waivers, and licenses effectively remain in place (though under temporary wind-down waivers).
  2. Non-U.S. persons owed payment for goods or services supplied to non-Iranian persons that were legal under the JCPOA can still receive payment even after expiration of the wind-down period provided such payments do not involve U.S. persons or the U.S. financial system.
  3. All persons removed from the SDN (Specially Designated Nationals) List under the deal will be re-designated as such by November 5, 2018. These persons and entities will be subject to secondary sanctions after that date. Secondary sanctions are those targeting non-U.S. citizens and companies abroad that interface with the U.S. financial sector. This category of sanctions has been used particularly aggressively as it relates to Iran.
  4. Any specific or general licenses extended under the JCPOA will be revoked, including the licenses related to commercial aircraft sales and the importation of Iranian carpets and foodstuffs. Any applications still pending will be denied.

Because of the complexity of U.S. sanctions, individuals should confer with an attorney about the application of the new authority to their specific circumstances.

Florida Third District Court of Appeal’s Ruling in Favor of Reverse Mortgage Lender Signals New Positive Outlook for Non-Borrowing Spouse Issue

By James W. Wright Jr. and R. Aaron Chastain on Posted in Litigation Developments, Reverse Mortgage

Florida Third District Court of Appeal’s Ruling in Favor of Reverse Mortgage Lender Signals New Positive Outlook for Non-Borrowing Spouse IssueReverse mortgage lenders received a significant victory in Florida’s Third District Court of Appeal last week when the court issued its decision in OneWest Bank, FSB v. Palmero. After previously ruling in Smith v. Reverse Mortgage Solutions, Inc. and Edwards v. Reverse Mortgage Solutions, Inc. that the surviving spouses of borrowers who had taken out reverse mortgage loans also qualified as “borrowers” under the terms of the mortgage and thus had the right to remain in the property after the death of a spouse, the court changed course in Palmero, outlining the conditions under which a lender could prove that “borrower” meant only the person who actually “borrowed” the money.

In Palmero, the lender brought a foreclosure action against Luisa Palmero, claiming that her deceased husband Roberto had taken out a reverse mortgage and that his death triggered the lender’s right to accelerate the mortgage debt and commence foreclosure proceedings. The mortgage granting the security interest to the lender defined the borrower as “Roberto Palmero, a married man reserving a life estate unto himself with the ramainderman [sic] to Luisa Palmero, Idania Palmero, a single woman and Rene Palmero, a single man.” Mr. and Mrs. Palmero executed the mortgage on separate signature lines underneath the statement “BY SIGNING BELOW, Borrower accepts and agrees to the terms contained in this Security Instrument and in any rider(s) executed by Borrower and recorded with it.” However, only Mr. Palmero signed the promissory note evidencing the payment obligation associated with the reverse mortgage.

Further, only Mr. Palmero was named as the borrower in the loan application and loan agreement. Mrs. Palmero executed a “non-borrower spouse ownership interest certification” in which she certified that “should [her] spouse predecease [her] . . . and unless another means of repayment [was] obtained, the home where [she] reside[s] may need to be sold to repay Reverse Mortgage debt incurred by [her] spouse” and that “[i]f the home where [she] reside[s] [was] required to be resold,” Mrs. Palmero agreed that she understood “that [she] may be required to move from [her] residence.” After trial, the circuit court granted judgment in favor of Mrs. Palmero, concluding that (1) she was not a “borrower” under the terms of the mortgage and thus Mr. Palmero’s death triggered acceleration of the loan, but (2) that federal law prevented the lender from foreclosing on the property while Mrs. Palmero, the non-borrowing spouse, remained alive.

On appeal, a majority of the panel of the Third District Court of Appeal affirmed the circuit court’s holding that Mrs. Palmero was not a “borrower,” but reversed the judgment in favor of Mrs. Palmero by rejecting the argument that federal law precluded foreclosure. In holding that the circuit court properly determined that Mrs. Palmero was not a “borrower,” the court held that it was required to read all of the documents executed at the origination of the reverse mortgage together. The court determined that reading the definition of “borrower” in the mortgage, along with the loan application executed by Mr. Palmero, the note executed by Mr. Palmero, and the non-borrower spouse certification executed by Mrs. Palmero, made it clear that Mrs. Palmero was not a “borrower” under the reverse mortgage. The court recognized its prior holdings in Smith and Edwards in which it held that a foreclosing entity failed to demonstrate that it was entitled to foreclose against the surviving spouse on a reverse mortgage, but distinguished those cases based on the evidence of the contemporaneously signed documents that made it clear that Mrs. Palmero was not a “borrower.”

The court further held that federal law did not preclude the lender’s foreclosure. The court first held that Mrs. Palmero had failed to raise at trial the defense that federal law precluded the foreclosure, and thus the defense had been waived. The court also rejected the argument on the merits, finding that federal law did not require Mrs. Palmero to be a “borrower” in order for the reverse mortgage to be insurable by the federal government.

Going forward, Palmero stands as a significant cut against the broad interpretation of Smith and Edwards that many Florida trial courts had adopted in order to hold that a surviving spouse had the legal right to remain in property secured by a reverse mortgage after the borrower’s death. Palmero demonstrates that a lender may demonstrate that the surviving spouse is not a “borrower” under the mortgage by introducing the other documents executed at the time the loan is originated—most significantly, the non-borrower spouse ownership interest certification, in which the non-borrowing spouse expressly recognized the fact that the borrower’s death would allow the lender to accelerate the loan and proceed to foreclosure.

FFIEC Highlights Cyber Insurance for Financial Institutions

By G. Benjamin Milam on Posted in Cybersecurity, Data Privacy, FFIEC, Insurance

FFIEC Highlights Cyber Insurance for Financial InstitutionsThe Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement emphasizing the need for lenders and servicers to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most in the industry have already recognized: Cyber coverage is quickly becoming indispensable.

Among the points highlighted by the FFIEC:

  • Financial institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
  • Traditional insurance coverage may not cover cyber risk exposures.
  • Cyber insurance can be an effective tool for mitigating risk.
  • Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
  • The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.

Although not specifically mentioned in the FFIEC statement, financial institutions should be aware that cyber coverage can be an important source of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.

SEC Action Highlights Importance of Specific Language in Directors and Officers Insurance for Fintech and Other Startup Companies

By Heather Howell Wright on Posted in Federal Agencies, FinTech, Insurance

SEC Action Highlights Importance of Specific Language in Directors and Officers Insurance for Fintech and Other Startup CompaniesThe founder of Mozido, the fintech startup once claimed to be valued at $5.6 billion, has been named as a defendant in a civil lawsuit filed by the Securities and Exchange Commission (SEC). The complaint names Michael Liberty (and others) individually and also names corporate entities related to Mozido as defendants. This action by the SEC highlights the importance of ensuring adequate Directors and Officers (D&O) insurance for startup fintech entities and for their directors and officers. In addition, the fraud allegation illustrates the significance of negotiating specific language in the standard D&O fraud exclusion.

In its civil complaint, the SEC asserts that the defendants engaged in a “long-running fraudulent scheme using multiple fraudulent securities offerings” that “tricked investors into believing they were funding fast-growing startup companies.” The complaint further alleges that this fraudulent scheme “centered on MDO, a financial technology company (then known as Mozido LLC), and later on Mozido, Inc.” and that “Liberty claimed to be the founder of MDO and served as a de facto officer of MDO and Mozido, Inc.” The 66-page complaint asserts a number of securities fraud claims and seeks injunctive relief, disgorgement, and civil monetary penalties.

The typical D&O policy provides insurance coverage under three different insuring agreements, commonly known as Side A, Side B, and Side C coverage. Side A provides “direct” or personal liability coverage for individual directors and officers where the company cannot legally provide a defense or indemnify loss (where such indemnity is prohibited by state law) or where the company is financially unable to do so. Side B indirectly covers the individual directors and officers of the company by reimbursing the company for defense or indemnity payments that the company has made or is required to make on behalf of its directors and officers. Side C, which is also known as “entity coverage,” provides coverage for claims against the company itself. In short, D&O insurance may protect corporations from potentially sizable losses and also protects the individual directors or officers against those losses when corporate indemnification is not available.

The insuring agreement of most D&O policies will provide coverage for “loss” that is incurred as a result of a “claim” made for a “wrongful act.” While the specific language of D&O policies varies, the term “claim” typically refers to an assertion of a legal right or demand for payment by a third party against the insured, and the term “wrongful act” generally is defined as “actual or alleged act, error, misstatement, misleading statement, omission or breach of duty.” Importantly, the term “loss” usually includes defense costs; the value of the D&O policy in providing coverage in response to claims such as the SEC complaint is that the insurer should advance defense costs to an individual, or corporation, accused of offenses.

In addition, most D&O policies will include a “fraud exclusion,” which excludes coverage for claims based on an insured’s fraudulent act. A policyholder may incorrectly assume that a claim alleging a “long-running fraudulent scheme,” such as the SEC complaint, is excluded by a D&O policy. It is important to understand, however, that under the fraud exclusion language found in many D&O policies, allegations of fraud alone are insufficient to trigger the exclusion. For example, the fraud exclusion may apply only when there is an “actual finding of dishonesty or fraud,” a “final adjudication of fraud,” or better yet, fraud that is “established by a final and non-appealable adjudication.” Courts interpreting such narrow fraud exclusions, which are construed against the insurer, have generally found that “actual finding” requires a finding of fraud by a court. When such language is included in the fraud exclusion, the D&O insurer should provide coverage for claims such as the SEC complaint, unless and until a court finds the defendant has committed fraud.

Any fintech startup should work with coverage counsel and an experienced broker to identify risks and consider procurement of insurance to offset those risks. Counsel and the broker can help ensure that policy language, such as a narrow fraud exclusion, will maximize coverage to the insured in the event of a claim.

Do Servicers Have to Monitor Whether a Successor in Interest is in Bankruptcy? CFPB’s FAQ Suggests the Answer is “Yes”

By Jonathan R. Kolodziej on Posted in Bankruptcy, CFPB, Compliance, Mortgage Servicing, RESPA, TILA

Do Servicers Have to Monitor Whether a Successor in Interest is in Bankruptcy? CFPB’s FAQ Suggests the Answer is “Yes”As the effective date for the CFPB’s successor in interest and bankruptcy billing statement requirements quickly approaches, one question we’ve heard multiple times is whether a mortgage servicer is required to know when a confirmed successor in interest is in bankruptcy. The question stems from upcoming provisions in Regulations X and Z that will collectively say, in essence, that a confirmed successor in interest must be treated as if he or she is a borrower for the purposes of the mortgage servicing rules. Combine that mandate with specific requirements in the periodic billing statement and early intervention contexts that apply when “any consumer [or borrower] on a mortgage loan is a debtor in bankruptcy” and it becomes clear why many servicers have wondered whether a confirmed successor in interest’s bankruptcy might trigger the various bankruptcy-specific requirements in the mortgage servicing rules.

On March 20, 2018, the CFPB arguably settled the debate when it published a set of Frequently Asked Questions that primarily addresses issues related to the upcoming periodic billing statement requirements for borrowers in bankruptcy. However, towards the end of the FAQ the CFPB includes the following question:

Do servicers have a responsibility to know if a confirmed successor in interest is in bankruptcy for purposes of complying with the early intervention and periodic statement requirements?

The answer, which may be surprising to some, is “yes”:

Under Regulation X, § 1024.30(d) and Regulation Z, § 1026.2(a)(11), confirmed successors in interest are considered “borrowers” for purposes of the early intervention requirements and “consumers” for purposes of the periodic statement provisions. Because confirmed successors in interest are considered to be “borrowers” and “consumers” for the relevant parts of Regulation X and Regulation Z, servicers need to know whether confirmed successors in interest are in bankruptcy and may want to include them in any normal checks they utilize to identify borrowers in bankruptcy.

This means that yes, mortgage servicers do have to monitor whether a confirmed successor in interest is in bankruptcy and will, therefore, have to figure out how to include confirmed successors in interest in their standard bankruptcy checks. This may mean obtaining a confirmed successor in interest’s Social Security number or figuring out another way to determine whether a confirmed successor in interest is impacted by bankruptcy.

As the CFPB noted, if a borrower or consumer—and now a confirmed successor in interest—is a debtor in bankruptcy, a servicer’s obligations change in terms of early intervention contact and periodic billing statements. Although there are some nuances to the early intervention requirements when someone is in bankruptcy, servicers generally seem much more comfortable in that context as compared to the upcoming billing statement requirements when someone is impacted by bankruptcy. On April 19, 2018, new billing statement requirements will go into effect for when someone is in active bankruptcy or has received a discharge. There are certain scenarios where a servicer may be exempt altogether from sending periodic statements, but, when those exemptions do not apply, the upcoming law requires very detailed content and formatting modifications that take into account different chapters of bankruptcy.

In terms of required content on a periodic billing statement and whether a confirmed successor in interest’s status as a debtor in bankruptcy will trigger the modified billing statement obligations, the CFPB posed the following question in its FAQ:

Do the modifications to the periodic statement required for borrowers in bankruptcy apply if the borrower is a confirmed successor in interest in bankruptcy?

Given the CFPB’s response to the first question, you might not be surprised to learn that the answer is “yes”:

Under Regulation Z, § 1026.2(a)(11), confirmed successors in interest are borrowers for purposes of the periodic statement provisions, and so the periodic statement modification requirements for borrowers in bankruptcy in § 1026.41(f) would apply to the periodic statements supplied to that confirmed successor in interest in bankruptcy.

This means that not only will servicers have to figure out how to track whether a confirmed successor in interest is in bankruptcy, they will also have to figure out how to appropriately populate the periodic billing statement, in many cases with information that is specific to the successor’s bankruptcy case.

Together, these two questions and answers shed light on how the CFPB currently interprets the new law. They very clearly do believe that a confirmed successor in interest must be treated as a borrower or consumer for the purposes of all mortgage servicing rules, including those triggered by bankruptcy. Although it is helpful to have some clarity from the CFPB in advance of the rules’ effective date, the timing—approximately just one month before servicers are expected to be fully compliant—is likely to leave some servicers scrambling at the last minute.

CFPB Issues Implementation Guidance for Mortgage Servicing Rule Amendments

By Jonathan R. Kolodziej on Posted in Bankruptcy, CFPB, Compliance, Mortgage Servicing, RESPA, TILA

CFPB Issues Implementation Guidance for Mortgage Servicing Rule AmendmentsOn March 29, 2018, the Consumer Financial Protection Bureau (CFPB) released two important implementation tools that may help mortgage servicers ensure compliance with recent amendments to the mortgage servicing rules in Regulations X and Z. This release comes shortly after the CFPB published a set of Frequently Asked Questions that primarily addressed issues related to the upcoming periodic billing statement requirements for borrowers in bankruptcy, and certain interactions with successors in interest.

First, the CFPB updated its Small Entity Compliance Guide so that it now reflects the status of the law that will become effective on April 19, 2018. The new version 3.1 incorporates the latest timing requirements related to the transition to and/or from modified periodic billing statements that account for a consumer’s status as a debtor in bankruptcy. That change stems from the CFPB’s March 8, 2018, final rule that amended the 2016 Mortgage Servicing Rules. Additionally, version 3.1 now removes aspects of the mortgage servicing rules that will no longer be in effect on or after April 19, 2018. For example, the blanket exemption from sending periodic billing statements to all accounts impacted by bankruptcy is removed, and the guide now reflects the upcoming rule that will soon be in effect.

Second, the CFPB published a Mortgage Servicing Coverage Chart that explains the applicability and exclusions of each section of the mortgage servicing rules in Regulations X and Z. The new version replaces the prior chart that the CFPB released in 2014, and now incorporates all of the CFPB’s amendments to the original rules. This type of document has historically been one of the more valuable and relied upon tools issued by the CFPB.

After comparing the new version to the older one, a few notable changes become evident:

  • The CFPB now clarifies in the escrow context that annual escrow statements are not required for “certain default, foreclosure, or bankruptcy situations, per 1024.17(i)(2).”
  • Early intervention partial exemptions for borrowers in bankruptcy and “certain debt collection-related situations,” meaning borrowers who are protected by the Federal Fair Debt Collection Practices Act and who properly submit a cease communication request, are now included.
  • Small servicer obligations in the loss mitigation and dual tracking context are more accurate and specific. The prior version suggested that small servicers were prohibited from filing foreclosure if a borrower is performing pursuant to a loss mitigation agreement or is less than 120 days delinquent. The new version more accurately explains that a small servicer must comply with “certain prohibitions on foreclosure referral, moving for judgment or order of sale, or conducting a sale.”
  • The new version now specifies that a servicer may be exempt from sending the otherwise required notice in conjunction with the first interest rate change on an ARM loan in “certain debt collection-related situations,” meaning when borrowers who are protected by the Federal Fair Debt Collection Practices Act properly submit a cease communication request.
  • New periodic billing statement exemptions for certain charged off loans and certain consumers impacted by bankruptcy are now included.
  • Applicable mortgage servicing requirements that were not part of the original 2014 rules (e.g., escrow cancellation notices in 1026.20(e) and mortgage loan transfer disclosures in § 1026.39) are not included on the chart.

As mentioned above, the CFPB’s scope chart has long been a valuable tool for mortgage servicers to ensure compliance and assist in deciphering what rules apply in certain scenarios. The newest version appears to be a more complete view into the law as it currently stands.

New Decision from the D.C. Court of Appeals Recognizes Additional Defenses to HOA Super-Priority Lien Statute

By R. Aaron Chastain, Jon H. Patterson and Andrew J. Narod on Posted in Foreclosure, HOA Super Priority Liens, Litigation Developments

New Decision from the D.C. Court of Appeals Recognizes Additional Defenses to HOA Super-Priority Lien StatuteAs we noted in last week’s blog post, the District of Columbia Court of Appeals issued a decision on March 1, 2018, that created a new wave of uncertainty for lenders with loans secured by deeds of trust on condominium units in the District of Columbia. In the Liu decision, the court held that a condominium association’s foreclosure on its statutory lien could wipe out a first priority security interest on the same property even when the association expressly purported to foreclose subject to the first deed of trust. But a new decision in U.S. Bank, N.A. v. Green Parks, LLC, issued on March 13, 2018, offers insight into what secured lenders can do to avoid the outcome in Liu.

Green Parks involved a similar fact pattern. In 2013, a condominium association foreclosed on its statutory lien but advertised its sale and described it in the memorandum of purchase and deed as having taken place “subject to” U.S. Bank’s deed of trust.

After the D.C. Court of Appeals issued its decision in Chase Plaza Cond. Ass’n v. JPMorgan Chase Bank (which indicated that a condominium’s foreclosure on its statutory lien could extinguish a first deed of trust), U.S. Bank brought an action to establish the validity of its security interest in relation to Green Parks, which bought the property at the foreclosure sale. Green Parks filed a counterclaim, seeking a judgment that under Chase Plaza, it had acquired title to the property free and clear of U.S. Bank’s interest. U.S. Bank responded to the counterclaim with an answer that raised affirmative defenses – including unconscionability and unclean hands – and moved to dismiss, citing the extensive evidence that the association intended to foreclose on a lien that was subordinate to U.S. Bank’s interest.

In considering U.S. Bank’s motion, the trial court flipped the script. It first converted the motion to dismiss to a motion for summary judgment and denied it. It then went even further by dismissing U.S. Bank’s counterclaim and granting summary judgment against U.S. Bank, even though Green Parks had not requested that relief.

On appeal, the D.C. Court of Appeals quickly reasoned that the trial court’s order was incorrect because it failed to provide the parties with proper notice that it was considering granting summary judgment and because it failed to view the evidence in the light most favorable to U.S. Bank in granting summary judgment for Green Parks. But especially noteworthy is how the court framed the prejudice U.S. Bank suffered as a result of these actions. In the court’s words, “The surprise entry of judgment was not harmless for it deprived the Bank of an adequate opportunity to dodge the bullet.”

The Court of Appeals also noted that Liu left an important question unsettled: What happens if an association forecloses on a lien greater than the six months of unpaid assessments given super-priority status under D.C. law? The Green Parks court described it as an open question as to whether such a lien is “entirely lower in priority than a first deed of trust or whether a portion of the lien enjoys super-priority status.”

Furthermore, the Green Parks decision instructed that, on remand, the trial court had to consider the merits of U.S. Bank’s arguments that the association’s foreclosure sale should be set aside based on equitable doctrines such as unclean hands or unconscionability. While Liu may have established the legal priority of the association’s lien, U.S. Bank’s arguments that the sale was invalid based on equitable defenses were still to be decided.

Going forward, lenders now have a road map as to how to protect their deeds of trust on condominiums in the District of Columbia that have been placed in jeopardy as a result of an association’s foreclosure. The first step is determining whether the association included more than six months of unpaid assessments in its advertised lien amount. According to the Green Parks court, such a foreclosure may mean that the entire association lien is subordinate to the deed of trust. Second, and independently, lenders can raise equitable defenses to the association’s foreclosure sale and seek to have it invalidated on those grounds.

Better Late than Never? Alabama, the 50th State to Pass a Data Breach Law

By Erin Jane Illman and Niya T. McCray on Posted in Cybersecurity, Data Privacy

Better Late than Never? Alabama, the 49th State to Pass a Data Breach Law

On March 1, 2018, the Alabama Senate unanimously passed the Alabama Data Breach Notification Act of 2018 (SB 318). On March 22, 2018, the House of Representatives, following an amendment by the Technology and Research Committee, also passed SB 318. Just a day prior to the Alabama House passing SB 318, South Dakota Governor Dennis Daugaard signed SB 62 into law, making his state the 49th to pass a data breach notification law.

Spearheaded by the Attorney General’s Office, SB 318 would make Alabama the 50th and final state to enact data breach notification legislation. Now, all that remains is for Alabama Governor Kay Ivey to sign the bill into law.

The Statute

SB 318 defines a qualifying data breach as any “unauthorized acquisition of data in electronic form containing sensitive personally identifying information (PII).” The proposed bill takes care to include ongoing and repeated data breaches in the definition, as long as the breach is perpetrated by the same offender. The release of publicly available records and law enforcement investigations, though, are not within the scope of SB 318.

Covered Entities and Information

The act has a wide breadth of covered entities ranging from individuals to commercial entities and, notably, nonprofit organizations. Under the act, an affected individual is any Alabama resident whose personal information (PI) is compromised, or “reasonably believed” to be, as a result of a data breach. SB 318 defines the following types of information as PII, when one or more is combined with an individual’s first name or first initial and last name:

  • A non-truncated Social Security number or tax identification number
  • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other government-issued unique identification number
  • A financial account number in combination with any security code, access code, password, expiration date, or PIN
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • A health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer
  • User name or email address combined with a password or security question

Reasonably, the act does not include public records as a category of PII.  Likewise, where the data involved in the breach is encrypted or de-identified, SB 318 does not recognize it as PII and will not require consumer notification.

“Reasonable Security” for Covered Entities and Third Parties

SB 318 also imposes a requirement that each covered entity, as well as any third-party vendor of the covered entity, implement and maintain reasonable security measures to protect PII against a breach of security. The proposed statue would require that covered entities and third parties develop security measures that:

  • designate an employee or employees to coordinate the covered entity’s security measures;
  • identify internal and external risks;
  • adopt appropriate information safeguards and assess the effectiveness of such safeguards;
  • retain service providers, if any, that are contractually required to maintain appropriate safeguards for PII;
  • evaluate and adjust security measures to account for changes in circumstances affecting the security of PII; and
  • keep management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.

Companies should bear in mind that SB 318, will not only require an incident response plan for Alabama residents, but will also require the creation of a reasonable security plan that complies with the requirements set forth above.

Notice Requirements

The highlight of SB 318 for Alabama consumers is the Section 5 notice requirements. Pursuant to Section 5, a covered entity is required to notify individuals in the event of a breach when PII has been or is “reasonably believed” to have been acquired by an unauthorized person. Under SB 318, companies would be required to notify affected individuals within 45 days of the discovery that a data breach has occurred. The notice may be sent through the mail or by email, but must include the following: (1) the date, or an approximation thereof, of the breach, (2) a description of the sensitive PII that was acquired, (3) a general description of the actions taken to restore the security and confidentiality of the PI involved in the breach, (4) a general description of steps a consumer can take to protect himself or herself from identity theft, and (5) contact information that the individual can use to inquire about the breach. However, where the entity will face excessive cost in notifying affected individuals, where there is incomplete contact information, or where over 500,000 individuals are affected, SB 318 allows for substitute notice in the form of TV, newsprint, radio, and online advertisements.

In addition to notifying affected individuals, SB 318 requires entities to notify the Attorney General’s Office, within 45 days of discovery of a breach, when more than 1,000 people are affected. When notifying the Attorney General, the entity must include a summary of the breach, an estimate of the number of affected individuals, anticipated services that will be offered to individuals because of the breach, i.e. credit monitoring, and a contact to which questions may be directed. Alabama SB 318 also includes a consumer reporting agency notification requirement where more than 1,000 individuals are affected at once.

Penalties

A violation of SB 318 will also stand as a violation of the Alabama Deceptive Trade Practices Act. There is, however, no private cause of action established by the statute and so any suits brought under it must be initiated by the Office of the Attorney General. Noncompliance with SB 318 could result in fines of up to $5,000 per day for each day that the entity fails to take reasonable action to comply with the notice provisions.

Conclusion

Although SB 318 has yet to be signed into law, it appears to have an overwhelming amount of support from the state legislature, as evidenced by the relative ease and quickness with which it passed in both chambers. SB 318 could go into effect as early as June 2018 if Governor Ivey signs it immediately. For those in Alabama, and elsewhere, this is one to keep an eye on in the next few months.

HOA Super-Priority Lien Law Preempted by Federal Statute

By Alex McFall on Posted in Foreclosure, HOA Super Priority Liens, Litigation Developments, Supreme Court

Nevada Supreme CourtGiven the significant role Fannie Mae and Freddie Mac have in the national housing market, it is unsurprising that both have become embroiled in the Nevada HOA super-priority lien litigation. Since July 2008 – well before the Nevada Supreme Court held that an HOA’s foreclosure on its super-priority lien could extinguish a first deed of trust – Fannie Mae and Freddie Mac have been in the conservatorship of the Federal Housing Finance Agency (FHFA). The Housing and Economic Recovery Act of 2008 (Federal Foreclosure Bar), which created FHFA, includes a provision commonly referred to as the Federal Foreclosure Bar, which provides that FHFA’s property shall not be subject to foreclosure without FHFA’s consent. Fannie Mae and Freddie Mac, as well as loan servicers acting on their behalf, have long argued that the Federal Foreclosure Bar preempts the Nevada HOA super-priority lien statute and prevents HOA foreclosure sales from extinguishing the interests of Fannie Mae and Freddie Mac. While the Ninth Circuit already held that the Federal Foreclosure Bar preempts Nevada’s HOA super-priority lien statute, the Nevada Supreme Court had not weighed in until now. On March 21, 2018, the Nevada Supreme Court released a unanimous, en banc opinion in Saticoy Bay LLC Series 9641 Christine View v. Federal National Mortgage Association, siding with the Ninth Circuit on federal preemption.

The case arose after Saticoy Bay purchased the subject property at an HOA foreclosure sale and filed suit against Fannie Mae and others, seeking to quiet title. The trial court granted Fannie Mae’s motion for summary judgment and held that the Federal Foreclosure Bar preempts the Nevada HOA super-priority lien statute. Saticoy Bay appealed and argued (1) that Fannie Mae lacked standing to assert the Federal Foreclosure Bar because the statute protected the property of FHFA and FHFA was not a party to the action, and (2) the Federal Foreclosure Bar did not actually preempt the state law.

The Nevada Supreme Court affirmed the trial court’s judgment, holding that because the Nevada HOA super-priority lien statute allowed an HOA to extinguish Fannie Mae’s interest without the consent of FHFA, it directly conflicted with Congress’ clear goal of protecting Fannie Mae’s property while under FHFA’s conservatorship. The court also confirmed that Fannie Mae has standing to assert the Federal Foreclosure Bar. This decision on standing follows the court’s earlier decision in Nationstar Mortgage, LLC v. SFR Investments Pool 1, LLC that the servicer of a loan owned by Fannie Mae or Freddie Mac has standing to raise the Federal Foreclosure Bar in defense of Fannie Mae’s and Freddie Mac’s property interests.

Importantly, the court rejected Saticoy Bay’s argument that FHFA implicitly consented to extinguishment of the deed of trust by failing to act to prevent the HOA foreclosure sale. Citing the Ninth Circuit’s Berezovsky opinion, the court held that FHFA must affirmatively consent to extinguishment and is not required to actively resist foreclosure.

While this decision is unpublished, it seems to provide an indication as to how the Nevada Supreme Court will rule on the Federal Foreclosure Bar in future published opinions.

D.C. Circuit Court of Appeals’ TCPA Ruling Is a Mixed Bag

By Grant A. Premo and Edward S. Sledge IV on Posted in Automobile Finance, Compliance, Debt Collection, TCPA

D.C. Circuit Court of Appeals' TCPA Ruling Is a Mixed BagOn March 16, 2018, the D.C. Circuit Court of Appeals issued its long-awaited Telephone Consumer Protection Act (TCPA) opinion in ACA International v. Federal Communications Commission, a consolidated appeal of the FCC’s July 10, 2015, TCPA Declaratory Ruling and Order. While the D.C. Circuit Court of Appeals upheld the FCC’s approach to revocation of consent for autodialed calls and exemption for time-sensitive healthcare calls, the opinion sets aside the FCC’s interpretation of the type of telephone equipment that constitutes an “autodialer” and vacates the FCC’s approach to calls to reassigned numbers.

The opinion should have major implications for TCPA litigation concerning the definition of an autodialer and provides some clarification for compliance with the TCPA’s revocation of consent scheme. The opinion, however, creates more uncertainty regarding calls to reassigned numbers.

The petitioners in ACA International challenged four aspects of the FCC’s 2015 TCPA Declaratory Ruling and Order:

  • The types of telephone equipment that constitute an autodialer for purposes of the TCPA;
  • Whether a call to a reassigned number violates the TCPA;
  • How a party who previously consented to autodialed calls can revoke consent; and
  • The scope of the FCC’s narrow exemption for certain healthcare-related calls.

In its opinion, the D.C. Circuit Court of Appeals struck down the FCC’s expansive definition of what types of telephone equipment constitutes an autodialer for purposes of the TCPA. Citing current FCC Chairman Ajit Pai’s dissenting opinion to the FCC’s 2015 Declaratory Ruling and Order, the court noted that the FCC’s interpretation encompassed any and all smartphones—which are now nearly ubiquitous.  The court stated that the “TCPA cannot reasonably be read to render every smartphone an [autodialer] subject to the Act’s restrictions,” and accordingly found that the FCC’s interpretation was arbitrary and capricious.

In addressing calls to reassigned numbers, the court also set aside the FCC’s one-call, post-reassignment safe harbor and the FCC’s treatment of reassigned numbers more generally.

The TCPA does not prohibit autodialed calls to cells phones “made with the prior express consent of the called party” (47 U.S.C. § 227 (b)(1)(A)(iii)). While the FCC interpreted “called party” to refer to the person actually reached, the petitioners in ACA International contended that the “called party” actually means the person the caller expected to reach—an interpretation which would limit liability for calls to reassigned numbers.  The court sided with the FCC, finding that the FCC could permissibly interpret “called party” to mean the person subscribing to the called number at the time the call is made.  While the opinion appears to further limit what is not an autodialer, it does very little to define what is an autodialer.  Accordingly, this issue will likely continue to be the subject of litigation, as the courts work through the uncertainty over what is and is not an autodialer.

The court, however, went further, striking down as arbitrary the FCC’s safe harbor for just one call to a reassigned number before TCPA liability is imposed. The court noted that the FCC could not justify why a caller’s reasonable reliance on a previous subscriber’s express consent only extended to one call, making the rule arbitrary. Because striking down the one call safe harbor would result in a more severe and strict liability regime for calls to reassigned numbers—which the court did not think the FCC would have intended—the court set aside the FCC’s treatment of reassigned numbers as a whole.

Next, the court upheld the FCC’s approach to revocation of consent, which allows a called party to revoke consent at any time and through any reasonable means (rejecting industry requests for an interpretation that would allow callers to prescribe an exclusive means for revocation of consent). The court’s opinion, however, appears to support the caller’s creation of clearly defined and easy-to-use revocation processes as a means to limit some of the uncertainty of what methods of revocation are considered reasonable. To this end, the court noted that the FCC’s ruling absolves callers of any responsibility to adopt revocation procedures and systems that would entail “undue burdens,” but does not go so far as to define what might constitute an “undue burden.”

The court also noted that the FCC’s ruling does not address revocation procedures contractually agreed upon by the parties. Accordingly, the court stated that nothing in the FCC’s ruling “should be understood to speak to parties’ ability to agree upon revocation procedures.”

Lastly, the court upheld the scope of the FCC’s exemption of certain healthcare-related calls from the TCPA’s prior-consent requirement for calls to wireless numbers. Rite Aid challenged the scope of the FCC’s exemption on the grounds that it conflicted with the Health Insurance Portability and Accountability Act (HIPAA) and was arbitrary and capricious. The court held that HIPPA does not conflict with or supersede the TCPA and that the FCC’s interpretation was reasonable.

LexBlog