The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge.  Some may note the similarity to the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.

The Rule is now considerably lengthier, but not all the amendments added anything new or substantive.  In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.

THE RULE

The Rule was promulgated under the Gramm-Leach-Bliley Act which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information.  The Rule applies to customer information held by non-banking financial institutions and “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information].”

The Rule provides this non-inclusive list of entities that are considered financial institutions under the Gramm-Leach-Bliley Act and subject to the rule:

• Mortgage lenders;
• Pay day lenders;
• Finance companies;
• Mortgage brokers;
• Account servicers;
• Check cashers;
• Wire transferors;
• Travel agencies operated in connection with financial services;
• Collection agencies;
• Credit counselors and other financial advisors;
• Tax preparation firms, non-federally insured credit unions;
• Investment advisors that are not required to register with the SEC; and
• Entities acting as finders.

Additionally, in its definitions, the Rule provides more detailed examples of entities considered financial institutions.

THE AMENDMENTS

The amendments to the Rule became effective Jan. 10, 2022, although some of the most important provisions are not effective until Dec. 9, 2022.  The FTC summarized the highlights as providing:

• More guidance on how to develop and implement specific aspects of an overall information security program.
• New provisions to improve the accountability of information security programs.
• Exemptions for financial institutions that collect less customer information.
• Inclusion of entities engaged in activities that are incidental to financial activities.
• New terms and examples.

WHAT’S NOT NEW

Section 314.1 – Purpose and Scope. Although amended subsection (b) appears significantly lengthier, it simply incorporates the definition of “financial institution” from the Privacy Rule, as modified and with examples, “to allow the Rule to be read on its own, without reference to the Privacy Rule.” 

Section 314.2 – Eleven Old Definitions. Previously, the Rule had only three defined terms and a general provision explaining that the terms used in the Rule had the same meaning as those defined in the Privacy Rule, 16 C.F.R. § 313.3.

Now, the Rule has 18 defined terms, but the majority have been carried over from the Privacy Rule to “improve clarity and ease of use.”  The Rule’s pre-amendment terms and those carried over from the Privacy Rule without substantive change are:

• Consumer;
• Customer;
• Customer Information;
• Customer Relationship;
• Financial Product or Service;
• Information System;
• Nonpublic Personal Information;
• Personally Identifiable Financial Information;
• Publicly Available Information;
• Service Provider; and
• You.

Section 314.3 – Standards for Safeguarding Customer Information. This section is essentially unchanged.

WHAT’S NEW

Section 314.2 – Seven New Definitions. As mentioned above, most of the defined terms are newly added to this section but not new to the Rule because they were previously cross-referenced to their definitions in the Privacy Rule.  Following are the seven new terms, and one that has been modified:

• Authorized User: This new term “means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.”

• Encryption: This new term “means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”

• Financial Institution: This term has been modified to include “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. . .” (emphasis added). It specifically applies to “[a] company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1).”

• Information Security Program: This new term “means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.”

• Multi-Factor Authentication: This new term “means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.”

• Penetration Testing: This new term “means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”

• Security Event: This new term “means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.”

Section 314.5 – Effective Date. This section identifies certain provisions of § 314.4 that are not effective until Dec. 9, 2022, as described below.

Section 314.6 – Exceptions. This “small business” section identifies certain provisions of § 314.4 that “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.”  Those provisions are identified below.

WHAT’S HOT

Section 314.4 – Elements. This section has been completely overhauled, and now explains with specificity the elements, new and old, that must be included in an information security program.  Except where indicated, these elements must be incorporated by Dec. 9, 2022.  In summary, the elements checklist includes:

• A single “qualified individual” designated to oversee, implement, and enforce the information security program. Previously, the program could be coordinated by a designated employee or employees. 

• An information security program based on a risk assessment. This is a current requirement, as well as the need to periodically perform additional risk assessments.  However, effective Dec. 9, 2022, the risk assessment must include, except for small businesses:
  • Criteria for the evaluation and categorization of identified security risks or threats;
  • Criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and
  • Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

• Safeguards designed to control identified risks through:
  • Access controls, including technical and physical controls, to authenticate and limit access;
  • Identification and management of data, personnel, devices, systems, and facilities;
  • Encryption of all customer information held or transmitted;
  • Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information;
  • Multi-factor authentication for any individual accessing any information system;
  • Procedures for the secure disposal of customer information no later than two years after the last date the information is used;
  • Procedures for change management;
  • Policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access, use or tampering.

• Regular testing and monitoring of the safeguards’ effectiveness. This general requirement is currently in effect, but new requirements effective Dec. 9, 2022, and not applicable to small businesses, are:
  • Annual penetration testing; and
  • Vulnerable assessments.

• Policies and procedures that include:
  • Security awareness training;
  • Use of qualified information security personnel to manage risks and oversee the program;
  • Security training and updates to address risks; and
  • Verification that information security personnel maintain current knowledge of changing information security threats and countermeasures.

• Service provider oversight through:
  • Selecting service providers capable of maintaining appropriate safeguards, which is a current requirement;
  • Requiring the safeguards by contract, which is also a current requirement; and
  • Periodically assessing service providers based on the risk they present and the adequacy of their safeguards, effective Dec. 9, 2022.

• A written incident response plan, with seven specific requirements, designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information. This is not required for small businesses.

• A regular written report, prepared at least annually, by the qualified individual to the board of directors that includes the status of, and compliance with the information security program, and any related material matters. This is not required for small businesses.

COMPLIANCE

The elements described in § 314.4 are not new concepts and many entities are already compliant.  However, because the elements are now far more specific and detailed than before, we recommend those subject to the Rule compare its elements to those of their own programs to ensure compliance, leaving time for compliance by Dec. 9, 2022. On March 15, join me for a Receivables Management Association International webinar to learn more about the amendments and the steps you need to take now to bring your company into compliance by Dec. 9, 2022.

The U.S. Court of Appeals for the Eighth Circuit recently reversed a trial court’s judgment in favor of a consumer for claims of alleged violation of the federal Fair Debt Collection Practices Act, finding that the consumer lacked Article III standing to bring his claim in federal court as the consumer failed to allege or later show a concrete injury in fact.

A copy of the opinion in Ojogwu v. Rodenburg Law Firm is available at:  Link to Opinion.

In Minnesota, a creditor may issue a garnishment summons to any third party “at any time after entry of a money judgment in [a] civil action.” Minn. Stat. § 571.71(3). The statute further provides that a copy of the garnishment summons, copies of other papers served on the third-party garnishee, and the applicable garnishment disclosure form “must be served by mail at the last known mailing address of the debtor not later than five days after the service is made upon the garnishee.” § 571.72, subd. 4 and 5.

This appeal arose out of a judgment creditor’s attorney (“Creditor”) mailing a consumer debtor (“Debtor”) a copy of a garnishment summons which was served on garnishee, and other state-law-mandated garnishment forms, knowing that Debtor had retained counsel after the default judgment was entered and knowing that Debtor “dispute[d] the debt.”

Debtor brought suit under 15 U.S.C. § 1692c(a)(2) of the FDCPA.

The trial court held that § 571.72, subd. 4 was inconsistent with and preempted by the FDCPA provision stating “[w]ithout the prior consent of the consumer … or the express permission of a court of competent jurisdiction, a debt collector may not communicate with a consumer in connection with collection of any debt … if the debt collector knows the consumer is represented by an attorney with respect to such debt.” § 1692c(a)(2). This court expressly disagreed with the opinion of another District of Minnesota district judge.

The parties stipulated as to remedy, and the trial court entered final judgment awarding Debtor statutory damages plus attorney’s and filing fees. Creditor appealed.

On appeal, the Eighth Circuit held that it could not resolve the merits of the intra-district conflict, finding that Debtor lacked Article III standing to pursue his claim in federal court because he failed to allege and the record did not show that Debtor suffered a concrete injury in fact from Creditor’s violation of § 1692c(a)(2).

Debtor had the burden of proving Article III standing by showing “(i) that he suffered an injury in fact that [wa]s concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 141 S. Ct.  2190, 2203 (2021).

The Court further noted that a concrete and particularized injury is required even when Congress creates a private cause of action, such as it did in the FDCPA. See § 1692k.

The Eighth Circuit found that Creditor’s mailing of the garnishment summons on Debtor caused him no tangible injury. The Court further found that serving the summons on Debtor was a benefit to him, as it gave him timely notice and an opportunity to claim an exemption to satisfy the garnishment in such a way that did not disturb his relations with the garnishee.

Debtor alleged that the mailing of the garnishment summons resulted in intangible injury as held by prior courts, “actual damages in the form of fear of answering the telephone, nervousness, restlessness, irritability, amongst other negative emotions.” But, “In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles.”  Spokeo, 578 U.S. 330, 340 (2016).

The historical analysis is used to determine whether the alleged injury has “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” TransUnion, 141 S. Ct. at 2204. The role of Congress is important, as, by statute, it may “elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate at law. Spokeo, 578 U.S. at 341 (quotation omitted).

However, Congress “may not simply enact an injury into existence, using its lawmaking power to transform something that is not remotely harmful into something that is.’” TransUnion, 141 S. Ct. at 2205 (quotation omitted).

Using this analysis, the Eighth Circuit found that the intangible injuries alleged by Debtor were insufficient to establish concrete injury in fact. Debtor was not caused to act to his detriment or fail to protect his interests. The Court further found that Debtor’s alleged tangible injuries “f[e]ll short of cognizable injury as a matter of general tort law. Buchholz v. Meyer Njus Tanick, PA, 946 F.3d 855, 864 (6th Cir. 2020).

The Eighth Circuit also found that Debtor failed to show that his “negative emotions” were caused by Creditor commencing a lawful garnishment action.

Finally, the Court emphasized the relevance of the fact that Debtor’s attorney notified Creditor that Debtor disputed the debt. 

Subsection 1692c(c)(3) provides that, “[i]f a consumer notifies a debt collector in writing that the consumer refuses to pay a debt … the debt collector shall not communicate further with the consumer with respect to such debt, except … to notify the consumer that the debt collector or creditor intends to invoke a specified remedy.” 

In Heintz v. Jenkins, the Court addressed this exception finding that “Courts can read these exceptions [in §§ 1692c(c)(2), (3)], plausibly, to imply that they authorize the actual invocation of the remedy that the collector ‘intends to invoke.’…  [This] interpretation is consistent with the statute’s apparent objective of preserving creditors’ judicial remedies.” § 514 U.S. 291 (1995).

The Eighth Circuit noted that the comment was not obviously applicable as Debtor did not assert a violation of § 1692c(c), the Court nevertheless found it reinforced its conclusion that Debtor failed to allege a concrete injury in fact as, under Minnesota law, garnishment is an independent proceeding ancillary to “an ordinary debt-collecting lawsuit.”

As such, the Eighth Circuit found that the Debtor lacked Article III standing because Debtor failed to plausibly allege or later show a concrete injury in fact. The judgment of the trial court was vacated and the case remanded with instructions to dismiss the complaint. However, the parties were granted leave to file supplemental briefs on the issue of Article III standing.

GENESEO, N.Y.– Coast Professional, Inc. (Coast) recently promoted Jennie Durkee to Senior Director of Compliance. Durkee, Coast’s former Director of Compliance, has over 20 years of experience in the accounts receivable management industry. Durkee began her Coast career in 2019, where she ensured organizational compliance with contracts, policies, and procedures. Under Durkee’s guidance, Coast was named a Training APEX Award (previously Training 100, formerly Training 125) winner by Training Magazine for three consecutive years (2020-2022).  

In her new role, Durkee will be responsible for overseeing Coast’s Compliance Department and ensuring the company’s adherence with all applicable laws associated with accounts receivable management. In addition to overseeing the Compliance Department, she will also develop the policies and procedures for the Legal/Regulatory, Training/Education, and Quality Assurance Departments, as well as coordinate the compliance activities of other departments within the organization.  

According to Michael Del Valle, Coast Chief Compliance Officer and General Counsel, Durkee’s promotion is a direct result of her exceptional worth ethic and dedication to the company.  

“Jennie’s ability to get things done, coupled with her exemplary leadership skills, makes her one of the most dynamic compliance leaders in the industry,” said Del Valle. “She demonstrates an unwavering commitment to Coast’s overall mission through her continued efforts to strengthen our compliance initiatives.”  

[article_ad]

Ms. Durkee is Credit and Compliance Collection Officer® (CCCO) certified by ACA International. 

About Coast Professional, Inc.: 

Coast Professional, Inc. is an accounts receivable management and contact center-based company, dedicated to the respectful and ethical communication with consumers. Coast provides essential collection and business process outsourcing services to hundreds of campuses; universities; federal, state, and county governments; municipalities; and courts. Coast is an eight-time honoree on the Inc. 5000 list for America’s Fastest-Growing Private Companies provided by Inc. Magazine and in 2021, was recognized for the sixth time as one of the “Best Places to Work In Collections” by insideARM.com and Best Companies Group. Since 1976, Coast has worked closely with clients to increase recoveries by assisting consumers in resolving their financial obligations. Coast’s success is exemplified by exceptional recoveries, superior service, and dedication to the highest levels of compliance. More information about Coast can be found at www.coastprofessional.com.  

On February 16, 2022, the CFPB announced that the public can now submit petitions for rulemaking directly to the CFPB. These petitions will be posted on public dockets for review and comment.

Members of the public can request that the agency pursue a new rule, amend an existing one, or repeal a rule. Former government employees and other individuals who are paid to influence the agency’s rulemaking agenda behind the scenes will be asked to submit their petitions for public inspection instead. 

This move comes in an effort to combat the belief by individuals and small businesses that they must hire former government officials, lawyers, or lobbyists in order to be heard by an agency. According to CFPB Director Rohit Chopra, ”Americans should be able to easily exercise their Constitutional rights without hiring a high-priced lawyer or lobbyist…Our new program will broaden access to the agency’s rulemaking process.”

All petitions, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Proprietary information or sensitive personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Petitions will not be edited to remove any identifying or contact information. 

The CFPB may, in its discretion, decide not to post submissions and other materials, or portions thereof, including the following:

• Duplicate identical submissions (submitted by the same submitter(s) through different means)
• Copyrighted material owned by someone other than the submitter
• Confidential business information (CBI)
• Spam submissions
• Threats of harm or violence
• Submissions that are disavowed by the named author or submitter

The complete process for submitting a petition can be found here. 

On February 14, 2022, the Consumer Relations Consortium (CRC) submitted comments to the the New York Department of Financial Services (NYDFS) regarding the proposed amendments to its debt collection rules. The proposed amendments seek to update disclosure requirements, statute of limitations disclosures, substantiation requirements, and telephone and electronic communications.

The CRC’s comments were prepared by Legal Advisory Board (LAB) members Joann Needleman of Clark Hill, Jim Schultz of Sessions Israel & Shartle, Brit Suttel of Barron and Newburger, John Rossman of Moss and Barnett, PA. as well as non LAB member Abigail Pressler, General Counsel of NCB Management Services, Inc. 

In its comments, the CRC asked NYDFS to consider the following:

[article_ad]

• Allow debt collectors to continue to use the charge-off date as the itemization date. The proposed amendment would prohibit debt collectors from using the charge-off date as the itemization date..” This conflicts with Regulation F.  It is also likely to uniquely disadvantage New York consumers who are accustomed to debt itemization based on the charge-off date by suddenly forcing collectors to use older or less predictable dates for itemization and increasing the likelihood of consumers receiving letters reflecting different itemizations based on different reference points over time.

• Remove the requirement to disclose the applicable statute of limitations for the debt, and allow debt collectors to use the previous time-barred debt language. The proposed amendment would require debt collectors to make a definitive determination regarding the statute of limitations, and disclose that determination to the consumer. The proposed amendments create a serious risk of violating rules prohibiting the unlicensed practice of law by requiring non-attorney debt collectors to analyze the law to determine which statute of limitations applies (an extremely complex legal question involving in-depth analysis), applying the law to the facts of a specific consumer’s account, and then advising the consumer about the law that applies to their accounts. Such legal analysis and advice should be given by a licensed attorney, not a layperson.

• Clearly outline the disclosure required for each type of debt. The proposed amendment has conflicting requirements for certain types of debt.

• Eliminate calling restrictions aimed at time-barred debt. The proposed amendment seeks to ban calls to collect time-barred debt. While there are limited exceptions, they are unclear and unlikely, rendering them functionally non-existent. Banning calls would increase the cost of collection, incentivizing creditors to sue New York consumers earlier and more often than consumers in other states where calls are allowed. 

The comment period ended on February 14, 2022. 

About the Consumer Relations Consortium

The Consumer Relations Consortium (CRC) is an organization comprised of more than 60 national companies representing the diverse ecosystem of debt collection including creditors, data/technology providers and compliance-oriented debt collectors that are larger market participants. Established in 2013, CRC is evolving the debt collection paradigm by engaging stakeholders—including consumer advocates, Federal and State regulators, academic and industry thought leaders, creditors and debt collectors—and challenging them to move beyond talking points and focus on fashioning real-world solutions that actually improve the consumer experience. CRC’s collaborative and candid approach is unique in the market.  CRC is managed by The iA Institute.

Learn more at www.crconsortium.org.