Those Other Laws Dino Tsibouris Attorney at Law dino@tsibouris.com 2006 NCHELP FALL TRAINING...

Those Other LawsDino Tsibouris

Attorney at Law

dino@tsibouris.com

2006 NCHELP FALL TRAINING CONFERENCE

It’s all so regulated…• Licensing requirements to do business

• Limits to interest rates and loan fees

• Privacy and information security

Licensing• National banks and thrifts don’t need a license

from the state

• Non-bank lenders and purchasers of loans may need a license to make or enforce a loan

Licensing• A common test: Are you in the “business of

lending?”

– NJ includes companies that purchase loans from others

– OH includes the original lender only

– MN excludes loans under other state law

Licensing• Physical location concerns

• Limits on assignment

• Specific rates of interest and permissible fees

Loan Pricing• State license lender laws establish permitted

rates and fees

– Interest rates

– Late fees

– Loan origination fees of 1-2%

– Prepayment fees

– Refund of unearned charges

Loan Pricing• National Bank Act (12 USC 85)

• A national bank located in a state may charge interest at the maximum rate permitted to any state-chartered or licensed lending institution by the law of that state

Loan Pricing• National Bank Act (12 USC 85) “Interest"

includes any payment compensating a creditor for:

– An extension of credit

– Making available of a line of credit

– Any default or breach by a borrower

Loan Pricing• National Bank Act 12 USC 85

• “Interest" includes, among other things:

– Numerical periodic rates

– Late fees

– Creditor-imposed NSF fees

Loan Pricing• National Bank Act 12 USC 85

• “Interest" does not ordinarily include:

– Premiums/commissions for insurance guaranteeing repayment of any extension of credit

– Document preparation

– Fees incurred to obtain credit reports

Loan Pricing – Tied to State Law• Ohio Revised Code 1109.20

– Interest/finance charges not exceeding APR of twenty-five per cent

– Also may charge, as interest, other fees and charges that are agreed upon by the bank and the borrower

Loan Pricing – Tied to State Law• RC 1109.20 “Interest”

– Charges for late payments

– NSF fees

– Application, processing, origination fees

– Guarantee fees

– Prepayment fees

Loan Pricing – Tied to State Law• RC 1109.20 “Interest”

• Any fees and charges shall not be included in the computation of the annual percentage rate or the rates of interest or finance charges for purposes of applying the twenty-five per cent limitation

Loan Pricing – Tied to State Law• 12 CFR 7.4001 The term “interest” as used in

12 U.S.C. 85 includes … includes, among other things,…

• RC 1109.20 A bank may charge… as interest, other fees and charges that are agreed upon … including, but not limited to,…

• Many possibilities; uncertain outcomes

Important Considerations

• Make sure rates and fees are properly structured

–Within legal limits–Business case for each fee

• Challenges to the relationship between lenders those who buy their loans

Privacy• GLB

• Contract management

• State privacy law

• FTC

• Breach notification

Privacy – GLB Permitted Sharing• Third party with notice and opt-out• Permitted disclosure without consent

–Service providers (notice, contract)

–Joint marketing agreements (contract)

• Express consent from consumer

Privacy – Consent• GLB: “Clear and Conspicuous”

– Reasonably understandable and designed to call attention to the nature and significance of the information contained

– May combine with other clear and conspicuous notices

• FCRA: “Clear and Conspicuous”– Small type on back of mailer in a paragraph of

type about other matters inadequate (Use different type, color - Cole v. U.S. Capital)

Privacy – Scope of Consent I authorize the release of information pertinent to my

loans: (i) by the school, the lender, and the guarantor, or their agents, to the references on the applicable loans and to members of my immediate family unless I submit written directions otherwise; and, (ii) by and among my schools, lenders, guarantors, the Department of Education, and their agents.

Source: FFELP MPN

Privacy – Scope of Consent• Agent:

A person authorized to act for and under the direction of another person when dealing with third parties. Can enter into binding agreements on the principal's behalf and may even create liability for the principal if the agent causes harm while carrying out his or her duties.

Source: www.nolo.com

Security• 88,348,579+ persons had their PFI improperly

accessed/stolen between February 15, 2005 and June 16, 2006 (Privacy Rights Clearinghouse)

• A consumer calling the FTC helpline reported that in one day thieves used her stolen PFI to open 9 credit card accounts and charged $15,000

Technical Security• Hackers

• Unprotected Wireless Access

• Compromised Passwords

• Unencrypted Data Storage and/or Transmissions

Physical Security• CDs/Files Lost/Stolen During Transport

• Files Lost/Stolen from Storage

• Improper Destruction of Files

• Lost/Stolen Laptops

Humans, Contractors, and Vendors

• Dishonest Persons

• Failure to Follow Corporate Security Regulations

• Mistakes/Errors

Privacy – Contract Management• Privacy Agreements

– Limits on use

– Audit rights

– Notice if breached

– Indemnity for claims and losses

– No limit on liability

If a Breach Occurs• Key steps

– Identify the information lost

– Identify “affected persons”

– Notify law enforcement

– Prepare customer and media response plan

– Notify affected persons

State Laws• Consumer protection and deceptive trade

statutes

• State AGs offices are pursuing loss or breach of consumer personal information through traditional consumer protection and deceptive trade practices statutes

Federal Laws• Federal Trade Commission Act (FTC

Act) prohibits “unfair or deceptive acts or practices.”

• Gramm Leach Bliley Act governs the collection and disclosure of NPI (Privacy Rule); requires design, application, and maintenance of safeguards to protect NPI (Safeguards Rule)

DSW, Inc.

Both state and federal cases were filed against DSW, Inc.

– DSW is based in Ohio and sells shoes in 206 stores nationwide

– Ohio Attorney General filed suit under Ohio Consumer Sales Practices Act

– Federal Trade Commission filed suit under FTC Act

DSW, Inc.• DSW retained consumers’ names, credit/debit

card numbers, checking account information and drivers’ license numbers

• March 8, 2005 DSW learns that the data it retained from some 1.4M sales transactions was removed from its custody

State of Ohio v. DSW, Inc.• Attorney General suit claimed DSW’s failure to

notify all affected consumers was “unfair or deceptive” act under Ohio’s Consumer Sales Practices Act

• Asked court to order DSW to send written notice to all affected consumers

State of Ohio v. DSW, Inc.• DSW: Difficult to contact all customers

because it did not keep detailed information on all customers' addresses

• DSW SEC filing: Set aside $6.5 million to handle claims from the case and indicated total exposure could reach $9.5 million

In re DSW, Inc.

FTC: DSW violated FTC Act when it “failed to provide reasonable and appropriate security for personal information collected at its stores”

In re DSW, Inc.• Alleged violations:

– Storing data it didn’t need to keep – Not using available security measures to

limit wireless access to computer networks– Storing data in unencrypted files, accessed

via a well known user ID and password– Failing to employ sufficient measures to

detect unauthorized access

In re DSW, Inc. Settlement DSW must establish a comprehensive information security program:

– Reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers

– Fully documented in writing– Contain administrative, technical, and

physical safeguards appropriate to DSW’s size and complexity

In re DSW, Inc. Settlement• “Security Program” Requires:

– Designated employee(s) to coordinate and be accountable for IS program

– Identify internal/external risks to NPI that could result in unauthorized disclosure or misuse

– Assessment of the sufficiency of any safeguards used to control risks

– Regular testing of the key controls, systems, and procedures

– Evaluation and adjustment of the program based on results of testing, material changes to operations or business arrangements

– Initial/biennial assessments and reports from independent third-party professional, using industry procedures and standards for a period of twenty (20) years

Gramm Leach Bliley Act– Violations of the G-L-B Act’s Privacy

and Safeguards Rules are an “unfair or deceptive act or practice” in violation of the FTC Act

– Privacy Rule mainly concerns drafting and delivery of “Privacy Notices” to consumers

– Safeguards Rule mainly concerns security protection for NPI

In re NATIONWIDE MTGE GRP, INC.

– FTC complaint alleged Nationwide and its owner collected NPI and failed to protect it

– Violation of Privacy Rule is an unfair and deceptive practice under the FTC Act

– Violation of Safeguards Rule is an unfair and deceptive practice under the FTC Act

Security Rule settlement requirements:

– Assign employee(s) to oversee program; – Conduct a risk assessment; – Put safeguards in place to control the risks

identified and regularly test them; – Require service providers, by written

contract, to protect NPI; and – Periodically update its security program

• Additional requirements:

– Nationwide must obtain an assessment on its safeguards from a qualified, independent third-party

– Must use industry procedures and standards

– biennially for ten (10) years

Guin v. Brazos Higher Education Service Corp., Inc.

• NO duty under GLB to encrypt; Brazos acted with “reasonable care”

• Laptop containing unencrypted NPI stolen from employee’s home office

• Guin alleged Brazos’ failure to encrypt violated duty under GLB Act to protect security and confidentiality of NPI

Questions?

Dino Tsibouris

dino@tsibouris.com

Those Other Laws Dino Tsibouris Attorney at Law dino@tsibouris.com 2006 NCHELP FALL TRAINING...

Documents

Dino Tails

Dino Publishing

DINO Communications

Dino Thoughts

COMPLETE RANGE OF DINO · dino® 180 xt dino® 210 xt dino® 260 xtd dino® xtb-series dino® tb-series dino® 160 xt dino ® 160 xt dino ® 180 xt dino ® 210 xt dino ® 260 xtd

Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016

Dino Tsibouris (614) 360-1160 dino@tsibouris.com Enforcement Issues in E-Commerce to Originate, Retain, and Produce Electronic Records 1

Dino Tsibouris (614) 360-1160 dino@tsibouris.com Information Security – Changes in the Law, Cost, and Complexity of Responding to Breaches

Deceptive Trade Practices Enforcement in Private Student Loans Dino Tsibouris Tsibouris & Associates, LLC

DINO-LITE WIRED SERIES (AF SERIES) DINO-LITE …...DINO-LITE WIRELESS 100% WIRELESS | 100% VERSATILE | 100% QUALITY DINO-LITE WIRED SERIES (AF SERIES) AF4515ZT AF4915ZT The Dino-Lite

Teacher Resource Guide: DiNO-Light - Playhouse Squarestatic.playhousesquare.org/documents/Education/DiNO-TeacherGuid… · Teacher Resource Guide: DiNO-Light Community engagement

1 Records Management and Electronic Discovery Ken Sperl ken.sperl@tsibouris.com@tsibouris.com (614) 360-2023 Martin

Dino-Lite 3 fold flyer wf20 ENG Lambda · dino-lite wireless 100% wireless | 100% versatile | 100% quality dino-lite wired series (af series) af4515zt af4915zt the dino-lite af4515zt

Dino Tsibouris Mehmet Munur Privacy and Information Security Laws and Updates

Managing Cyber Risk Through Insurance and Vendor Contracts Dino Tsibouris (614) 360-3133 dino@tsibouris.comdino@tsibouris.com Tom Srail, SVP, FINEX NA

Dino Kraspedon

The Rat Pack Dino Tsibouris dino@tsibouris.comdino@tsibouris.com (614) 360-1160

DINO Dino is a compact and light kaiak, built for the ... · DINO Dino is a compact and light kaiak, built for the thrill-seeking adventure# With a max load of 90 kg, the Dino surely

Orchids of Bosnia and Herzegovina - RHS · Dino Zelenika Dino Zelenika Dino Zelenika Dino Zelenika Dino Zelenika Dino Zelenika Mount Velež (1,969m) viewed from the top of Hum mountain

Did You Run that Past Legal? Larry Laskey, Windham Professionals Arthur Rotatori, McGlinchey Stafford John Culhane, Ballard Spahr Dino Tsibouris, Tsibouris