Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.
Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums. You may access this interactive tool at https://covid19.troutman.com/.
To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:
Privacy and Cybersecurity Activities
- On August 27, the U.S. Supreme Court lifted the U.S. Centers for Disease Control and Prevention’s (CDC) moratorium on evictions. The Court found that the CDC lacked authority to impose the moratorium at this point during the COVID-19 pandemic. For more information, click here.
- On August 27, the Board of Governors of the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency released a guide intended to help community banks assess risks when considering relationships with financial technology companies. Community banks are entering into business arrangements with fintech companies to offer enhanced products and services to their customers, increase efficiency, and reduce internal costs. This guide serves as a resource for community banks when performing due diligence on prospective relationships with fintech companies. For more information, click here.
- On August 26, the U.S. Department of Education (DOE) announced it will make $1.1 billion in closed school discharges available to an additional 115,000 borrowers who attended the now-defunct ITT Technical Institute (ITT). This decision is based on a new review of the problems leading up to ITT’s closure. These borrowers did not complete their degree or credential and left ITT on or after March 31, 2008. The DOE estimates that 43% of these borrowers are currently in default. This action brings the total amount of loan discharges approved by the DOE since January 2021 to $9.5 billion, affecting over 563,000 borrowers. For more information, click here.
- On August 25, the Consumer Financial Protection Bureau (CFPB) Ombudsman Wendy Kamenshine issued the 2021 Midyear Update, including news that the CFPB’s post-examination survey of supervised entities program is in the final development stages. For more information, click here.
- On August 27, in response to the Tropical Storm/Hurricane IDA state-declared emergency, the Louisiana Public Service Commission has enacted temporary restrictions on callers, including those using automatic dialing and announcing devices, and has ordered a mandatory prohibition on solicitation. For more information, click here.
- On August 26, Illinois Attorney General Kwame Raoul issued a press release applauding “Governor JB Pritzker for signing legislation Raoul initiated to protect student loan borrowers and help them select a student loan option that best meets their needs.” House Bill 2746, also known as “Know Before You Owe,” provides student borrowers with information about federal aid eligibility before turning to private loans. “For millions of student loan borrowers, the struggle of making loan payments has been exacerbated by the COVID-19 pandemic’s economic impact,” Raoul said. “Students should not be faced with a lifetime of debt because they were unaware they were eligible for federal aid or because they fell victim to the unfair and deceptive practices of a student loan debt relief company.” For more information, click here.
- On August 24, California Attorney General Rob Bonta issued guidance to health care providers and facilities, reminding those entities of their obligations to comply with state and federal health data privacy laws. Attorney General Bonta reminded stakeholder organizations in a bulletin that entities “must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been breached.” These obligations are located in California Civil Code Section 1798.82. For more information, click here.
- On August 20, Arizona Attorney General Mark Brnovich issued a legal opinion regarding “COVID-19 vaccine mandates for employees, patrons of businesses, and airline passengers under existing state and federal laws.” In this opinion, Attorney General Brnovich stated: (1) “Schools, public universities, community colleges, and state and local governments are statutorily prohibited from requiring employees to obtain COVID-19 vaccinations;” (2) “private businesses can mandate vaccinations for employees but must provide reasonable accommodations for employees who cannot obtain the COVID-19 vaccine due to a disability or a sincerely held religious belief;” (3) private business may mandate vaccination for patrons but must also “provide reasonable accommodations to patrons who cannot obtain the COVID-19 vaccine due to disability … [or] sincerely held religious belief;” and (4) an “an airline may not refuse a customer based on a communicable disease unless the customer (1) actually has a communicable disease (2) that is a direct threat to other passengers, and (3) cannot obtain a medical certificate setting forth preventative measures.” For more information, click here.
Privacy and Cybersecurity Activities:
On August 24, California Attorney General Rob Bonta reminded health care providers that they need to be in “full compliance with state health data privacy laws[.]” Specifically, the Attorney General told “[health care] entities that they must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents have been breached.” As the pandemic continues, more entities are entrusted with private and deeply personal information. Attorney General Bonta urged health care entities to:
“Keep all operating systems and software housing health data current with the latest security patches;
Install and maintain virus protection software;
Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
Restrict users from downloading, installing, and running unapproved software; and
Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.”
For those interested in reading the full announcement, click here.
On August 23, Wired reported that the Power Apps portal service was misconfigured, which led to more than a thousand web applications accessible to the general public, “including data from a number of [COVID]-19 contact tracing platforms, vaccination sign-ups, [and] [COVID]-19 vaccination status.” The report describes that the exposed data came from the Power Apps development platform, making it easy to create web or mobile apps. “If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.” To read the full report, click here. For those interested in learning about privacy guidelines for COVID-19 contact-tracing app makers, click here.