State Law

NYDFS Reports Major Cybersecurity Settlement

March 11, 2021 By Consumer Finance Team, James Harvey

In early March, the New York Department of Financial Services (NYDFS) announced a settlement involving a $1.5M penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber breach, and other alleged cybersecurity failures. This enforcement action marks the second public enforcement action under 23 NYCRR Part 500 (the “Cybersecurity Regulation”) (see our post on the prior action here).

It is noteworthy that the settlement follows a routine safety and soundness exam by the regulator which included a review of security issues under the Cybersecurity Regulation. This settlement provides an example of both the alleged failure to have reported a security incident and the potential that any such failure will later be detected by the NYDFS in routine examinations.

The consent order noted two major cybersecurity failings on the part of the licensee, Residential Mortgage Services, Inc. (“Residential Mortgage”), according to the NYDFS:

Failure to Adequately Investigate and Respond to a Cybersecurity Event. The consent order recounts a successful phishing attack that resulted in a “cyber intruder” accessing an employee’s email account. Residential Mortgage’s IT staff determined that improper access had occurred and quickly took steps to prevent further unauthorized access. However, the consent order faults Residential Mortgage for failing to conduct any further investigation to determine (1) whether the compromised inbox “contained private consumer data,” (2) “which consumers were impacted,” and then (3) “apply the applicable state notice requirements triggered by the breach.” The consent order notes that, following the NYDFS’s examination and investigation of the Cybersecurity Event, Residential Mortgage did determine that it was obligated to notify individuals under various state laws based on a review of all data elements “that could have been accessed” during the intrusion. According to the consent order, Residential Mortgage subsequently made notifications to individuals as required by those laws.
Lack of “Comprehensive Cybersecurity Risk Assessment.” The consent order states that Residential Mortgage “was missing a comprehensive cybersecurity risk assessment.” Such risk assessments are required under the Cybersecurity Regulation to periodically evaluate vulnerabilities and inform operation of the cybersecurity program.

In addition to assessing a $1.5M civil penalty, the settlement provisions require Residential Mortgage to make the following submissions to the NYDFS within 90 days:

“a comprehensive written Cybersecurity Incident Response Plan;”
a comprehensive risk assessment;
“Policies, procedures and controls” relating to monitoring user activity and detecting unauthorized access or use of personal or confidential information; and
“Cybersecurity awareness training for all personnel, updated to reflect risks identified by Residential Mortgage in its Cybersecurity Risk Assessment.”

Residential Mortgage also agreed to “fully cooperate” with the NYDFS “regarding all terms of this Consent Order,” and the NYDFS reserved all rights to take further action in the event of noncompliance. The consent order notes Residential Mortgage’s “commendable cooperation” with the investigation and remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program.”

New Virginia Privacy Law Promises Big Impacts

March 3, 2021 By Dorian Simmons, Consumer Finance Team

Virginia became the second state after California to pass a comprehensive privacy law when the governor signed the Consumer Data Protection Act, which contains many elements found in the California Consumer Privacy Act and other proposed privacy frameworks, as well as a number of new requirements for businesses.

In a client advisory, our Privacy, Cyber & Data Strategy Team pinpoints critical steps companies should take to ensure compliance.

How is it different from California’s CCPA and the EU’s GDPR?
What is its scope and how will it be enforced?
How extensive are consumers’ opt-out and other rights?

New York State Revises Restrictive HECM Foreclosure Law

February 11, 2021 By Stephen Ornstein

A&B ABstract

On December 15, 2020, New York State enacted legislation amending the New York Real Property Law that would have placed various restrictions and requirements on the servicing of Home Equity Conversion Mortgages secured by New York properties effective as of April 14, 2021 (the “Foreclosure Law”). The new law would significantly hinder a servicer’s ability to foreclose on a defaulted HECM, and could conflict with existing default procedures promulgated by the Department of Housing and Urban Development (“HUD”) relating to the foreclosure of HECMs.

On January 6, 2021, legislation was introduced in the New York State Senate to eliminate certain of these burdensome provisions (the “Revised Law”). Both the Senate and the New York State General Assembly have approved this measure, and it currently awaits Governor Cuomo’s signature.

The Foreclosure Law as Enacted

As enacted, the Foreclosure Law would impose a series of requirements on foreclosures comments on or after April 14, 2021.

First, the law would, among other things, upon the commencement of a foreclosure proceeding of a HECM secured by real property in New York State, require transmission to the New York Department of Financial Services (“NYDFS”) of

proof that HUD has granted prior approval to accelerate the loan,
proof of the default leading to the foreclosure action and notice to the mortgagor, and
any other information required by the NYDFS.

Second, the Foreclosure Law would require mortgagees to engage in mandatory loss mitigation activities to be specified in regulations promulgated by the NYDFS before commencing a foreclosure action.

Third, the Foreclosure Law would prohibit the making of advance payments for any obligation arising from the related Mortgaged Property and provide that payments by the Servicer for insurance premiums and taxes may only be made when they are in arrears.

The Revised Foreclosure Law

The Revised Law would eliminate many of these burdensome provisions. Specifically, the Revised Law would:

require lenders to send a notice to consumers that will be promulgated by the NYDFS relating to the borrower’s rights in foreclosure,
authorize the NYDFS to regulate the notice of such rights,
require lenders to send the NYDFS proof that they received permission from HUD to foreclose on a reverse mortgage,
require lenders to maintain policies on loss mitigation to ensure compliance with all applicable law, and
require lenders to maintain certain loss mitigation and foreclosure records.

If signed by Governor Cuomo, the Revised Law would take effect 120 days after enactment.

Significant Penalties for Failure to Comply

Under both the Foreclosure Law and the Revised Law, consumers “injured” by a violation of the law are entitled to recover treble damages in a private right of action. Further, adherence to the requirements of the law is a condition precedent to filing the foreclosure in New York State, and failure to comply with these provisions constitutes a complete defense to such foreclosure.

Takeaway

Even as amended, the legislation is cumbersome and creates additional hurdles for servicers foreclosing on delinquent HECMs in New York State. Arguably, the existing HUD HECM pre-foreclosure procedures provide ample consumer protection. Nevertheless, with many consumers struggling financially during the COVID pandemic, New York State seeks to provide additional consumer protections to elderly New Yorkers who have HECMs.

Virginia Ready to Pass First State Privacy Statute after CCPA

February 8, 2021 By Dorian Simmons

Both houses of Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392; H.B. 2307) (VCDPA). If approved by the state governor, the VCDPA would become the United States’ second comprehensive state privacy law behind the California Consumer Privacy Act (CCPA). For a comparison of the VCDPA to the CCPA and the European Union’s General Data Protection Regulation, see the Alston & Bird Privacy, Cyber and Data Strategy Blog.

Federal Court Dismisses Lawsuit Challenging Minnesota Eviction Moratorium

January 11, 2021 By Consumer Finance Team

A&B ABstract: A federal district court dismissed a lawsuit filed by two landlords who sought to invalidate the Governor of Minnesota’s moratorium on evicting residential tenants for failure to pay rent during the pandemic.

The Eviction Moratorium

In an Executive Order dated March 23, 2020, Minnesota Governor Timothy Walz suspended landlords’ ability to file eviction actions and prevented them from terminating residential leases except where a tenant took actions that “seriously endangered” other tenants or violated certain state criminal laws. The Executive Order did not relieve tenants of their obligation to pay rent. The moratorium was to stay in place until the statewide COVID-19 emergency declaration elapsed or the Executive Order was rescinded.

The Governor issued several later clarifications to the eviction moratorium, including Executive Order No. 20-79 on July 14, which is the version currently in effect. It expanded certain tenant protections, and additionally permitted eviction of tenants who “significantly damage” rental property or overstay beyond a prior notice to vacate. Landlords who violate the moratorium are subject to criminal fines and imprisonment of up to 90 days.

The Lawsuit

Two companies that own rental properties in Minnesota, Heights Apartments and Walnut Trails, claimed to have “troublesome” tenants that they would seek to evict but for the moratorium. They sued the Governor in federal district court in Minnesota, seeking to invalidate Executive Order No. 20-79 for several alleged violations of their constitutional rights. The landlords also claimed that the moratorium was an unauthorized action under state law. The complaint sought a preliminary injunction against enforcement of the moratorium, pending its invalidation. The Governor filed a motion to dismiss.

The Decision

On December 31, 2020, the court granted the Governor’s motion to dismiss and denied the landlord’s request for a preliminary injunction. Much of the court’s opinion addresses – and rejects – standing, jurisdictional, and immunity arguments raised by the Governor. On the merits, the court concluded that nothing in the moratorium interfered with the landlords’ ultimate right to collect rent pursuant to their lease agreements, and that the moratorium therefore did not “substantial impair” their contractual rights or infringe their constitutional rights.

As the court explained:

But the fundamental nature of a lease of a residential unit is that the landlord provides the tenant a place to live; the tenant, in turn, pays the landlord rent. The landlord’s end of the contractual bargain is receiving rent payments. Nothing in the [executive orders] interferes with that right, and each of the eviction moratoria clearly states that it does not affect a tenant’s obligation to pay rent. And although, under the [executive orders], a landlord cannot enforce its contractual right to rent through an eviction proceeding, it can still sue tenants for rent owed.

The court found further that the executive orders advance an important state interest – preventing the spread of COVID-19 – and the court determined they “appropriately and reasonably advance that interest.” The court also noted that the moratorium does not completely prohibit evictions, which the court believed would not reasonably advance the state’s interest in protecting public health. For example, evictions may still be allowed if a tenant poses a risk to other residents or engages in dangerous criminal activity. On these grounds, the court also made short order of the landlords’ First Amendment and Takings claims.

Takeaways

This decision is in line with others from across the country that have upheld statewide eviction moratoriums against legal challenges. As a consequence, a large volume of eviction proceedings will likely be filed nationwide once the moratoriums expire, assuming tenants are unable to pay rent. Real estate entities and landlords should prepare for a backlog of these cases, and for the potential that they will take longer to adjudicate as a result.