Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors

In today’s digital age, cybersecurity has become a paramount concern for executives navigating the complexities of their corporate ecosystems. With resources often limited and the ever-present threat of cyberattacks, establishing clear priorities is essential to safeguarding company assets.

Building the right team of security experts is a critical step in this process, ensuring that the organization is well-equipped to fend off potential threats. Equally important is securing buy-in from all stakeholders, as a unified approach to cybersecurity fosters a robust defense mechanism across all levels of the company.

This insider’s look at cybersecurity will delve into the strategic imperatives for companies aiming to protect their digital frontiers effectively.

Where Do You Start on Cybersecurity?
Pressures on corporate security teams are growing, both from internal stakeholders and outside threats, but the resources to do the job aren’t. So how can companies protect themselves in a real-world environment, where finances, employee time, and other resources are finite?

“You really have to understand what your company is in the business of doing,” Wilson said. “Every business will have different needs. Their risk tolerances will be different.”

BRIAN WILSON, CHIEF INFORMATION SECURITY OFFICER, SAS

For example, Tuttle said that in the manufacturing sector, digital assets and data have become increasingly important in recent years. The physical product is no longer the end-all, be-all of the company’s success.

For cybersecurity professionals, this new reality leads to challenges and tough choices. Having a perfect cybersecurity system isn’t possible—not for a company doing business in a modern, digital world. Tuttle said, “If we’re going to enable this business to grow, we’re going to have to be forward-thinking.”

That means setting priorities for cybersecurity. Inskeep, who previously worked in cybersecurity for one of the world’s largest financial services institutions, said multi-factor authentication and controlling access is a good starting point, particularly against phishing and ransomware attacks. Also, he said companies need good back-up systems that enable them to recover lost data as well as robust incident response plans.

“Bad things are going to happen,” Wilson said. “You need to have logs and SIEMs to tell a story.”

Tuttle said one challenge in implementing an incident response plan is engaging team members who aren’t on the front lines of cybersecurity. “They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right,” she said. “They need to be thinking, ‘What should I be looking for and what’s my response?’”

LISA TUTTLE, CHIEF INFORMATION SECURITY OFFICER, SPX TECHNOLOGIES

Wilson said tabletop exercises and security awareness training “are a good feedback loop to have to make sure you’re including the right people. They have to know what to do when something bad happens.”

Building a Security Team
Hiring and maintaining good people in a harrowing field can be a challenge. Companies should leverage their external and internal networks to find data privacy and cybersecurity team members.

Wilson said SAS uses an intern program to help ensure they have trained professionals already in-house. He also said a company’s Help Desk can be a good source of talent.

Remote work also allows companies to cast a wider net for hiring employees. The challenge becomes keeping remote workers engaged, and companies should consider how they can make these far-flung team members feel part of the team.

Inskeep said burnout is a problem in the cybersecurity field. “It’s a job that can feel overwhelming sometimes,” he said. “Interacting with people and protecting them from that burnout has become more critical than ever.”

TODD INSKEEP, FOUNDER AND CYBERSECURITY ADVISOR, INCOVATE SOLUTIONS

Weighing Levels of Compliance
The first step, Claypoole said, is understanding the compliance obligations the company faces. These obligations include both regulatory requirements (which are tightening) as well as contract terms from customers.

“For a business, that can be scary, because your business may be agreeing to contract terms with customers and they aren’t asking you about the security requirements in those contracts,” Wilson said.

The panel also noted that “compliance” and “security” aren’t the same thing. Compliance is a minimum set of standards that must be met, while security is a more wide-reaching goal.

But company leaders must realize they can’t have a perfect cybersecurity system, even if they could afford it. It’s important to identify priorities—including which operations are the most important to the company and which would be most disruptive if they went offline.

Wilson noted that global privacy regulations are increasing and becoming stricter every year. In addition, federal officials have taken criminal action against CSOs in recent years.

“Everybody’s radar is kind of up,” Tuttle said. The increasing compliance pressure also means it’s important for cybersecurity teams to work collaboratively with other departments, rather than making key decisions in a vacuum. Inskeep said such decisions need to be carefully documented as well.

“If you get to a place where you are being investigated, you need your own lawyer,” Claypoole said.

TED CLAYPOOLE, PARTNER, WOMBLE BOND DICKINSON

Cyberinsurance is another consideration for data privacy teams, and it can help Chief Security Officers make the case for more resources (both financial and work hours). Inskeep said cyberinsurance questions also can help companies identify areas of risk and where they need to prioritize their efforts. Such priorities can change, and he said companies need to have a committee or some other mechanism to regularly review and update cybersecurity priorities.

Wilson said one positive change he’s seen is that top executives now understand the importance of cybersecurity and are more willing to include cybersecurity team members in the up-front decision-making process.

Bringing in Outside Expertise
Consultants and vendors can be helpful to a cybersecurity team, particularly for smaller teams. Companies can move certain functions to third-party consultants, allowing their own teams to focus on core priorities.

“If we don’t have that internal expertise, that’s a situation where we’d call in third-party resources,” Wilson said.

Bringing in outside professionals also can help a company keep up with new trends and new technologies.

Ultimately, a proactive and well-coordinated cybersecurity strategy is indispensable for safeguarding the digital landscape of modern enterprises. With an ever-evolving threat landscape, companies must be agile in their approach and continuously review and update their security measures. At the core of any effective cybersecurity plan is a comprehensive risk management framework that identifies potential vulnerabilities and outlines steps to mitigate their impact. This framework should also include incident response protocols to minimize the damage in case of a cyberattack.

In addition to technology and processes, the human element is crucial in cybersecurity. Employees must be educated on how to spot potential threats, such as phishing emails or suspicious links, and know what steps to take if they encounter them.

Key Takeaways:
  • What are the biggest risk areas and how do you minimize those risks?
  • Know your external cyber footprint. This is what attackers see and will target.
  • Align with your team, your peers, and your executive staff.
  • Prioritize implementing multi-factor authentication and controlling access to protect against common threats like phishing and ransomware.
  • Develop reliable backup systems and robust incident response plans to recover lost data and respond quickly to cyber incidents.
  • Engage team members who are not on the front lines of cybersecurity to ensure quick identification and escalation of potential threats.
  • Conduct tabletop exercises and security awareness training regularly.
  • Leverage intern programs and help desk personnel to build a strong cybersecurity team internally.
  • Explore remote work options to widen the talent pool for hiring cybersecurity professionals, while keeping remote workers engaged and integrated.
  • Balance regulatory compliance with overall security goals, understanding that compliance is just a minimum standard.

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.

by: Theodore F. Claypoole of Womble Bond Dickinson (US) LLP

American Privacy Rights Act Advances with Significant Revisions

On May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (“APRA”), which was released just 36 hours before the markup session. With the subcommittee’s approval, the APRA will now advance to full committee consideration. The revised draft includes several notable changes from the initial discussion draft, including:

  • New Section on COPPA 2.0 – the revised APRA draft includes the Children’s Online Privacy Protection Act (COPPA 2.0) under Title II, which differs to a certain degree from the COPPA 2.0 proposal currently before the Senate (e.g., removal of the revised “actual knowledge” standard; removal of applicability to teens over age 12 and under age 17).
  • New Section on Privacy By Design – the revised APRA draft includes a new dedicated section on privacy by design. This section requires covered entities, service providers and third parties to establish, implement, and maintain reasonable policies, practices and procedures that identify, assess and mitigate privacy risks related to their products and services during the design, development and implementation stages, including risks to covered minors.
  • Expansion of Public Research Permitted Purpose – as an exception to the general data minimization obligation, the revised APRA draft adds another permissible purpose for processing data for public or peer-reviewed scientific, historical, or statistical research projects. These research projects must be in the public interest and comply with all relevant laws and regulations. If the research involves transferring sensitive covered data, the revised APRA draft requires the affirmative express consent of the affected individuals.
  • Expanded Obligations for Data Brokers – the revised APRA draft expands obligations for data brokers by requiring them to include a mechanism for individuals to submit a “Delete My Data” request. This mechanism, similar to the California Delete Act, requires data brokers to delete all covered data related to an individual that they did not collect directly from that individual, if the individual so requests.
  • Changes to Algorithmic Impact Assessments – while the initial APRA draft required large data holders to conduct and report a covered algorithmic impact assessment to the FTC if they used a covered algorithm posing a consequential risk of harm to individuals, the revised APRA requires such impact assessments for covered algorithms to make a “consequential decision.” The revised draft also allows large data holders to use certified independent auditors to conduct the impact assessments, directs the reporting mechanism to NIST instead of the FTC, and expands requirements related to algorithm design evaluations.
  • Consequential Decision Opt-Out – while the initial APRA draft allowed individuals to invoke an opt-out right against covered entities’ use of a covered algorithm making or facilitating a consequential decision, the revised draft now also allows individuals to request that consequential decisions be made by a human.
  • New and/or Revised Definitions – the revised APRA draft’s definition section includes new terms, such as “contextual advertising” and “first party advertising.” The revised APRA draft also redefines certain terms, including “covered algorithm,” “sensitive covered data,” “small business” and “targeted advertising.”

Whistleblower Tax Fraud Lawsuit Against Bitcoin Billionaire Settles for $40 Million

MicroStrategy’s founder is alleged to have falsified tax documents for ten years. The settlement resolves the first whistleblower lawsuit filed under 2021 amendments to the DC False Claims Act.

Key Takeaways
  • On June 3, the District of Columbia Office of the Attorney General announced the $40 million settlement with Michael Saylor
  • It is the largest income tax recovery in D.C. history
  • The settlement, which resolves a qui tam lawsuit filed under the DC False Claims Act, underscores the power of whistleblowers in combatting tax fraud

On June 3, the District of Columbia Office of the Attorney General (OAG) made a landmark announcement. The billionaire founder of MicroStrategy Incorporated, Michael Saylor, settled a tax fraud lawsuit for a staggering $40 million. This case, stemming from a qui tam whistleblower suit filed under the District’s False Claims Act, marks a significant milestone in the fight against tax fraud. The OAG declared this the largest income tax recovery in D.C. history, underscoring the importance of this case.

The DC False Claims Act
This settlement is not just a victory for the District but also a testament to the power of whistleblowers. Under the 2021 extension of the D.C. False Claims Act, individuals have the power to file qui tam suits against large companies and suspected tax evaders. The 2021 amendments even offer monetary awards to those who report tax cheats. This settlement, the first under these amendments, serves to put would-be tax cheats on notice.

As the District of Columbia expands its arsenal against tax fraud, other states should take note. The DC False Claims Act, now covering tax fraud, has become a powerful tool in the fight against financial misconduct. With the District joining the ranks of Delaware, Florida, Illinois, Indiana, Nevada, New York, and Rhode Island as states where false claims suits may be brought based on tax fraud claims, the fight against tax cheats looks promising.

The Case Against Saylor
In 2021, unnamed whistleblowers filed a lawsuit against Saylor, alleging that he had defrauded the District and failed to pay income taxes from 2014 to 2020. The OAG independently investigated these claims and filed a separate complaint against Saylor. The District’s lawsuit alleged that Saylor claimed to be a resident of Florida and Virginia to avoid paying over $25 million in income taxes. Another suit was filed against MicroStrategy, claiming it falsified records and statements that facilitated Saylor’s tax avoidance scheme.

The District’s allegations against Saylor paint a picture of a lavish lifestyle. Saylor is accused of unlawfully withholding tens of millions in tax revenue by claiming to live in a lower tax jurisdiction to avoid paying D.C. income taxes. The OAG’s investigation revealed that Saylor owned a 7,000-square-foot luxury penthouse overlooking the Potomac Waterfront and docked multiple yachts in the Washington Harbor. He purchased three luxury condominium units at 3030 K Street NW to combine into his current residence and a penthouse unit at the Eden Condominiums, 2360 Champlain St. NW. The Attorney General compiled several posts from Saylor’s Facebook, in which he boasted about the view from his D.C. residence.

Furthermore, the OAG found evidence that Saylor purchased a house in Miami Beach, obtained a Florida driver’s license, registered to vote in Florida, and falsely listed his residence on MicroStrategy W-2 forms. Attorney General Brian L. Schwalb stated, “Saylor openly bragged about his tax-evasion scheme, encouraging his friends to follow his example and contending that anyone who paid taxes to the District was stupid.”

The lawsuits allege that records from Saylor’s security detail provide Saylor’s physical location and travel from 2015 to 2020 and show that across six years, Saylor spent 449 days in Florida and 1,397 days in the District. Saylor allegedly directed MicroStrategy employees to aid his scheme to avoid paying District income taxes. The District claims that for the last ten years, MicroStrategy has falsely reported its income tax exemption on Saylor’s wages, claiming he was tax-exempt due to his residential status.

Saylor agreed to pay the District $40 million to resolve the allegations against him and MicroStrategy.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.

by: Whistleblower Law at Kohn Kohn Colapinto of Kohn, Kohn & Colapinto

Acting U.S. Attorney Levy Forecasts False Claims Act COVID Cases Targeting Private Lenders Of CARES Act Loans That Failed In Their Obligation To Safeguard Government Funds

Acting U.S. Attorney Joshua Levy discussed the enforcement priorities for the Massachusetts U.S. Attorney’s Office (USAO) during a Q&A session on May 29, 2024, and made clear that the historical focus of the office remains the top priority: detecting and combating health care fraud, waste, and abuse. In particular, both Levy and Chief of the USAO’s Civil Division, Abraham George, have recently indicated that the government will pursue large dollar COVID fraud cases both criminally and civilly. As we have discussed previously, we expect False Claims Act (FCA) COVID cases to materialize in the coming years as the government zeroes in on wrongdoers via enhanced data analytics and AI tools as well as via traditional investigative methods and the forthcoming Whistleblower Rewards Program.

Recent COVID FinTech Lender, Kabbage, $120 MM False Claims Act Settlement

The recent Kabbage settlement is illustrative of the types of COVID cases the office is looking to bring pursuant to the FCA. Acting U.S. Attorney Levy discussed the settlement, publicized in May, with now-bankrupt online lender Kabbage Inc. Kabbage allegedly knowingly processed and submitted thousands of false claims for Paycheck Protection Program (PPP) loan forgiveness, loan guarantees, and processing fees. The PPP – a loan program for small businesses created via the Coronavirus Aid, Relief, and Economic Security (CARES) Act – was administered by the federal Small Business Administration (SBA). The CARES Act authorized private lenders to approve PPP loans for eligible borrowers, who could later seek forgiveness for the loans if they used the proceeds for eligible expenses, including employee payroll.

Among other things, participating PPP lenders were obligated to 1) confirm borrowers’ average monthly payroll costs against PPP loan documentation; and 2) follow applicable Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. The SBA guaranteed any unforgiven or defaulted PPP loans as long as the private lender adhered to PPP requirements.

Private lenders received a fixed fee calculated as a percentage of the loan amount. Here, U.S. Attorney Levy’s office alleged that Kabbage awarded inflated and fraudulent loans to maximize its profits, then sold its assets and left the remaining company financially depleted, leading to bankruptcy. Kabbage was allegedly aware of the following errors as of April 2020, failed to correct them, and continued to make improper loan disbursements after learning of the issues:

  1. double-counting state and local taxes paid by employees when calculating gross wages;
  2. failing to exclude annual compensation above $100,000 per employee; and
  3. improperly calculating employee leave and severance payments.

Kabbage also allegedly failed to implement appropriate fraud controls to comply with the PPP, BSA, and AML by knowingly:

  1. removing underwriting steps to facilitate processing a high volume of loan applications and maximizing loan processing fees;
  2. setting substandard fraud check thresholds;
  3. relying on automated tools that were inadequate in identifying fraud;
  4. devoting insufficient personnel to conduct fraud reviews;
  5. discouraging its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and
  6. submitting to the SBA thousands of dubious PPP loan applications that were fraudulent or highly suspicious.

The settlement, which will result in the U.S. securing up to $120 million pursuant to bankruptcy proceedings, resolves qui tam complaints brought by two separate whistleblowers: an accountant who submitted PPP loan applications to multiple lenders and a former analyst in Kabbage’s collection department.

Predictions for Future COVID Fraud Enforcement

Acting U.S. Attorney Levy’s comments make clear that we can expect to see FCA COVID cases targeting private lenders of CARES Act loans that failed in their obligation to safeguard government funds. To date, COVID fraud prosecution has largely targeted “low-hanging fruit” criminal cases, such as those involving submission of false information to obtain COVID relief funding that the recipient spends on luxury items. We discussed in April that the COVID Fraud Enforcement Task Force (CFETF) and a bipartisan group of Senators had, via a report and draft legislation, pleaded with Congress to increase funding to prosecute COVID fraud. Investigations such as those involving Kabbage require a large investment of resources and, as U.S. Attorney Levy commented, his office must prioritize large-dollar COVID fraud cases most likely to result in specific and general fraud deterrence.

As we have written previously, the government is playing a long game tracking COVID fraud. The Justice Department’s CFETF reported in April that, to date, the DOJ had seized or forfeited $1.4 billion in stolen relief funds, brought criminal charges against 3,500 defendants, and reached 400 civil settlements. With a ten-year statute of limitations and increasingly accurate data analytics tools, we expect the DOJ will continue to identify and recover misappropriated funds from large and lower dollar fraudsters. So long as COVID fraud enforcement remains a well-funded priority of the government, we anticipate a steady stream of FCA COVID settlements involving lenders and borrowers. The government is casting a wide net to recoup the estimated nearly $300 billion in COVID fraud. We will continue to monitor and report on developments.

Paperless Power: Exploring the Legal Landscape of E-Signatures and eNotes

In an era characterized by rapid technological advancements and the profound shift towards remote work, the traditional concept of signing documents with pen and paper has evolved. Electronic signatures, or e-signatures, have emerged as a convenient and efficient alternative, promising to streamline processes, reduce paperwork, and enhance accessibility. Organizations are increasingly embracing e-signatures for a wide range of transactions, prompting a closer examination of their legal validity.

WHAT IS AN “E-SIGNATURE”?

An e-signature encompasses any electronic sound, symbol, or process associated with a record and executed with the intent to sign. These can range from scanned images of handwritten signatures to digital representations generated by specialized software.

GOVERNING LAW:

The governing law for e-signatures in the United States includes both state-specific laws, like those based on the Uniform Electronic Transactions Act (UETA), and the federal ESIGN Act. ESIGN applies to interstate and foreign transactions, harmonizing electronic transactions across state lines. Many states, including Massachusetts (whose version is referred to here as MUETA), have adopted UETA, reinforcing the legal standing of e-signatures within their jurisdictions.

VALIDITY AND REQUIREMENTS:

Generally, e-signatures are legally binding in the Commonwealth of Massachusetts. However, certain documents like wills, adoption papers, and divorce decrees are excluded from the scope of ESIGN and MUETA to safeguard consumer rights and maintain traditional legal practices.

The following components must be present for e-signatures to be fully protected and upheld under ESIGN and MUETA:

  • Intent: each party intended to execute the document;
  • Consent: there must be express or implied consent from the parties to do business electronically (under MUETA, consumer consent disclosures may also be required). In addition, signers should have the option to opt out;
  • Association: the e-signature must be “associated” with the document it is intended to authenticate; and
  • Record Retention: records of the transaction and e-signature must be retained electronically.

Meeting these requirements ensures that e-signatures have the same legal validity and enforceability as traditional handwritten, wet-ink signatures in Massachusetts.

ENFORCEABILITY OF E-NOTES AND CONCERNS FOR FINANCIAL INSTITUTIONS:

An eNote is an electronically created, signed, and stored promissory note. It differs from scanned signatures on paper or PDF copies. Governed by Article 3 of the Uniform Commercial Code (UCC), eNotes are considered negotiable instruments and therefore require special treatment. ESIGN provides a framework for their use, emphasizing the concept of a “transferable record.” This electronic record, meeting UCC standards, grants the same legal rights as a traditional paper note to the person in “control.” The objective of “control” is for there to be a single authoritative copy of the promissory note that is unique, identifiable, and unalterable. Therefore, proving authenticity and lender control over eNotes can be complex.

In Massachusetts, specific foreclosure laws require the presentation of the original note. Thus, lenders should be cautious with eNotes, as possessing an original, physical note greatly reduces enforceability risks.

Further, because of the sensitive nature of financial transactions and the potential risks involved, financial institutions often face heightened scrutiny when using e-signatures to ensure security, compliance, and consumer protection.

RECORDABLE DOCUMENTS:

E-signatures have become widely accepted for recording purposes, including in real estate transactions, due to their convenience and efficiency. The implementation of e-signatures for recording has been facilitated and standardized by legislation such as the Uniform Real Property Electronic Recording Act (URPERA). While URPERA offers a comprehensive framework for electronic recording, its adoption varies from state to state. In Massachusetts, URPERA has not yet been formally adopted, leaving recording procedures subject to individual county regulations.

BEST PRACTICES:

Despite the legal recognition of e-signatures under both ESIGN and MUETA, to ensure compliance, organizations should adopt the following best practices:

  1. Obtain Consent: Obtain (and retain) affirmative consent from parties to conduct transactions electronically.
  2. Association: Establish a clear and direct connection between an electronic signature and the electronic record it is intended to authenticate.
    • Embedding: One common method of meeting the association requirement is embedding e-signatures directly within electronic documents.
    • Metadata and Audit Trails: Another method is using metadata and audit trails. Metadata contains signature details like signing date, time, signer identity, and transaction specifics. Audit trails chronicle all document actions, reinforcing the link between signatures and records.
  3. Ensure the Integrity of Electronic Records:
    • Authenticity and Integrity: Use secure methods to authenticate the identity of signatories and ensure the integrity of the electronic records. This can include digital signatures, encryption, and secure access controls.
    • Single Authoritative Copy: For transferable records (eNotes), ensure that there is a single authoritative copy that is unique, identifiable, and unalterable except through authorized actions.
  4. Maintain Accessibility and Retainability: Ensure that electronic records are retained in a format that is accessible and readable for the required retention period. This includes being able to accurately reproduce the record in its original form.
  5. Security Measures: Implement robust cybersecurity measures to protect against unauthorized access, alteration, or destruction of electronic records. This includes using firewalls, encryption, and secure user authentication methods.
  6. Provide Consumer Protections: Ensure that consumers have the option to receive paper records and can withdraw their consent to electronic records at any time.
  7. Legal and Regulatory Updates: Keep abreast of any updates or changes in the legal and regulatory landscape regarding electronic transactions and records. Adjust policies and practices accordingly to remain compliant.
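
As an added illustration (not code from the original article or its authors) of how the Association, Metadata and Audit Trails, and Single Authoritative Copy practices above can be made verifiable, the following Python example hash-binds each signature to the exact record bytes, chains every action into a tamper-evident trail, and compares that trail against a separately retained tail digest. The note text, party names and timestamps are constructed sample data.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # prev_hash of the first audit entry (nothing precedes it)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    """One chronicled action on the record: the signature metadata the text lists."""
    action: str            # "sign" or "amend"
    actor: str             # signer identity, or the party authorizing an amendment
    timestamp: str         # signing date and time (ISO 8601)
    record_hash: str       # SHA-256 of the record bytes at the time of the action
    intent: str            # statement of intent to sign, or reason for the amendment
    consent_on_file: bool  # the party consented to transact electronically
    prev_hash: str         # digest of the previous entry; chains the trail

    def digest(self) -> str:
        # Canonical JSON so an unchanged entry always hashes the same way.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class ElectronicRecord:
    """A record whose content may only change through a chronicled, authorized action."""

    def __init__(self, content: bytes) -> None:
        self.content = content
        self.trail: list[AuditEntry] = []

    def _append(self, **fields) -> AuditEntry:
        prev = self.trail[-1].digest() if self.trail else GENESIS
        entry = AuditEntry(record_hash=sha256_hex(self.content), prev_hash=prev, **fields)
        self.trail.append(entry)
        return entry

    def sign(self, signer: str, timestamp: str, intent: str, consent_on_file: bool) -> AuditEntry:
        # Consent and intent are captured with the signature, not assumed afterwards.
        if not consent_on_file:
            raise PermissionError(f"{signer} has not consented to transact electronically")
        return self._append(action="sign", actor=signer, timestamp=timestamp,
                            intent=intent, consent_on_file=True)

    def amend(self, new_content: bytes, authorized_by: str, timestamp: str, reason: str) -> AuditEntry:
        """The only sanctioned way to change content: the change itself is chronicled."""
        if not authorized_by:
            raise PermissionError("an amendment must name the authorizing party")
        self.content = new_content
        return self._append(action="amend", actor=authorized_by, timestamp=timestamp,
                            intent=reason, consent_on_file=True)

    def tail_digest(self) -> str:
        """Digest of the latest entry; retain it elsewhere so the trail cannot be rewritten silently."""
        return self.trail[-1].digest() if self.trail else GENESIS

    def verify(self, retained_tail: str | None = None) -> list[str]:
        """Return the problems found; an empty list means record and trail are consistent."""
        problems: list[str] = []
        expected_prev = GENESIS
        for i, entry in enumerate(self.trail):
            if entry.prev_hash != expected_prev:
                problems.append(f"entry {i}: audit chain broken")
            if entry.action == "sign" and not entry.consent_on_file:
                problems.append(f"entry {i}: signature recorded without consent")
            expected_prev = entry.digest()
        if not self.trail:
            problems.append("record has never been signed")
        elif self.trail[-1].record_hash != sha256_hex(self.content):
            problems.append("content altered outside the audit trail")
        if retained_tail is not None and retained_tail != expected_prev:
            problems.append("audit trail does not match the retained tail digest")
        return problems


def demo() -> dict:
    """Constructed sample: a signed note, a refused signature, an authorized amendment, two tampering attempts."""
    v1 = b"Promissory note: borrower promises to pay $10,000 by 2025-06-01."
    v2 = b"Promissory note: borrower promises to pay $10,000 by 2025-07-01."
    note = ElectronicRecord(v1)
    note.sign("A. Borrower", "2024-06-01T10:00:00Z", "I agree to the terms of this note", True)
    clean = note.verify()
    try:  # a signer who never consented to electronic transactions is refused
        note.sign("B. Guarantor", "2024-06-01T11:00:00Z", "I guarantee this note", False)
        refused = False
    except PermissionError:
        refused = True
    note.amend(v2, "Lender Ops", "2024-06-02T09:00:00Z", "corrected maturity date")
    retained = note.tail_digest()  # kept with the retention records, outside the trail
    amended = note.verify(retained)
    note.content = b"Promissory note: borrower promises to pay $1,000 by 2025-07-01."  # out-of-band edit
    altered = note.verify(retained)
    note.content = v2  # restore content, then forge the final trail entry instead
    note.trail[-1] = replace(note.trail[-1], actor="M. Forger")
    forged = note.verify(retained)
    return {"clean": clean, "refused": refused, "amended": amended,
            "altered": altered, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The forged-entry case is why the retained tail digest matters: a hash chain alone cannot reveal that its last link was rewritten.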

CONCLUSION:

While e-signatures offer significant benefits for modern commerce, including efficiency and convenience, their adoption requires careful consideration, especially regarding legal and regulatory compliance. By adhering to best practices and remaining vigilant, businesses and individuals can leverage e-signatures effectively in today’s digital economy.

CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.

We have provided ongoing analysis and commentary on this issue as it has developed. See below for more context on legislative and regulatory efforts to curb “junk fees”:

Zeba Pirani contributed to this article.

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors are Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities responding to owner/operator requests are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as debarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.
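As an added illustration of the “regulatory notification chart” suggested above (example code written for this summary, not CISA’s or the authors’ own tooling), the following Python tracker turns an incident timeline into the CIRCIA report obligations described in this post: a Covered Cyber Incident Report within 72 hours of identification, a Ransom Payment Report within 24 hours of payment, a Joint report where a payment precedes the incident report, Supplemental Reports within 24 hours of new information or additional payments, and a two-year retention date. The event names, the rule that a joint report takes the earlier of the two windows, and the treatment of later payments as supplemental reports are assumptions made for the example, not statements of the rule; the sample timestamps are constructed.

```python
"""Illustrative CIRCIA notification-deadline tracker (added example).

Only the report types and windows summarized in the post are modelled;
how an organization maps its own events onto them is an assumption here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INCIDENT_WINDOW = timedelta(hours=72)      # Covered Cyber Incident Report
RANSOM_WINDOW = timedelta(hours=24)        # Ransom Payment Report
SUPPLEMENTAL_WINDOW = timedelta(hours=24)  # Supplemental Report
RETENTION_YEARS = 2                        # "at least two years"


@dataclass(frozen=True)
class Obligation:
    report_type: str
    trigger: str
    trigger_at: datetime
    due: datetime


def schedule_reports(identified, ransom_payments=(), new_information=(),
                     incident_report_filed=None):
    """Return the reports an incident timeline triggers, earliest deadline first.

    identified            -- when the entity reasonably believed the incident occurred
    ransom_payments       -- datetimes of each ransom payment
    new_information       -- datetimes at which substantially new information emerged
    incident_report_filed -- when the incident report was filed, or None if not yet
    """
    payments = sorted(ransom_payments)
    obligations = []
    if payments and (incident_report_filed is None or payments[0] < incident_report_filed):
        # Assumption: a payment made before the incident report is filed is covered
        # by a joint report; use the earlier window so neither deadline is missed.
        first = payments[0]
        obligations.append(Obligation(
            "Joint Covered Cyber Incident and Ransom Payment Report",
            "ransom paid before incident report filed", first,
            min(identified + INCIDENT_WINDOW, first + RANSOM_WINDOW)))
    else:
        obligations.append(Obligation("Covered Cyber Incident Report",
                                      "incident identified", identified,
                                      identified + INCIDENT_WINDOW))
        if payments:
            obligations.append(Obligation("Ransom Payment Report", "ransom paid",
                                          payments[0], payments[0] + RANSOM_WINDOW))
    # Assumption: every further payment is reported as a supplemental report.
    for paid_at in payments[1:]:
        obligations.append(Obligation("Supplemental Report", "additional payment",
                                      paid_at, paid_at + SUPPLEMENTAL_WINDOW))
    for seen_at in sorted(new_information):
        obligations.append(Obligation("Supplemental Report", "new information",
                                      seen_at, seen_at + SUPPLEMENTAL_WINDOW))
    return sorted(obligations, key=lambda o: o.due)


def overdue(obligations, now):
    """Obligations whose deadline has already passed at `now`."""
    return [o for o in obligations if o.due < now]


def retention_until(identified):
    """Earliest date the supporting data may be discarded (two years on)."""
    try:
        return identified.replace(year=identified.year + RETENTION_YEARS)
    except ValueError:  # 29 February has no counterpart two years later
        return identified.replace(year=identified.year + RETENTION_YEARS, month=3, day=1)


def notification_chart(obligations):
    """Plain-text chart suitable for an incident response runbook."""
    rows = [f"{'Report':<55} {'Trigger':<40} Due (UTC)"]
    for o in obligations:
        rows.append(f"{o.report_type:<55} {o.trigger:<40} {o.due:%Y-%m-%d %H:%M}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed sample timeline: ransomware identified Monday morning,
    # payment made the next afternoon, new forensic findings two days later.
    utc = timezone.utc
    identified = datetime(2024, 6, 3, 9, 0, tzinfo=utc)
    paid = datetime(2024, 6, 4, 15, 0, tzinfo=utc)
    findings = datetime(2024, 6, 6, 8, 0, tzinfo=utc)
    chart = schedule_reports(identified, ransom_payments=[paid], new_information=[findings])
    print(notification_chart(chart))
    print("retain supporting data until", retention_until(identified).date())
```

The tracker deliberately uses the earliest applicable deadline whenever two windows overlap; the cost of filing early is small, whereas the page notes that a missed report can lead to an RFI and civil action. Counsel should confirm how the final rule treats joint and supplemental filings before the chart is adopted in a runbook.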


Summer, Baseball and H-1B Visa Filings in Full Swing

As summer and baseball season are now in full swing, so is the H-1B filing season. The U.S. Citizenship and Immigration Services (USCIS) completed its initial round of selections on April 1, prompting immigration practitioners and employers to get filings across home plate by June 30. However, many potential employees are stuck in the dugout, so to speak, unable to get in the game, as they were not selected in the H-1B lottery.

The H-1B visa category provides temporary work authorization to individuals employed in a role involving a specialty occupation. Most commonly known for its restrictive numerical limitations, the H-1B visa category caps the number of new visas issued each year at 65,000, with an additional 20,000 available to graduates of U.S. master’s degree programs. While 85,000 H-1B visa holders would be more than twice the capacity of the Atlanta Braves’ Truist Park, it has become increasingly difficult to obtain an H-1B visa under the current lottery system due to a high volume of submissions, the increased likelihood of fraud, and the number of submissions designed to beat the system.

While the H-1B remains a first choice among U.S. employers for the temporary employment of foreign nationals, many wonder whether it continues to be a game worth playing. Such thoughts have prompted employers to turn to other non-immigrant visa lineups, such as the H-1B1, E-3, TN, and O-1:

H-1B1, Specialty Occupation Workers from Chile or Singapore

The H-1B1 visa is a subcategory of the H-1B category, providing work authorization options to specialty occupation workers from Chile and Singapore. Current laws limit the annual number of qualifying foreign workers eligible to obtain an H-1B1 visa to 6,800, allocating 1,400 for nationals of Chile and 5,400 for those of Singapore.

The greatest advantage of this subclassification is the ability to forgo the H-1B visa lottery. Further, the H-1B1 visa does not have a six-year limit. The period of employment is one year, with subsequent extensions available in one-year increments.

E-3, Specialty Occupation Workers From Australia

Applying only to nationals of Australia, the E-3 nonimmigrant visa classification provides another option for specialty occupation workers. Similar to the H-1B1, participation in the annual H-1B lottery is not a prerequisite to admission in E-3 status.

TN, Temporary Workers From Mexico and Canada

Yet another alternative to the H-1B visa is the TN visa, designated for select professionals who are citizens of Canada and Mexico. The United States-Mexico-Canada Agreement (USMCA), formerly the North American Free Trade Agreement (NAFTA), provides special economic and trade relationships for the U.S., Canada and Mexico. This classification permits qualified Canadian and Mexican citizens to work temporarily in the U.S. at a professional level. Professions on the list include accountants, engineers, lawyers, pharmacists, scientists and teachers.

Employers focused on expediency surely are interested in this nonimmigrant visa category. Not only does the TN visa forgo the H-1B lottery, but it also can bypass the Labor Condition Application requirement, a Department of Labor process that takes approximately seven days.

O-1, Individuals of Extraordinary Ability

The O-1 nonimmigrant visa is for the individual who possesses extraordinary ability in the sciences, arts, education, business, or athletics, or who has a demonstrated record of extraordinary achievement in the motion picture or television industry and received recognition nationally or internationally for such achievements. Those eligible for O-1A classification are individuals with an extraordinary ability in the sciences, education, business, or athletics (not including the arts, motion pictures or television industry).

The O-1B visa category is intended for individuals with an extraordinary ability in the arts or extraordinary achievement in motion picture or television industry.

Of particular importance, one of the top benefits of an O-1 visa in comparison to an H-1B is the lack of annual limits on the number of O-1 visas issued. Because no numerical cap or lottery process restricts the O-1 visa, filings are not confined to a specific annual filing window, unlike some other nonimmigrant visa categories. Further, the overall cost of the O-1 process can be significantly less.

The O-1 visa category also boasts employer flexibility as the beneficiary does not have to be directly employed by the entity for which they will work, but could work for a U.S. agent. The O-1 also provides significant relief with respect to the potential length of the visa, as this nonimmigrant visa classification offers unlimited one-year extensions of the initial three-year period.

As many potential H-1B employees have not received the call-up, these other nonimmigrant visa categories present viable alternatives.

Tieranny L. Cutler, independent contract attorney, co-authored this article.

Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry side, there has been activity focused on data brokers, those in the health space, and those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There has also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally in this area, Utah enacted a Motor Vehicle Data Protection Act applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed at particular groups of individuals, in particular laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024 respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas, but the drafters hope they are sufficiently different to survive the challenges those laws currently face. The FTC is also exploring updates to its decades-old Children’s Online Privacy Protection Act rule.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.


White House Publishes Steps to Protect Workers from the Risks of AI

Last year the White House weighed in on the use of artificial intelligence (AI) in businesses.

Since the executive order, several government entities including the Department of Labor have released guidance on the use of AI.

And now the White House published principles to protect workers when AI is used in the workplace.

The principles apply to both the development and deployment of AI systems. These principles include:

  • Awareness – Workers should be informed of and have input in the design, development, testing, training, and use of AI systems in the workplace.
  • Ethical development – AI systems should be designed, developed, and trained in a way to protect workers.
  • Governance and Oversight – Organizations should have clear governance systems and oversight for AI systems.
  • Transparency – Employers should be transparent with workers and job seekers about AI systems being used.
  • Compliance with existing workplace laws – AI systems should not violate or undermine workers’ rights, including the right to organize, health and safety rights, and other worker protections.
  • Enabling – AI systems should assist workers and improve their job quality.
  • Supportive during transition – Employers should support workers during job transitions related to AI.
  • Privacy and Security of Data – Workers’ data collected, used, or created by AI systems should be limited in scope and used only to support legitimate business aims.