April 30, 2013

Before You're Hacked: Risks Associated With Data Security Breaches And How To Address Them Now

Don Hankins / Foter.com / CC BY
Data security breaches continue to increase as a source of financial, legal, and reputational risk for a wide array of businesses.  Financial institutions have long been aware of the significant risks they face, and other industries are catching on quickly.

In the event of a significant breach, most states require a company to notify the affected customers, the attorney general, and the consumer reporting bureaus.  A recent article in Inc. magazine counted 46 states and the District of Columbia as currently having data breach notification laws.

One result of the notices required by these laws is that watchdog groups are better able to monitor breaches.  According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 447 data security breaches reported in 2012, covering 17,317,184 individual records.  However, this is not the entire picture.  Breaches affecting a smaller number of customers may not be required to be reported, and are therefore not included in the publicly-available statistics.  For example, under North Carolina's Identity Theft Protection Act, only breaches affecting 1,000 or more individuals must be reported to the Attorney General's office and consumer reporting bureaus.

Data security breaches can be very, very expensive.  A study conducted by online risk management firm NetDiligence reported that in 2011, the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000. The same study indicates that 26% of data breach lawsuits were brought against companies in the financial services sector, with 20% in the health care sector and 10% in the retail sector. 

What can a company do now--before a breach--to address this risk?
  • Commercially Reasonable Security Measures and Policies.  Companies should know the most common types of threats and take reasonable measures to prevent them.  This should include technological standards and well-thought-out policies.  

  • Due Diligence on Third Parties.  Several recent major data security breaches have arisen out of vendors who obtained customer information from another company.  The vendor usually has no direct relationship with the customer, and the customers typically sue the company with which they have a relationship in addition to the vendor.  Selecting third party vendors to handle your customers' information should involve a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible.  Knowing the right questions to ask is key.

  • Well-Drafted Contracts.  Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions.  Most of the proposed contracts I have seen presented to companies by third party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data.  A lawyer who understands the issues can help a company save large amounts in litigation fees and liability in the event of a subsequent breach.  This can be a case of a few hundred well-spent dollars saving potentially millions down the road. 
  • Cybersecurity Insurance.  A number of firms now offer insurance against losses arising from data security breaches.  I have seen this coverage available as an addition to directors and officers liability insurance coverage (a.k.a. D&O policy).   Again, this is an opportunity to spend a small amount that may ultimately save a company massive amounts later.
Given the enormous losses sustained as a result of the the reported breaches, it is conceivable that recognizing the risks presented by data security breaches and addressing them before they occur may ultimately make the difference between a company's survival and failure.

April 13, 2013

Will a More Consumer-Friendly Version of Payday Lending Return to North Carolina?

North Carolina was the first state to outlaw payday lending.  That was in 2001, after a four-year experiment beginning in 1997.  Now, a bill has been introduced in the North Carolina Senate to permit payday lending subject to various limitations designed to avoid the abuses that led to the ban. 

What is payday lending?

The term “payday lending” generally refers to a transaction in which a borrower writes a check to a lender for a small amount in exchange for cash in the amount of the check, minus a fee to the lender, and the lender promises not to present (cash or deposit) the check until a future date. The lender is aware that the borrower’s account on which the check is drawn does not then have sufficient funds to cover the amount of the check, but agrees because the borrower expects to receive a payroll check or other deposit between the date the check is written and the date it is to be presented for payment, and therefore the account will have sufficient funds at the future date. Proponents argue that payday lending provides important access to credit for individuals who could not otherwise get quick, unsecured credit from a traditional lender.

The problems with payday lending

Payday lending typically involves a “fee” rather than, or in addition to, interest.  If the payday loan is not paid off in a very short time period (usually a month or less), it will "roll over" and another fee will be due.  Over time, these fees may accumulate.  In the course of a year, the fees may be more than the interest payments on a loan would have been at an annual interest rate of over 300 percent.  Because of the dangers to irresponsible or vulnerable consumers, a majority of states regulate payday lending, and a small number have banned it entirely, according to the National Association of State Legislatures.  Payday lenders point out that high fees are necessary to justify the comparatively high risks of nonpayment.

Bill to reintroduce payday lending in North Carolina

Senate Bill 89 would allow "deferred presentment transactions," which are transactions in which the "lender" accepts a check dated as of actual date it was written but agrees, in writing, to hold the check for a period of time before depositing or cashing the check.  The Bill is patterned after the 1997 law that first regulated payday lending, but contains many consumer protection provisions, such as the following:
  • The Bill would require payday lenders to be licensed as a "check-cashing business" by the North Carolina Commissioner of Banks.
  • The lender would be allowed to charge a fee "to defray operational costs."  The fee would be limited to no more than fifteen percent (15%) of the cash advance amount.  (However, the fee for cashing a government check would remain capped at 3% or $5.00, as under current law.)  The fee would not be deemed interest for purposes of North Carolina law. (I suspect it would under federal law.)
  • No other fees or interest would be allowed to be charged or collected.
  • The maximum cash advance amount would be five hundred dollars ($500.00).
  • Each customer would be provided a written explanation in "clear and understandable language" of (i) the fees charged and (ii) the date on which the check will be deposited or presented for payment. 
  • A lender would not be allowed to defer presentment of a personal check for more than 35 calendar days after the date that the check is given to the lender.
  • A lender and its affiliate would be prohibited from rolling over a deferred presentment transaction.  Upon payment in full, the lender would be prohibited from entering into another deferred presentment transaction with the same customer for 24 hours.
  • The lender would be required to ask whether the borrower has outstanding checks at other check-cashing businesses and would be forbidden from knowingly entering into a deferred presentment transaction with a customer who did.
  • No customer whose check  is returned due to insufficient funds will be subject to criminal prosecution unless the customer lied to the lender. 
  • Pledges of collateral and guaranties would be prohibited.  
  • A notice must be conspicuously displayed at every place of business of a licensed lender stating the fees charged.
  • A licensed lender would be required to file with the NC Commissioner of Banks a current fee schedule. 
  • Members of the armed forces would be ineligible for the payday loans.  (Opponents of payday lending had argued that military members were particularly susceptible to predatory practices and that financial issues created by payday borrowing generated security clearance problems.)
The payday lending industry has reportedly hired ten lobbyists to push for this or similar legislation, and given the consumer protections built into the bill, it may have a chance at passage.  If approved by both houses of the General Assembly and signed by the Governor, the bill would become effective July 1, 2013.