By: Michael Ross and Jake Alderdice

On April 13, 2020, a federal district court in Maryland issued one of the first rulings to interpret the provisions of Congress’s Coronavirus Aid, Relief and Economic Security Act (the CARES Act), signed into law by President Trump on March 27, 2020.  At issue before the Court was whether Bank of America could be prevented from adding eligibility restrictions, beyond those in the Act, on small businesses applying for forgivable loans under the CARES Act’s $349 billion Paycheck Protection Program (PPP).  In denying relief to the prospective borrower, the district court found that the bank could impose additional eligibility criteria and that private parties were powerless to bring private actions to enforce the terms of the program.  Although just one data point, the early ruling may signal that courts will give lenders latitude in how they are carrying out CARES Act programs.

Background

Title I of the CARES Act established the Paycheck Protection Program (PPP), which provided for $349 billion in loans to small businesses.  These loans become fully forgivable if the businesses use them for certain purposes, such as maintaining their payroll.  Demand for the emergency loans quickly ate up the funding, with the entire $349 billion fund depleted by April 16, 2020, based on 1.4 million approved applications. Congress is currently debating providing additional funding for the program.

The CARES Act set out eligibility requirements for PPP borrowers, including, among others, that the businesses, with some exceptions, need to have fewer than 500 employees.  Following the program’s launch, news reports indicated that lenders were imposing additional requirements on potential borrowers, particularly to ensure borrowers had certain preexisting relationships with the lender.  In the case of Bank of America (BofA), early reports claimed that the bank required applicants to have both a preexisting deposit account and a lending account in order to apply for a PPP loan.  BofA later changed that requirement so that it only required a deposit account with the bank, and that the applicant not have a lending relationship elsewhere. BofA included simply having a credit card with another bank as a “lending relationship.”

On April 9, 2020, the Board of Governors of the Federal Reserve (Federal Reserve) announced an array of new and expanded programs designed to ease the economic dislocation caused by the COVID-19 pandemic. Together, these programs will provide up to $2.3 trillion in funding to support the flow of credit to US businesses of all sizes, individual households, and state and local governments. Although these programs in many ways mirror those established by the Federal Reserve after the 2008 financial crisis, there are some significant expansions and differences as well.

The support programs include:

• a new “Main Street” lending program that will provide up to $600 billion in loans to small- and medium-sized businesses;
• expanded corporate credit programs that will provide up to $750 billion to purchase corporate debt on the primary and secondary markets, including, in a significant departure for the Federal Reserve, debt that is rated below investment grade;
• a groundbreaking new program that will provide up to $500 billion in lending to state and local governments;
• up to $100 billion in loans for borrowers who pledge certain highly rated asset-backed securities (ABS), which will support consumer and other types of lending; and
• a new lending facility that will provide up to $350 billion in financing to banks to help them meet the overwhelming demand by small businesses for the Paycheck Protection Loans created by the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act).

To read the full article, click here.

By: Tracey Lattimer

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which updates New York’s data breach notification law (as set out in the New York General Business Law and New York State Technology Law) and implements new data security requirements.  On March 21, 2020, the SHIELD Act came into full effect.

The most significant changes introduced by the SHIELD Act include:

• The types of information that may trigger the data breach notification requirements have been expanded to include: (i) in combination with a personal identifier, an account number, credit or debit card number if such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password; (ii) in combination with a personal identifier, biometric information; and (iii) a user name or email address in combination with a password or security question and answer that would permit access to an online account.  (See definition of “private information” within the Act.)
• The Act introduces new data security requirements.  Any person or business that owns or licenses computerized data that includes private information of a New York resident must now develop, implement and maintain “reasonable safeguards to protect the security, confidentiality and integrity of the private information.”  The Act also sets out “reasonable” administrative, technical and physical safeguards that should be included in a compliant data security program.

The amendments to the data breach notification requirements came into force on October 23, 2019.  The new data security requirements came into force on March 21, 2020.

Under the Act, violations of the data breach notification requirements can attract a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, provided the latter amount shall not exceed $250,000 (an increase from the cap of $150,000 under the old law).  Similarly, violations of the data security requirements can attract a civil penalty of not more than $5,000 per violation (as set out in § 350-D of the New York General Business Law).

In order to comply with the SHIELD Act, companies throughout the United States that process information relating to New York residents should review the information they collect and consider whether they need to update their data protection and breach notification policies and procedures.  Such companies should also implement appropriate data security programs and safeguards as detailed in the Act.

By: Jason P. Hipp

As just one of the many aspects of New York State’s response to the coronavirus outbreak, last month, on March 21, 2020, New York Governor Andrew Cuomo issued Executive Order 202.9 (the Order), which directed institutions regulated by the New York Department of Financial Services (DFS) to provide financial relief to any person or business who has a financial hardship as a result of the COVID-19 pandemic for a period of ninety days. 

To carry out that general mandate, the Order directed DFS to ensure that “licensed or regulated entities”—which includes banks and savings banks, credit unions, investment companies and mortgage loan servicers, among others—provide to consumers in New York State an opportunity to make an application for a forbearance of mortgage payments (including principal and interest) to “any person or entity facing a financial hardship” resulting from the COVID-19 pandemic and grant such applications in “all reasonable and prudent circumstances.”  While the Order does not specify the precise meaning of the “forbearance,” when read in context of the Order as a whole, it appears to refer solely to a forbearance of mortgage payments for a consumer in New York State.  The Order also empowers DFS to issue regulations directing the restriction or modification of ATM fees, overdraft fees and credit card late fees.

The Order took effect on March 21, 2020, and, under a subsequent executive order issued on April 7, 2020, will remain in effect through May 7, 2020.

Days after the Order, on March 24, 2020, DFS issued emergency regulations implementing the Order.  Under the emergency regulations—which remain in effect for the same period of time as the Order— “New York regulated institutions” (which include both banking organizations and mortgage servicers) are required to grant forbearances of payments due on a residential mortgage for property in New York for ninety days for individuals who reside in New York and demonstrate COVID-19-related financial hardship.  3 NYCRR § 119.3(a).  Denial of such forbearance will subject an institution to a review by DFS of whether that activity constituted an unsafe or unsound practice (relying on several factors enumerated by DFS).  3 NYCRR § 119.3(f).  All DFS-regulated institutions are subject to such a review, notwithstanding language in the Order limiting the review to the practices of any “bank.”

By: Madeline Skitzki and Kate T. Spelman

As Zoom’s popularity has soared in recent weeks, the company has begun facing increasing scrutiny from both government regulators and consumer advocates.  Much of this scrutiny has focused on privacy and security concerns, including the following:

• “Zoombombing” incidents in which unauthorized individuals have allegedly hijacked Zoom meetings, often with racist or pornographic imagery;
• Zoom’s allegedly unauthorized disclosure of user data to third parties; and
• Zoom’s alleged use of transport encryption, rather than end-to-end encryption, which allegedly allows Zoom to access user video and audio content.

Government regulators at both the state and federal level have expressed concerns regarding these perceived privacy and security deficiencies.  Multiple state attorneys general, including those in New York, Florida, and Connecticut, have sought information on Zoom’s privacy practices.  Further, the Boston office of the FBI issued a warning and related guidance regarding Zoom’s privacy settings in response to reported “zoombombing” incidents.

By: Alexander N. Ghantous

On April 6, 2020, Richard Cordray, former director of the Consumer Financial Protection Bureau (CFPB), posted a white paper addressed to current CFPB Director Kathy Kraninger, listing 16 actions the agency should take to protect consumers during the COVID-19 pandemic.[1]  Cordray wants the CFPB to ensure that financial institutions continue complying with consumer protection laws.[2]  The recommended actions relate to mortgage servicing, foreclosure and eviction, vehicle repossession, debt collection and credit reporting.[3]  Examples of these recommendations are as follow:   

• Collect data regarding consumers’ experiences and widely disseminate the findings.[4] Cordray encourages the CFPB to use all of its tools to compile consumer marketplace data, particularly regarding what consumers need at this difficult time.[5]  According to Cordray, the CFPB can only protect consumers if it identifies current issues in the consumer marketplace.[6] 

• Provide assistance with preventing foreclosure.[7] The CARES Act (Act), recently passed by Congress, offers consumers protection against foreclosure if they are unable to pay their mortgage loans during the COVID-19 crisis.[8]  For mortgage loans that fall within the purview of the Act, the CFPB, with its supervisory power, can ensure that consumers are afforded this protection.[9]  Cordray encourages the CFPB to work alongside servicers and lenders to attempt to establish similar protections for mortgage loans that are not protected by the Act.[10]

In a recent blog post, TechGC highlighted a dinner that Jenner & Block hosted with TechGC in New York to discuss the use of alternative data when making consumer facing decisions.  At their dinner, “Navigating Enforcement Risks Associated with the Use of Alternative or Sensitive Data,” Kali Bracey, Joseph L. Noga, Michael W. Ross, Damon Y. Smith and Kate T. Spelman discussed what alternative data is, why consumers should care about it, what regulators are focused on and what consumers need to know when it comes to alternative data.

To read the blog post, please click here. 

A key part of the historic $2 trillion package to address the economic fallout from the coronavirus pandemic (the CARES Act or the Act) is the Paycheck Protection Program (PPP), which extends $349 billion in fully forgivable loans to small businesses, generally those with 500 or fewer employees, through the US Small Business Administration (SBA). In the past week, the SBA and the US Department of Treasury have issued initial guidance for the new program, which they then expanded and revised just hours before the program was officially launched on Friday, April 3, 2020. The preexisting lineup of 1,800 authorized SBA lenders can now distribute the loans, and lenders have reportedly processed over $2 billion in program funds as of Friday afternoon. To read more about this program, please click here. If you have any questions or feel that we can assist, please reach out to our task force.

On March 27, 2020, Congress passed the Coronavirus Aid, Relief and Economic Security Act (CARES Act), a historic $2 trillion stimulus package to address economic fallout from the COVID-19 pandemic. With the deep experience of Jenner & Block lawyers who served in government, including former Special Inspector General of the Troubled Asset Relief Program  Neil Barofsky, our COVID-19 Response Team includes members who played key leading roles in the country’s response to the last economic crisis. To read what they have to say, please click here. If you have any questions or feel that we can assist, please reach out to our task force.