Subprime Lending Settlement in Massachusetts

Attorney General Martha Coakley

Massachusetts Attorney General Martha Coakley’s Office announced that it has reached a settlement agreement with Goldman Sachs & Co stemming from the office’s investigation of subprime lending and securitization markets. The Attorney General’s Office has been investigating the role of investment banks in the origination and securitization of subprime loans in Massachusetts.

The Attorney General’s Office began its investigation into the securitization of subprime loans in December 2007, investigating whether securitizers may have:

  • facilitated the origination of “unfair” loans under Massachusetts law;
  • failed to ascertain whether loans purchased from originators complied with the originators’ stated underwriting guidelines;
  • failed to take sufficient steps to avoid placing problem loans in securitization pools;
  • been aware of allegedly unfair or problem loans;
  • failed to correct inaccurate information in securitization trustee reports concerning repurchases of loans; and
  • failed to make available to potential investors certain information concerning allegedly unfair or problem loans, including information obtained during loan diligence and the pre-securitization process, as well as information concerning their practices in making repurchase claims relating to loans both in and out of securitizations.

The settlement didn’t involve court action and Goldman didn’t acknowledge wrongdoing.

Under the agreement, Goldman will restructure loans for borrowers whose loans it holds. The Attorney General said there are about 714 of those borrowers. Goldman’s borrowers with first mortgages could see their principal reduced 25% to 35%, and those with second mortgages held could see principal reduced 50% or more. Reducing those loan amounts will cost Goldman $50 million. It has also agreed to have its subsidiary, Litton Loan Servicing LP, help qualified borrowers who are in trouble on their loans to avoid foreclosure. Goldman will also pay the state $10 million. Delinquent borrowers will be required to make a “reasonable monthly payment” while trying to sell or refinance their homes.

Corporate Compliance Fraud in Georgia, Florida and Massachusetts

Just like the Corporate Compliance Fraud in Ohio, Compliance Services is also targeting companies in Georgia, Florida and Massachusetts.

The Daily Citizen is reporting Georgia corporations warned about solicitations. The Georgia Secretary of State issued a warning:

“Several corporations registered with the Corporations Division of the Office of the Secretary of State received a letter from Georgia Corporate Compliance, a private company offering to complete corporation meeting minutes on behalf of registered corporations.”

The Attorney General of Florida also issued a warning:

Over the past several months, the Attorney General’s Office has received numerous complaints against several of these companies. Last week the Attorney General settled a lawsuit against one such company, Corporate Compliance Center, over allegations that the company misled Florida businesses relating to the sale of corporate minutes reports. Two other companies, Corporate Minutes Compliance Service and Corporate Minute Services, were prevented from operating in Florida when the Attorney General’s Office threatened litigation.

Bill Galvin, the Secretary of the Commonwealth of Massachusetts issued his warning:

Recently, an entity calling itself “Compliance Services” mailed solicitations entitled “Annual Minutes Requirement Statement Directors and Shareholders” to numerous Massachusetts corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, Massachusetts corporations are not required by law to file corporate minutes with the Secretary of State.

Thanks to Corporate Compliance Insights: Compliance Scam Alert in Georgia: Corporate Minutes Hoax Not Limited to Ohio.

Massachusetts Amends and Extends Its Data Privacy Law

According to this press release from the Massachusetts Office of Consumer Affairs and Business Regulation, they have once again extended the deadline for complying with the regulations. Now the regulations will take effect Jan. 1, 2010.

I have not had a chance to analyze the differences yet, but here are the amended regulations under 201 CMR 17.00 (.pdf).

Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00?

Compliance Week broadcast a webcast on the new Massachusetts data privacy regulations: Decoding the Science of Compliance — Are you Ready for 201 CMR 17.00? (and sponsored by Iron Mountain).

Garry Watzke, Esq., Senior Vice President Legal & Business Development at Iron Mountain, Inc. started with the basics which I have noted in several other places:

John Jamison, Vice President Consulting Services at Iron Mountain, Inc. moved on to implementation challenges. He points out that this is not a pure IT project. There is no single tool that provides coverage across the multiple platforms in most businesses. There is IT, but there is also a business-wide program that needs to be in place and maintained.

Garry points out that you need to maintain employee compliance and have a way to detect and prevent system failures.

The New Massachusetts Data Security Regulations

Goodwin Procter sponsored a webinar on the new Massachusetts data security rules.

Deb pointed out that you may now need to collect the state of residence of the client to figure out if they are in Massachusetts. That may have the perverse effect of collecting additional information about the person.

Deb points out that “financial account” is not well defined. She looks back to the statute and sees that it is focused on identity theft. If the “financial account” can lead to identity theft or the loss of money from that account then it would probably be a financial account.

In evaluating compliance you can include these factors:

  • size, scope and type of business,
  • entity’s resources,
  • amount of stored data, and
  • need for security and confidentiality of both consumer and employee information.

Deb points out that the Massachusetts regulators think the rules align with the federal data breach notification requirements. The regulators also think the rules are merely applying more detailed requirements to the broad principles under the federal rules.

The regulators are deferring to the Attorney General for enforcement. The new rules do not provide a private right of action.

The Written Information Security Program has four main groups.

Implementation

  • Identify all records used to store information. The rules do not require an inventory, but the regulators want you to know the answer. They suggest mapping the information flow to see where information is gathered, where it goes and where it gets stored.
  • Identify and assess risk.
  • Evaluate and improve safeguards. This includes the security system and compliance training.
  • Limit collection and use. Personal information should only be available to those who need it and then only the information they need. Don’t gather it if you do not need it and don’t keep it if you do not need it.

Administrative

  • designate a responsible employee
  • develop security policies
  • verify the capacity of service providers to protect personal information
  • The certification must specifically address the Massachusetts rules and must state that the signatory was authorized to sign it.

Technical and Physical

  • establish a security system
  • restrict physical access
  • prevent access by former employees
  • document responsive actions in event of data breach

Maintain and Monitor

  • post-incident review
  • disciplinary measures for violations
  • regular monitoring
  • annual review (if not more often)

Jacqueline Klosek focused on the computer system requirements. She put together specific requirements:

  • encryption – of stored information on portable devices and information in transit. Portable memory sticks are a big problem.
  • secure user authentication protocols
  • reasonable monitoring of systems
  • firewall
  • malware and virus protection
  • education and training

Agnes laid out 3 things to get done by May 1, 2009:

  • Implement internal policies and practices
  • encrypt company laptops
  • amend contracts with service providers to incorporate data security requirements

By January 1, 2010:

  • obtain written certifications from service providers
  • encrypt other portable devices (non-laptops)

Real Estate Development and Corruption

Wicked Local Newton is reporting that the Maynard, Massachusetts superintendent of public works was arrested for soliciting cash payments from a private developer in exchange for relaxing permitting and inspection requirements: Maynard public works chief, a Newton resident, charged with accepting bribes.

Paul Camilli, 38, of Newton, let an unnamed developer know that he would let the project move easier through the deadlines and technical demands in exchange for cash payments.

Six States Now Require Social Security Number Protection Policies

Miriam Wugmeister and Nathan D. Taylor of Morrison & Foerster wrote the December Privacy and Data Security Update: Six States Now Require Social Security Number Protection Policies.

  • Connecticut – Ct. H.B. 5658.
  • Massachusetts – 201 Mass. Code Regs. §§ 17.01 – 17.04.
  • Michigan – Mich. Comp. Laws § 445.84.
  • New Mexico – N.M. Stat. §§ 57-12B-2 – 57-12B-3.
  • New York – N.Y. Gen. Bus. Law § 399-dd(4).
  • Texas – Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 – 501.053 (effective April 1, 2009).

These state SSN protection policy requirements highlight the importance of maintaining up-to-date privacy policies that comply with the evolving requirements under applicable state laws. To get started, an organization should consider taking the following steps:

  • determine if you collect or maintain SSNs;
  • review your policies and procedures that are employee-facing to determine if you have sufficient policies to meet the obligations under the various state laws;
  • update your policies and procedures as needed;
  • train employees on the new policies and procedures; and
  • audit your employees to ensure that they are complying with your policies and procedures.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators view of the regulations. The regulators acknowledge that the regulations are burdensome. Tough!! they say. “Look at all of the data breaches!”

The regulations started with MGL c. 93H, which addresses data breaches, and Section 2(a) of MGL c. 93H, which provides for the promulgation of regulations. What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts people you can treat that differently than other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be lawsuits under these statutes. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach. The law creates the standard, so failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by the data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4% Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Policy required by the law. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, as well as those of other states, has a very short time frame for notification. Less than half the audience had a well defined plan or even a somewhat defined plan.

On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5% Not sure

The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge. 53% of the audience has not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile for each vendor. 59% of the audience had not identified vendors that handle personal data.

As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

Public Hearing on Massachusetts Data Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has published a Notice of Public Hearing on 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (.pdf).

The hearing is on Friday, January 16, 2009 at 2:00 pm in Room No. 5-6, Second Floor of the Transportation Building, 10 Park Plaza, Boston.