FBI Warns of Hidden Threats in Remote Hiring: Are North Korean Hackers Your Newest Employees?
The Federal Bureau of Investigation (FBI) recently warned employers of increasing security risks from North Korean workers infiltrating U.S. companies by obtaining remote jobs to steal proprietary information and extort money to fund activities of the North Korean government. Companies that rely on remote hires face a tricky balancing act between rigorous job applicant vetting procedures and ensuring that new processes are compliant with state and federal laws governing automated decisionmaking and background checks or consumer reports.
Quick Hits
The FBI issued guidance regarding the growing threat from North Korean IT workers infiltrating U.S. companies to steal sensitive data and extort money, urging employers to enhance their cybersecurity measures and monitoring practices.
The FBI advised U.S. companies to improve their remote hiring procedures by implementing stringent identity verification techniques and educating HR staff on the risks posed by potential malicious actors, including the use of AI to disguise identities.
Imagine discovering your company’s proprietary data posted publicly online, leaked not through a sophisticated hack but through a seemingly legitimate remote employee hired through routine practices. This scenario reflects real threats highlighted in a series of recent FBI alerts: North Korean operatives posing as remote employees at U.S. companies to steal confidential data and disrupt business operations.
On January 23, 2025, the FBI issued another alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.” The FBI said North Korean information technology (IT) workers have been “leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
Specifically, the FBI warned that “[a]fter being discovered on company networks, North Korean IT workers” have extorted companies, holding their stolen proprietary data and code for ransom and have, in some cases, released such information publicly. Some workers have opened user accounts on code repositories, representing what the FBI described as “a large-scale risk of theft of company code.” Additionally, the FBI warned such workers “could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”
The alert came the same day the U.S. Department of Justice (DOJ) announced indictments against two North Korean nationals and two U.S. nationals alleging they engaged in a “fraudulent scheme” to obtain remote work and generate revenue for the North Korean government, including to fund its weapons programs.
“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK regime and evade sanctions,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “The indictments … should highlight to all American companies the risk posed by the North Korean government.”
Data Monitoring
The FBI recommended that companies take steps to improve their data monitoring, including:
“Practice the Principle of Least Privilege” on company networks.
“Monitor and investigate unusual network traffic,” including remote connections and remote desktops.
“Monitor network logs and browser session activity to identify data exfiltration.”
“Monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.”
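As an added illustration of the monitoring items above (not code from the FBI alert or from any product), the script below runs over a few constructed session-log lines and flags a session token that appears from more than one device, or from a device outside the managed inventory, which is the pattern the alert describes for session cookies reused from non-company devices. The log format, field names and device inventory are assumptions for this example.

```python
"""Session-reuse detection over constructed log lines.

Added example, not from the FBI alert. Each line is assumed to carry:
    <timestamp> <user> <session_id> <device_id> <source_ip>
Two conditions are flagged per session:
  1. the same session token seen from more than one device id, and
  2. any device id that is not in the company's managed-device inventory.
"""
from collections import defaultdict

# Constructed sample log lines (assumed format; values are made up).
SAMPLE_LOGS = """\
2025-01-23T09:00:12Z jdoe sess-1a2b corp-lt-0042 10.20.1.15
2025-01-23T09:05:40Z jdoe sess-1a2b corp-lt-0042 10.20.1.15
2025-01-23T09:06:03Z jdoe sess-1a2b unknown-dev-77 198.51.100.8
2025-01-23T09:30:00Z asmith sess-9f8e corp-lt-0107 10.20.3.9
2025-01-23T10:02:11Z asmith sess-9f8e corp-lt-0107 10.20.3.9
2025-01-23T10:15:55Z mlee sess-c3d4 byod-guest-12 203.0.113.44
"""

# Assumed inventory of company-managed devices (constructed).
MANAGED_DEVICES = {"corp-lt-0042", "corp-lt-0107"}


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, sid, device, ip = line.split()
    return {"ts": ts, "user": user, "session": sid, "device": device, "ip": ip}


def find_session_anomalies(log_text, managed_devices):
    """Return a list of (session_id, user, reason, devices) findings.

    Findings are emitted in the order sessions first appear in the log, so the
    earliest suspicious session is listed first.
    """
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_session[rec["session"]].append(rec)

    findings = []
    for sid, recs in by_session.items():
        devices = sorted({r["device"] for r in recs})
        user = ", ".join(sorted({r["user"] for r in recs}))
        # Condition 1: one token, several devices (cookie/token replay).
        if len(devices) > 1:
            findings.append((sid, user, "session token used from multiple devices", devices))
        # Condition 2: any device outside the managed inventory.
        unmanaged = [d for d in devices if d not in managed_devices]
        if unmanaged:
            findings.append((sid, user, "session from non-company device", unmanaged))
    return findings


if __name__ == "__main__":
    for sid, user, reason, devices in find_session_anomalies(SAMPLE_LOGS, MANAGED_DEVICES):
        print(f"{sid} ({user}): {reason}: {', '.join(devices)}")
```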
Remote Hiring Processes
The FBI further recommended that employers strengthen their remote hiring processes to identify and screen potential bad actors. The recommendations come amid reports that North Korean IT workers have used strategies to defraud companies in hiring, including stealing the identities of U.S. individuals, hiring U.S. individuals to stand in for the North Korean IT workers, or using artificial intelligence (AI) or other technologies to disguise their identities. These techniques include “using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”
The FBI recommended employers:
implement processes to verify identities during interviews, onboarding, and subsequent employment of remote workers;
educate human resources (HR) staff and other hiring managers on the threats of North Korean IT workers;
review job applicants’ email accounts and phone numbers for duplicate contact information among different applicants;
verify third-party staffing firms and those firms’ hiring practices;
ask “soft” interview questions about specific details of applicants’ locations and backgrounds;
watch for typos and unusual nomenclature in resumes; and
complete the hiring and onboarding process in person as much as possible.
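An added example of the duplicate-contact check in the list above, written for this page rather than taken from the FBI guidance: it normalises applicant e-mail addresses and phone numbers before comparing them, so that formatting differences (plus-tags, dots, spacing, country prefixes) do not hide a shared contact across otherwise different applications. The applicant records are constructed, and the plus-tag and dot handling are assumptions about how mail providers treat aliases.

```python
"""Duplicate applicant contact detection (added example; constructed data).

Contacts are normalised before grouping so that trivially different spellings
of the same address or number collide on one key.
"""
import re
from collections import defaultdict

# Constructed applicant records (assumed field names).
APPLICANTS = [
    {"id": "A-001", "name": "Jane Roe",   "email": "jane.roe@example.com",     "phone": "(415) 555-0100"},
    {"id": "A-002", "name": "John Quill", "email": "janeroe@example.com",      "phone": "415-555-0100"},
    {"id": "A-003", "name": "Ann Lee",    "email": "Ann.Lee+jobs@example.org", "phone": "+1 212 555 0199"},
    {"id": "A-004", "name": "Ann Lee",    "email": "ann.lee@example.org",      "phone": "+12125550199"},
    {"id": "A-005", "name": "Bob Kim",    "email": "bob.kim@example.net",      "phone": "+44 20 7946 0000"},
]


def normalize_email(email):
    """Lower-case, drop a '+tag' suffix and dots in the local part.

    Assumption: the provider treats dots and plus-tags as aliases of one
    mailbox (true for some large providers, not all); adjust per domain.
    """
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(phone, default_country="1"):
    """Keep digits only and prefix a default country code to 10-digit numbers.

    Assumption: a bare 10-digit number is a national number for the default
    country; anything longer is taken as already carrying its country code.
    """
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_country + digits
    return "+" + digits


def find_duplicate_contacts(applicants):
    """Return {(kind, normalised_value): [applicant ids]} for every contact
    value shared by two or more applicants."""
    index = defaultdict(list)
    for a in applicants:
        index[("email", normalize_email(a["email"]))].append(a["id"])
        index[("phone", normalize_phone(a["phone"]))].append(a["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    for (kind, value), ids in find_duplicate_contacts(APPLICANTS).items():
        print(f"{kind} {value} shared by {', '.join(ids)}")
```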
Legal Considerations
New vendors have entered the marketplace offering tools purportedly seeking to solve such remote hiring problems; however, companies may want to consider the legal pitfalls—and associated liability—that these processes may entail. These considerations include, but are not limited to:
Fair Credit Reporting Act (FCRA) Implications: If a third-party vendor evaluates candidates based on personal data (e.g., scraping public records or credit history), it may be considered a “consumer report.” The Consumer Financial Protection Bureau (CFPB) issued guidance in September 2024 taking that position as well, and to date, that guidance does not appear to have been rolled back.
Antidiscrimination Laws: These processes, especially as they might pertain to increased scrutiny or outright exclusion of specific demographics or countries, could disproportionately screen out protected groups in violation of Title VII of the Civil Rights Act of 1964 (e.g., causing disparate impact based on race, sex, etc.), even if unintentional. This risk exists regardless of whether the processes involve automated or manual decisionmaking; employers may be held liable for biased outcomes from AI just as if human decisions caused them—using a third-party vendor’s tool is not a defense.
Privacy Laws: Depending on the jurisdiction, companies’ vetting processes may implicate transparency requirements under data privacy laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Economic Area (EEA), when using third-party sources for candidate screening. Both laws require clear disclosure to applicants about the types of personal information collected, including information obtained from external background check providers, and how this information will be used and shared.
Automated Decisionmaking Laws: In the absence of overarching U.S. federal legislation, states are increasingly filling in the gap with laws regarding automated decisionmaking tools, covering everything from bias audits to notice, opt-out rights, and appeal rights. If a candidate is located in a foreign jurisdiction, such as in the EEA, the use of automated decisionmaking tools could trigger requirements under both the GDPR and the recently enacted EU Artificial Intelligence Act.
It is becoming increasingly clear that multinational employers cannot adopt a one-size-fits-all vetting algorithm. Instead, companies may need to calibrate their hiring tools to comply with the strictest applicable laws or implement region-specific processes. For instance, if a candidate is in the EEA, GDPR and EU AI Act requirements (among others) apply to the candidate’s data even if the company is U.S.-based, which may necessitate, at a minimum, turning off purely automated rejection features for EU applicants and maintaining separate workflows and/or consent forms depending on the candidate’s jurisdiction.
Next Steps
The FBI’s warning about North Korean IT workers infiltrating U.S. companies is the latest involving security risks from foreign governments and foreign actors to companies’ confidential data and proprietary information. Earlier this year, the U.S. Department of Homeland Security published new security requirements restricting access to certain transactions by individuals or entities operating in six “countries of concern,” including North Korea.
Employers, particularly those hiring remote IT workers, may want to review their hiring practices, identity-verification processes, and data monitoring, considering the FBI’s warnings and recommendations. Understanding and addressing these risks is increasingly vital, especially as remote hiring continues to expand across industries.
California AG Announces New CCPA Enforcement Sweep Targeting Location Data Industry
California Attorney General Rob Bonta recently announced a new enforcement sweep targeting the location data industry’s compliance with the CCPA. Specifically, the California AG sent letters to (1) mobile app providers that collect precise geolocation data about California consumers and (2) data brokers and advertising networks with whom such data is shared. The focus of the sweep is to investigate how businesses comply with the CCPA’s requirements to offer consumers the right to opt out of the sale and sharing of their personal information and to limit the use of their sensitive personal information, including geolocation data. The announcement also provides guidance to consumers on how to limit mobile device tracking features for Apple and Android users.
Full-Court Coverage for Risks Associated With Major Sporting Events
NCAA March Madness tournaments are among the most anticipated and exciting events in American sports, drawing millions of viewers and generating significant economic activity. But the massive popularity of the tournaments comes with risks that can affect participants, venues, sponsors, and fans. From injuries to property damage and event-related cancellations, this post explores the potential risks and the insurance products available to mitigate the risks associated with major sporting events, concerts, or festivals.
Common Risks
Injury Risks: March Madness, as a high-stakes basketball tournament, inherently involves physical risks for players. Injuries to athletes, whether from collisions, falls, or overexertion, can have serious consequences for the individuals involved and the tournament’s operations.
Liability Claims: Like the athletes, fans and spectators attending the tournament may also face accidents or injuries while at the venue. Additionally, third-party vendors providing services or merchandise at the event could face liability claims if their products or services result in harm.
Event Cancellations or Delays: Unexpected events, such as natural disasters, power outages, or public health emergencies, can cause cancellations or delays in the tournament. These disruptions may lead to financial losses for event organizers, sponsors, and other stakeholders.
Property Damage: The venues hosting the tournament, including arenas and surrounding areas, face potential risks of property damage above and beyond those experienced in their normal operations. Whether from crowd surges, accidents, or other unforeseen incidents, the costs of repairs or compensation can be significant.
Insurance Coverage Options
Several insurance products can manage the risks associated with March Madness and similar events.
Sports Accident Insurance: Under NCAA rules, athletes must have a basic health and accident plan. Coverage can be provided through the school, a parent or guardian’s policy, or the student-athletes’ own policy. The NCAA also provides an insurance program that covers student-athletes who are catastrophically injured while participating in a covered intercollegiate athletic activity. Schools or athletes can purchase more comprehensive programs designed specifically for athletes that also cover potential loss of income if the athlete is unable to play. Sports accident coverage is essential for protecting players during high-risk events, such as NCAA basketball tournaments, and protecting current and future earnings.
General Liability Insurance: General liability insurance covers claims related to injuries or accidents occurring on the premises. For example, general liability insurance may cover injuries to spectators caused by falling objects or slip and falls. Event organizers, sponsors, and venue owners rely on this coverage to protect against legal and medical costs.
Event Cancellation Insurance: Event cancellation insurance helps cover financial losses resulting from event cancellations or delays due to unforeseen circumstances, such as natural disasters or other emergencies. This coverage is particularly important for organizers and sponsors, as it protects their investment against the risk of event cancellation due to circumstances beyond their control. Depending on the specific policy, event cancellation insurance may also cover enforced reduced attendance at the insured event, which covers loss the insured incurs due to unforeseeable circumstances that result in attendance falling below budgeted expectations. For example, if a severe weather event forces a game relocation or results in a reduced crowd due to travel restrictions, event cancellation insurance may compensate organizers for lost revenue.
Property Insurance: Property insurance covers any damage that occurs to the event venue or other associated facilities. It can cover physical damage to the building, as well as the equipment, signage, and other property used during the event. For example, property insurance may cover damage to signs, light poles, or windows caused by students celebrating a tournament win.
Conclusion
While March Madness is thrilling, the risks associated with the tournament are significant, requiring careful planning and protection. Insurance coverage tailored to the unique needs of a major sporting or music event can help mitigate these risks, ensuring that participants, organizers, and fans are protected. By understanding and securing appropriate insurance products, all those involved in the tournament can focus on what really matters—celebrating the excitement of the game.
Maine Considers Bill to Establish Maximum Levels of PFAS in Farm Products
If passed, Maine’s SB130, titled An Act to Establish the PFAS Response Program and to Modify the Fund To Address PFAS Contamination, would be the first state law to establish PFAS limits in food (PFAS limits have been established for other categories of goods).
The bill would formally establish a PFAS response program to “respond to and address PFAS contamination affecting agricultural producers in the State, to assist commercial farms affected by PFAS contamination and to safeguard public health.” We note that the bill would in part codify existing portions of Maine’s PFAS response program, which has already set an action level for PFOS (a type of PFAS) in milk of 210 ppt.
Specifically, under the proposed bill, the PFAS response program would, among other things:
Establish maximum levels for PFAS in farm products (defined as “plants and animals useful to humans” and includes, by way of example, products ranging from grains and food crops to Christmas trees).
Provide PFAS testing support to help agricultural producers understand the extent of PFAS contamination and provide technical support to assist in mitigation efforts.
Provide financial assistance to PFAS-impacted agricultural producers.
Establish baseline criteria that agricultural producers would have to adhere to in order to receive technical and financial assistance, including granting property access to conduct PFAS investigations and providing relevant information to program staff.
We will continue to monitor and report on PFAS regulation.
Kentucky Amends Consumer Privacy Law to Exempt Certain HIPAA-Covered Data
On March 15, 2025, Kentucky Governor Andy Beshear signed into law HB 473. The bill amends the Kentucky Consumer Data Protection Act (“KCDPA”) to exempt from the law’s application (1) information collected by health care providers acting as covered entities under HIPAA that maintain protected health information in accordance with HIPAA; and (2) information maintained in limited data sets by HIPAA covered entities in accordance with HIPAA’s relevant requirements. The KCDPA as amended will go into effect on January 1, 2026.
European Commission Proposes to Extend UK Adequacy Decisions
On March 18, 2025, the European Commission proposed to adopt an extension of the two adequacy decisions with the UK for a period of six months. The adequacy decisions permit the transfer of data subject to the EU General Data Protection Regulation and to the EU Law Enforcement Directive to the UK without restriction. The adequacy decisions were each granted for a period of four years, expiring on June 27, 2025, unless extended. The extensions have been proposed to allow the UK time to finalize the legislative process regarding the draft Data (Use and Access) Bill. Once finalized, the European Commission will assess whether the UK continues to provide an adequate level of protection for personal data under the new regime. If that assessment is positive, the European Commission will propose to renew the UK adequacy decisions.
The draft extension decisions will now be transmitted to the European Data Protection Board for its opinion, as part of the adoption procedure. Once approved, the extension will be valid until December 27, 2025.
California Workplace Safety Update: OSHAB Holds Employer Can Impliedly Consent to Inspection
In a significant decision regarding workplace inspections, the California Occupational Safety and Health Appeals Board (OSHAB) upheld citations against a California employer after finding the employer had consented to an inspection when a third-party individual who was not an employee and did not have actual authority to consent cooperated with an inspector.
Quick Hits
The California OSHAB ruled that an employer can imply consent to a Cal/OSHA inspection through the actions of a third party, even if that individual lacks actual authority to grant such consent.
The board held that Cal/OSHA may establish a prima facie case that an employer did not maintain required records by showing that the employer failed to comply with requests for such records, which shifts the burden of proof to an employer to show that the records do exist.
The board clarified that a single violation of an IIPP can be the basis for a “serious” violation of employers’ duty to identify and correct workplace hazards.
The board further clarified that a first aid-trained individual need not be physically present at the jobsite but must be available to respond to an incident within minutes.
OSHAB, in Arana Residential and Commercial Painting, Inc., found that the employer, a painting service company, had impliedly consented to a California Division of Occupational Safety and Health (Cal/OSHA) inspection following a workplace safety incident when an individual who presented herself as acting on behalf of the company agreed to produce requested documents and scheduled witness interviews.
OSHAB then upheld two citations. The citations alleged (1) the employer failed to “keep required records of scheduled and periodic safety inspections and employee safety training” and (2) a serious violation of the Injury and Illness Prevention Program (IIPP) regulations for failing “to identify, evaluate, and correct unsafe work practices.”
However, the board vacated another allegation that the “[e]mployer failed to ensure the availability of a suitable number of persons trained in first aid at the job site,” finding that Cal/OSHA had not met its burden of proof.
Background
The case involved a workplace safety incident in which an employee slipped and fell while climbing scaffolding, resulting in an injury. The fire department that responded to the incident and the employer reported the incident to Cal/OSHA, though reporting was not technically required because it did not result in a “serious injury.”
An inspector with Cal/OSHA later contacted the employer, Arana, and reached an individual who identified herself as the employer’s workers’ compensation insurance broker and safety consultant. This person was not an employee of Arana, and, at times, told the inspector that an investigation was unnecessary since the injury to the worker was not “serious” or “reportable,” but agreed to produce documents.
However, according to the decision, the inspector was never told that the broker / consultant lacked the authority to consent to the inspection. Further, in the back-and-forth communication, the broker / consultant had sent the inspector several emails indicating the “[e]mployer’s intention of submitting requested documents and scheduling employee interviews.” Arana’s owner was copied on those emails. Still, the employer did not submit the requested documents, though it later produced some at a hearing.
Consent to an Inspection
The California Occupational Safety and Health (Cal/OSH) Act gives the Cal/OSHA broad authority to inspect places of employment to protect workplace safety and health. If an employer refuses to consent to an inspection, Cal/OSHA may seek an investigative subpoena or a warrant under the Cal/OSH Act. According to the decision, whether consent was given is a fact-specific inquiry.
Arana argued that the third-party broker / consultant did not have the authority to consent to the inspection and never fully consented to the inspection. However, OSHAB found that the third party’s communications and the employer’s actions indicated consent to the inspection. Specifically, OSHAB said the third party’s statements and conduct supported a finding that the broker / consultant did have authority to consent, and even assuming the third party did not, the inspector’s “belief” that the person had the authority “was reasonable and based upon good faith.”
OSHAB also rejected Arana’s arguments that consent had been withdrawn based on objections to the validity of the inspection, in particular assertions that the injury that led to the inspection was “not reportable” and, therefore, Cal/OSHA had no jurisdiction. Arana also argued that demands the inspection be closed with a finding of no citations and its failure to produce documents should have been interpreted as a refusal of consent.
However, OSHAB stated that “[a] workplace injury or accident need not be ‘reportable’ under [Cal/OSH] for the Division to exercise its jurisdiction in investigating the injury or accident.” Nonetheless, OSHAB found that the record did not indicate that Arana had consistently refused consent and had instead indicated that documents might be forthcoming.
“Employer’s disagreement over whether any violation existed, and its desire for the inspection to be closed, are not tantamount to refusing consent, particularly in light of Employer’s statements and conduct indicating its intention to cooperate with the investigation,” OSHAB stated in the decision.
Failure to Maintain Required Records
Additionally, Arana had argued that the citation for failure to maintain records was an improper penalty for failing to respond to the inspector’s document requests. OSHAB ruled that when an employer fails to provide requested records, “it is both reasonable and within” Cal/OSHA’s authority to “conclude that the records do not exist and issue a citation.”
OSHAB further rejected Arana’s argument that such a decision improperly shifts the burden of proof to the employer. The board held that Cal/OSHA may establish a prima facie case by showing that it requested legally required documents but did not receive them. After such a showing, the burden does shift to an employer. In this case, OSHAB said Arana had “failed to present any evidence to challenge” that the records do not exist.
Availability of First Aid–Trained Individual
However, OSHAB sided with Arana, finding Cal/OSHA had failed to meet its burden to prove that a suitable number of employees trained in first aid were not “available” to respond to the workplace safety incident. Even though a person with proper training was not physically present at the jobsite when the incident occurred, the employer had argued that a properly trained person was available to respond and, in fact, did return to the site within minutes of the incident. The Board said its prior precedents indicate that a trained person need not be physically present at all times but available within minutes.
Failure to Correct Workplace Hazards
According to the decision, the employer submitted a video re-enactment of the incident to Cal/OSHA as evidence. In the video, a supervisor and another employee recreated the circumstances leading up to the falling incident, in which the employee climbed up scaffolding instead of using a ladder. Based on that video, Cal/OSHA issued the citation for failure to correct hazards.
OSHAB corrected prior Decisions After Reconsideration, which have been cited as holding that a single IIPP violation cannot be the basis for a citation. OSHAB said this is incorrect, and to the contrary, the board “has held that a single deficiency regarding an essential element of an IIPP or its implementation may support a violation.”
The board then asserted that the video, in which a supervisor “direct[ed] an employee to engage in an activity that had already caused an accident” was sufficient for Cal/OSHA to conclude that there was a “deficiency regarding an essential element” of the employer’s IIPP and thus a violation.
“In addition, the videotape is proof the violation occured [sic], regardless of why it was made,” OSHAB said. “An employer’s desire for evidence in response to a safety inspection does not entitle an employer to generate that evidence by exposing an employee to a safety hazard.”
Next Steps
The Arana decision underscores the importance of clearly and consistently communicating consent or a refusal of consent to a Cal/OSHA inspection. The board interpreted mere statements to a Cal/OSHA inspector that requested documents would be provided as sufficient to show the employer had consented to the investigation, and thereby gave Cal/OSHA jurisdiction to issue citations for any alleged violations discovered. The use of the third-party broker / safety consultant was fraught with miscommunications and a lack of understanding of the consent to the inspection.
The Arana decision further serves as a crucial reminder for employers about California’s requirements to maintain proper safety documentation, ensure the availability of trained first aid personnel, and promptly address unsafe work practices. Employers may want to consider proactive steps to review their safety programs, ensure all records are current and accessible, and train their staff on proper safety protocols.
RFK Jr. Pushes to Ban Synthetic Dyes in Food
On March 10, 2025, the Secretary of the Department of Health and Human Services (HHS), Robert F. Kennedy Jr., met with executives at major companies across the food and beverage industry, including PepsiCo, General Mills, and others. He informed industry leaders that eliminating artificial dyes will be a top priority for HHS. Kennedy also expressed his desire to collaborate with industry but made it clear that he intends to act unless the industry proactively offers solutions.
The movement to ban synthetic dyes has recently gained momentum, with California and FDA banning FD&C Red No. 3, as we previously blogged, as well as several states moving to ban foods that contain artificial dyes from school lunches.
The public discussion regarding food colors has grossly misstated differences in the regulation of synthetic dyes in food, with critiques often pointing to the EU or Canadian markets as examples of regions that are more restrictive with food color regulation.
However, there are currently 15 synthetic dyes approved in the European Union, 10 in Canada, and only 9 approved in the U.S.
Additionally, all food colors used in the U.S. must be the subject of a Color Additive Petition submitted to FDA.
While the EU and Canada have premarket requirements for many food colors, naturally derived concentrates and extracts in many cases are exempt from mandatory pre-market review in Canada.
In the EU, ingredients that are derived from edible sources and are used because of their coloring properties are defined as “coloring foods,” which are not subject to a European Food Safety Authority (EFSA) evaluation prior to use and are not assigned an E number.
Keller and Heckman will continue to monitor the development of the new administration’s policy priorities and actions related to synthetic dyes and other food additives.
Trump and Musk Team Up to Destroy the CFPB: A Blow to Consumer Protection!
In a shocking move that could leave millions of American consumers vulnerable, President Donald Trump and his controversial ally Elon Musk are plotting the total destruction of the Consumer Financial Protection Bureau (CFPB) — the only federal agency standing between you […]
Litigation Risk for Mortgage Lenders with a Less Active CFPB
With the recent developments at the Consumer Financial Protection Bureau (CFPB), many mortgage lenders have been left wondering about the extent to which the CFPB will enforce federal laws governing the mortgage lending industry. Many industry participants expect a significant reduction in CFPB enforcement activity for the foreseeable future. While the states could ramp up their enforcement efforts to account for a less active CFPB, mortgage lenders should also recognize that borrowers – and by extension the plaintiffs’ bar – could step into any gap left by the CFPB and exercise their private rights of action under various federal and state laws governing mortgage lending.
While the torts adage of “anyone can sue anyone over anything” still rings true, we have identified several prominent mortgage lending laws below that provide borrowers a private right of action and pose litigation risk for mortgage lenders. Mortgage lenders should continue to ensure compliance with these laws for both short-term and long-term mitigation of potential liability. Failure to mitigate these risks today could lead to deficiencies in compliance that are compounded across multiple loans over time and create greater lender exposure to potential borrower litigation.
Federal Law Private Rights of Action
Truth in Lending Act (TILA)
TILA imposes various requirements on mortgage lenders, including disclosure-related requirements for both open-end and closed-end loans. Under 15 U.S.C.A. § 1640(a), a borrower is provided a private right of action for a creditor’s violation of TILA that generally must be brought within one year of the violation. A creditor is liable for actual damages sustained as a result of its TILA violation, attorneys’ fees, and statutory damages depending on the circumstances of the transaction, such as damages between $400 and $4,000 for closed-end mortgage transactions. Some jurisdictions allow for the application of vicarious liability on creditors for the acts of their servicers under TILA (see, e.g., Montano v. Wells Fargo Bank N.A., 2012 WL 5233653 (S.D. Fla. Oct. 23, 2012)). TILA also provides for borrower class actions and limits a lender’s liability in those cases to the lesser of $1 million or 1% of the lender’s net worth.
Home Ownership and Equity Protection Act (HOEPA)
HOEPA governs abusive lending practices related to high-cost mortgages. Although HOEPA is technically part of TILA, federal law imposes additional lender liability for HOEPA violations. In addition to the lender liability for TILA outlined above, a lender that violates HOEPA is required to refund all finance charges and fees that were assessed in connection with the particular loan pursuant to 15 U.S.C.A. § 1640(a)(4). Moreover, violating HOEPA’s disclosure requirements (creditors must “clearly and conspicuously disclose” the borrower’s rights of rescission) may trigger an extended right of rescission, which expires three years after the date of consummation of the transaction or upon the sale of the property, whichever occurs first (15 U.S.C. § 1635(f)).
HOEPA is also important to consider as industry changes related to interest rates may impact the prevalence of loans that fall under HOEPA. For some mortgage lenders, this new interest rate environment may lead to the lender making an increased number of high-cost mortgage loans.
Homeowners Protection Act (HPA) – PMI Cancellation Act
While seen more prominently in the servicing context, HPA outlines requirements regarding borrower-paid private mortgage insurance (PMI). More importantly in the originations context, HPA requires that the lender provide certain disclosures to borrowers at consummation regarding their rights to cancel PMI and the procedures for doing so (12 U.S.C. § 4903(a), (b)). HPA creates a private right of action for violations, and the borrower may recover actual and statutory damages, attorneys’ fees, and costs (in class actions, defendants are liable for costs and attorneys’ fees) (12 U.S.C. § 4907(a)). The borrower must bring an HPA claim within two years of the discovery of the violation.
Equal Credit Opportunity Act (ECOA)
ECOA creates various requirements for lenders related to the extension of credit, including obligations in evaluating a borrower’s credit application and an obligation to provide specific borrower notifications. Under 15 U.S.C.A. § 1691e, a lender is liable for any actual damages, attorneys’ fees, or punitive damages resulting from a violation of ECOA. The punitive damages are capped at $10,000 for an individual borrower, or in the case of class action, punitive damages are capped at the lesser of $500,000 or 1% of the lender’s net worth. Pursuant to 12 CFR § 1002.16(b)(1), a borrower’s claim for an ECOA violation must be brought within five years of the violation or within one year of an administrative enforcement action that is brought within five years of the violation.
Real Estate Settlement Procedures Act (RESPA)
Pursuant to 12 U.S.C. § 2607(d), RESPA provides a private right of action and treble damages for a number of violations, including Section 8 prohibitions on kickbacks and unearned fees. Similarly, borrowers may bring a private action under 12 U.S.C. § 2614 for violations of RESPA Section 9’s prohibition on requiring the use of a particular title insurance provider. Such claims must be brought within one year of the alleged violation. Moreover, 12 U.S.C. § 2605(f) establishes a private right of action for borrowers where the lender fails to provide a notice disclosing whether the loan may be assigned, sold, or transferred. Costs, attorneys’ fees, actual damages, and statutory damages are all recoverable (the latter when a pattern or practice of noncompliance is established). Claims under this provision must be brought within three years.
State Law Private Rights of Action
While federal law tends to be at the forefront for most mortgage lenders, all states also have laws that can impact mortgage lenders, including laws that provide borrowers a private right of action against lenders. And at times, these state laws can present an easier route for borrower recovery compared to federal law. For example, federal law prohibits unfair, deceptive, or abusive acts or practices (UDAAP) in the mortgage lending context. This prohibition is indeterminate to the point that it could be applied in a wide variety of factual scenarios. Many states have a comparable prohibition, although the state version of UDAAP typically only prohibits unfair or deceptive acts or practices (UDAP). And while there is some variation in whether state UDAP laws apply to mortgage lenders, almost all state UDAP laws provide borrowers, individually or as a class, a private right of action, unlike the federal UDAAP law.
Many states also regulate a lender’s ability to make high-cost mortgage loans. As indicated above, there are various legal requirements, such as conducting an ability-to-repay analysis, that a mortgage lender must typically satisfy before or in connection with making a high-cost mortgage loan. Many states provide borrowers a private right of action for a lender’s violation of these laws, which can result in anything from lenders refunding excess interest to lenders having to pay actual and statutory damages.
The federal and state laws discussed above are only a portion of the laws governing mortgage lending that grant borrowers a private right of action. Mortgage lenders should keep this in mind even if the CFPB takes a backseat in enforcement, because at the end of the day, those laws are still valid and enforceable in a court of law.
California AG Again Enjoined from Implementing California Age Appropriate Design Code Act
On March 13, 2025, the U.S. District Court for the Northern District of California granted a second motion for preliminary injunction in favor of the technology trade group NetChoice. The injunction once again enjoins the California Attorney General from enforcing the California Age Appropriate Design Code Act (the “AADC” or “Code”), which was originally intended to take effect on July 1, 2024. The District Court determined that NetChoice is likely to succeed on claims raised in its amended complaint that the AADC is facially invalid under the First Amendment guarantee of free speech. As a result, the California AG is immediately enjoined from enforcing the Code during the pendency of the litigation.
The claims of free speech infringement stem primarily from the Code’s requirement that covered businesses perform a data protection impact assessment (“DPIA”) to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product, or feature, and provide the DPIA to the California Attorney General upon written request. NetChoice asserts that on this basis the Code violates the expressive rights of NetChoice and its members and is void for vagueness under the First Amendment.
An injunction previously granted by the District Court in respect of the Act’s 2023 implementation was partially upheld by a Ninth Circuit panel in August of 2024, with respect to the DPIA requirement and provisions of the Code not grammatically severable from the DPIA requirement, including notice and cure provisions with respect to non-compliance. The Ninth Circuit vacated the rest of the district court’s first ruling and remanded the case to assess other provisions of the Code in more detail and consider whether the law’s unconstitutional provisions are severable from the remainder of the law.
The District Court determined that the AADC is not sufficiently narrowly tailored (under the strict scrutiny standard) to achieve its interest in protecting children online. Because NetChoice has a colorable First Amendment claim, the court found that it would suffer irreparable harm if the Code were to take effect. The District Court also found that the enjoined DPIA provisions are not volitionally severable from the remainder of the AADC, though they are functionally severable.
The District Court determined, on the other hand, that NetChoice had not shown that it is likely to succeed on certain other claims, such as that the AADC was pre-empted by the federal Communications Decency Act or by the Children’s Online Privacy Protection Act.
CIPL Submits Response to India’s Draft Digital Personal Data Protection Rules
Earlier this month, the Centre for Information Policy Leadership at Hunton submitted a response (the “Response”) to India’s Ministry of Electronics and Information Technology (“MeitY”) regarding the Draft Digital Personal Data Protection Rules 2025 (the “Draft Rules”), which were published on January 3, 2025. The Draft Rules provide greater detail on a number of statutory provisions of India’s Digital Personal Data Protection Act 2023 (the “Act”).
As detailed further in the Response, it is CIPL’s view that given the complexities involved for certain operational and technical requirements of the Draft Rules, MeitY should consider a staggered or phased implementation period, particularly with respect to Rule 10 (which addresses verifiable consent) and Rule 13 (which addresses consent managers).
CIPL included the following comments in its Response, among others:
Rule 3 (notice): the notice requirements as drafted could be interpreted as requiring unwieldy and long notices that do not benefit the relevant individuals.
Rule 4 (consent managers): the rule fails to address the interoperability of platforms maintained by different consent managers and to what extent such platforms must be interoperable with systems used by data fiduciaries.
Rule 6 (security): the rule should be amended to provide organizations with a degree of flexibility to employ context-specific security safeguards, as opposed to setting a “minimum” requirement.
Rule 7 (incident notification): the rule should require notification of a personal data breach only where the breach is material, i.e., where it is likely to result in significant harm to individuals.
Rule 8 (retention and deletion): the rule should adopt accountability-based safeguards for data fiduciaries, such as risk assessments and privacy enhancing measures, to determine appropriate retention and deletion practices based on context.
Rule 10 (verifiable consent): the rule requires further clarification on key terms, such as “identity” and “age,” and whether data fiduciaries may meet their compliance obligations based on self-declarations and supporting documents provided by individuals claiming guardianship.
Rule 11 (children’s data exemptions): exemptions for processing children’s data should be broadened to include the personalization of services that do not otherwise have detrimental effects on children.
Rule 12 (significant data fiduciary): MeitY should provide guidance establishing a clear threshold for an entity’s designation as a “Significant Data Fiduciary,” and modify the rule to either delete the reference to algorithmic software, or limit its coverage to address situations that pose significant risk.
Rule 14 (international transfers): the rule should be amended to explicitly recognize lawful data transfer mechanisms that align with global standards—such as standard data protection clauses, binding corporate rules, certification mechanisms, or binding schemes such as Global Cross Border Privacy Rules—thereby ensuring that personal data remains protected while enabling India to remain an active participant in the global digital economy.