SEC Ratchets Up Privacy Enforcement Under Regulation S-P

Broker-dealer firms are well advised to review and update their privacy policies, in light of the Securities and Exchange Commission’s (“SEC”) recent enforcement and investigation activities arising from Regulation S-P.

According to trade press, the SEC recently informed one independent broker-dealer firm, Next Financial Group, Inc. of Houston, Texas, that it may file a “privacy” suit under Regulation S-P. The suit would be based on the practice, which Next maintains is common among independent broker-dealer firms, of requiring broker recruits from other firms to provide Next with customer information in anticipation of the move. According to the press, the SEC contends that before the brokers left their firms to join Next, they should have asked clients for their consent to use any information at the new firm. Alternatively, Next should have required brokers to provide this information only if the brokers’ prior firms had stated in their privacy policies that departing brokers may take certain customer information to competing firms (and the particular consumers had not opted out of this policy). The SEC is reportedly considering suing Next for violations of Regulation S-P, as well as for aiding and abetting the violations by the brokers it recruited.


Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 6803, and the current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.


Inspector General Eyes Slipups in FBI's Spying Programs

The Office of the Inspector General (“OIG”) recently issued a 199-page report detailing the FBI’s use, and abuse, of national security letters (“NSLs”) to obtain information in the name of national security. The report cites repeated failures by the FBI to follow even the abbreviated procedures available under the current NSL regime for seeking customer and consumer records from communications providers, financial institutions, and credit agencies. The report reveals that the FBI’s failure both to provide consistent guidance regarding NSLs and to adhere to internal oversight procedures has led to problems ranging from minor technical deficiencies in NSLs to the issuance of NSLs without proper authorization.

Welcome

Welcome to the Proskauer Privacy Law Blog. Proskauer’s Privacy and Data Security Practice Group is tremendously pleased to bring you what we hope will become a trusted source for summary and analysis of breaking legal developments in the evolving field of privacy and data security law. This blog is designed in part to complement our recent privacy treatise published by PLI entitled Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age.

Today we bring you posts regarding (1) the introduction of federal legislation that would give the Attorney General very broad authority to enact rules requiring Internet Service Providers to retain records so law enforcement can access customers’ online activities; (2) adoption by the EU Data Protection Working Party of a new model application form for Binding Corporate Rules; and (3) some of the many new proposed bills in the 110th Congress regarding data security breach notification that would preempt the more than 35 currently existing state laws.

In addition, you can find posts that I previously contributed to the California Privacy Law blog hosted by the Los Angeles County Bar Association.

Of course, we are interested in your feedback, and welcome your suggestions and comments. We look forward to hearing from you.

EU Working Party Adopts Model Application Form for Binding Corporate Rules

On January 10, 2007, the Article 29 Data Protection Working Party announced the adoption of a new Model Application for the submission of a company’s Binding Corporate Rules to any European Union Data Protection Authority (DPA). The EU’s approval of the Model Application is long-awaited and a welcome addition that should help make Binding Corporate Rules a truly viable alternative to the two other currently approved methods for international data transfers, Safe Harbor and model contractual clauses.


ISP Data Retention Legislation Introduced; ISPs and Privacy Advocates Fear Broad Mandates

Last month, a group of eight Republican lawmakers introduced H.R. 837, the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act of 2007. The bill would give the Attorney General very broad authority to enact rules requiring Internet Service Providers (“ISPs”) to retain records so law enforcement could access their customers’ online activities. The ostensible purpose of the bill is to give the Government greater tools to fight child pornography and terrorism. As introduced, however, there is no limitation on the scope of any Attorney General rules as long as they govern ISP record retention. The only substantive guidance the SAFETY Act provides is that the regulations must, “at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.” The Act would therefore result in rules requiring ISPs to retain, at the least, logs that associate specific users with specific Internet Protocol (“IP”) addresses.


110th Congress Proposes Sweeping Federal Data Security Legislation

Senators and Representatives from both sides of the aisle have introduced several new pieces of legislation proposing sweeping new frameworks for data privacy law:

S. 239 (“Notification of Risk to Personal Data Act”);
H.R. 958 (“Data Accountability and Trust Act”);
H.R. 836 (“Cyber-Security Enhancement and Consumer Data Protection Act of 2007”); and
S. 495 (“Personal Data Privacy and Security Act of 2007”).

S. 495 and H.R. 958 establish requirements for data security as well as breach notification standards; S. 239 is limited to breach notification requirements; and H.R. 836 criminalizes the concealment of data breaches, enhances penalties for identity theft, and requires the reporting of breaches to federal law enforcement agencies. Whatever the final text of the legislation, this Congress is likely to pass federal data security legislation; Congressional leaders have emphasized that data privacy and breach notification are top priorities.

Some believe federal legislation is necessary in order to standardize what currently is a patchwork of requirements among the 35 states with data security and breach notification laws.

Following are some of the more notable provisions of the proposed bills: