Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion). However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

What elementary school did you go to?

I don’t know, but I could probably find out.

There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice.  Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be used in the future to authenticate users when they have forgotten their passwords.  The problem is twofold:

(1) The answers to many of these questions can often be guessed, or simply looked up, by an unauthorized individual, who can then use them to gain access to the account.

(2) In many cases, the authorized user forgets the answer to the question when it is needed later to access the account.

A recent study conducted by researchers at Microsoft and Carnegie Mellon University (“It’s no secret: Measuring the security and reliability of authentication via ‘secret’ questions”) found that 17% of users’ security answers were guessed correctly by mere acquaintances, and 20% of the study participants forgot their answers within six months.
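The twofold problem above can be put in measurable terms. The block below is an added example, not code from this post or from the study it cites. It scores a constructed set of stored answers to the elementary-school question against a constructed, popularity-ranked attacker guess list and reports the fraction of accounts an attacker unlocks within k guesses, which is how the guessability of "secret" questions is measured. It also shows how normalizing answers at enrollment and at reset time avoids rejecting legitimate users whose answer drifts in formatting ("Lincoln Elementary" vs. "lincoln elementary school"), while doing nothing for answers that are genuinely forgotten. Every school name, stored answer and guess is made up for the illustration.

```python
"""Guessability and recall of a "secret" security question.

Added illustration; not code from the post or the cited study. All data is
constructed: a toy population of stored answers to "What elementary school did
you go to?" and an attacker's guess list ranked by how common each school name
is assumed to be.
"""
import re
import unicodedata

# Words that carry no identifying information and are dropped before comparing
# answers, so formatting drift by the legitimate user is not treated as a wrong
# answer (this list is an assumption for the toy question).
FILLER = {"elementary", "elem", "school", "the"}


def normalize(answer: str) -> str:
    """Canonical form of an answer: accent-stripped, lower-case, no punctuation,
    filler words removed, whitespace collapsed."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(w for w in text.split() if w not in FILLER)


# Constructed: what 20 users typed at enrollment.
POPULATION = [
    "Lincoln Elementary", "lincoln elementary school", "Washington Elementary",
    "Jefferson Elementary", "St. Mary's", "Lincoln", "Roosevelt Elementary",
    "Washington", "Oak Grove", "Maple Street School", "Jefferson", "Pine Hill",
    "Franklin Elementary", "Sunnyside", "St. Mary's School", "Hillcrest",
    "Lincoln Elem.", "Riverside", "Washington Elem", "Greenwood",
]

# Constructed: an acquaintance's or public-records-based guess list, most
# common school name first.
GUESSES = [
    "Lincoln Elementary", "Washington Elementary", "Jefferson Elementary",
    "Roosevelt Elementary", "Franklin Elementary", "St. Mary's School",
]


def success_within(k: int, population=POPULATION, guesses=GUESSES) -> float:
    """Fraction of accounts whose stored answer matches one of the first k
    guesses. An online attacker limited to k attempts per account gets exactly
    this share of accounts; an unlimited one gets success_within(len(guesses))."""
    guess_set = {normalize(g) for g in guesses[:k]}
    hits = sum(normalize(a) in guess_set for a in population)
    return hits / len(population)


def recall_match(stored: str, later: str) -> tuple:
    """Would the legitimate user's later answer be accepted?
    Returns (exact_match, normalized_match)."""
    return stored == later, normalize(stored) == normalize(later)


if __name__ == "__main__":
    for k in (1, 3, 6):
        print(f"accounts unlocked within {k} guess(es): {success_within(k):.0%}")
    print("formatting drift, exact vs normalized:",
          recall_match("Lincoln Elementary", "lincoln elementary school"))
```

With the constructed data, one guess already opens a fifth of the accounts and three guesses almost half, which is the point the study makes with real acquaintances: the answer space of such questions is small and skewed, so per-account attempt limits barely help. Normalization only closes the gap for users who remember the answer but type it differently; the 20% who have forgotten it are not recoverable by any matching rule.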


Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here.  The title of the article says it all:  "Don't Delay Because of Red Flags Rule Delay."

Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers. 

The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most retailers have been caught off guard by this interpretation, since they are not accustomed to being considered “creditors.” Fortunately for them, in the nick of time for the May 1st compliance deadline, the FTC extended the deadline to August 1, 2009, giving retailers time to put their policies in place in a thoughtful and reasoned manner.


California District Court Closes the Gap Left by Ruiz

On Monday, the Northern District of California granted Gap, Inc.'s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz's allegations of an increased risk of identity theft "do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law."


Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know.

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA. 

NY State Releases Business Guide to Handling Personal Identifiable Information

The New York State Consumer Protection Board has released a guide for New York businesses regarding the handling of personal identifiable information and the avoidance of identity theft. The guide also includes a form for reporting breaches to NY state agencies.  The guide is available here.

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program. In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.


Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.


Breach Law Data

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.

On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.


Social Security Numbers for Sale

The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public on the Secretary’s website, so that lenders and creditors could verify the availability of personal property used as collateral. Approximately one-third of the state’s two million UCC filings contained SSNs. Secretary of State Debra Bowen immediately shut off web-based access to the UCC filings and took down the offending part of the website.
