The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the…
Category Archives: Identity Theft
Standing on the Precipice: Privacy Litigation and Standing Requirements
Posted in Data Breaches, Fourth Amendment, Identity Theft, Privacy Litigation
The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act. The plaintiffs alleged Fourth Amendment privacy violations among…
Twitter’s Settlement With the FTC Demonstrates that “Reasonable Security” Isn’t Only About Online Commerce
Posted in FTC Enforcement, Identity Theft, Online Privacy
The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.
FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule
Posted in Identity Theft
The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.
Massachusetts Finally Finalizes Data Security Regulations – We Think
Posted in Identity Theft
In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts’ "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in Jul 2007. Regulation 201 CMR 17.00 ("Standards For The…
We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again
Posted in Identity Theft
Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond…
DC Court Sides with the ABA – No Red Flag Rules for Lawyers
Posted in Identity Theft
The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers, saying that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s…
Third Time’s A Charm: FTC Delays Enforcement Of The Red Flags Rule Again
Posted in Identity Theft
The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in…
State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act
Posted in Data Breaches, Identity Theft
The Federal Fair Credit Reporting Act preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act.
Red Flags and Address Discrepancies FAQs
Posted in Financial Privacy, Identity Theft
On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of FAQs to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.
What elementary school did you go to?
Posted in Identity Theft
I don’t know, but I could probably find out. There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice. Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be…
Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate
Posted in Identity Theft
I spoke with Health Leaders Media about the Red Flag Rules and the FTC’s further extension of the compliance deadline.
Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps
Posted in Identity Theft
Last month, we blogged about whether the Red Flag Rules apply to medical care providers. According to the FTC, they may also apply to retailers. The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most…
California District Court Closes the Gap Left by Ruiz
Posted in Data Breaches, Identity Theft
On Monday, the Northern District of California granted Gap, Inc.’s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz’s allegations of an increased risk of identity theft “do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law.”
Red Flag Rules Leave Health Care Industry Wondering
Posted in Identity Theft, Medical Privacy
The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and…
NY State Releases Business Guide to Handling Personal Identifiable Information
Posted in Identity Theft
The New York State Consumer Protection Board has released a guide for New York businesses regarding the handling of personal identifiable information and the avoidance of identity theft. The guide also includes a form for reporting breaches to NY state agencies. The guide is available here.
FTC Suspends Enforcement of Red Flag Rules For Six Months
Posted in Identity Theft
The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program. In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged…
Red Flag Alert — Compliance Deadline is November 1, 2008
Posted in Financial Privacy, Identity Theft
According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft. Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs. The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.
No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only “Damages” Sought
Posted in Identity Theft
Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh…
Breach Law Data
Posted in Identity Theft, Security Breach Notification Laws
We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.
Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case
Posted in Identity Theft, Security Breach Notification Laws
A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.
Social Security Numbers for Sale
Posted in Identity Theft
The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public…