Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security.  Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.


FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.


Massachusetts Finally Finalizes Data Security Regulations - We Think

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts' "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in July 2007.

Regulation 201 CMR 17.00 ("Standards For The Protection of Personal Information of Residents of the Commonwealth") was previously amended in August in response to industry backlash.

This week's final amendments make very few changes to the regulations that were released in August:

  • The regulations apply to persons who "store" personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
  • Service Providers include persons who "store" personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
  • The express carve-out of the U.S. Postal Service from the definition of "Service Providers" has been removed
  • The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2010 effective date of the regulations has not changed.


We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.


DC Court Sides with the ABA - No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.” 

The FTC has not yet indicated whether it will appeal Judge Walton's ruling.

Here is a link to the court’s order.

Here is a link to the ABA’s press release.

Third Time's A Charm: FTC Delays Enforcement Of The Red Flags Rule Again

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.


State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).


Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA. Among the answers in the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from a nationwide consumer reporting agency (NCRA: Experian, Equifax, or TransUnion). However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

What elementary school did you go to?

I don’t know, but I could probably find out. 

There is an increasing amount of discussion within the information security industry about whether the use of "security questions" to unlock forgotten passwords is a sound practice. Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be used later to authenticate users who have forgotten their passwords. The problem is twofold:

(1) The answers to many of these questions can be relatively easily guessed by an unauthorized individual to gain access to the account.

(2) In many cases, the authorized user forgets the answer to the question when it is needed later to access the account.

A recent study conducted by researchers at Microsoft and Carnegie Mellon University (“It’s no secret: Measuring the security and reliability of authentication via ‘secret’ questions”) found that 17% of users’ security answers were guessed correctly by mere acquaintances, and 20% of the study participants forgot their answers within six months. 
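The two failure modes above can be put in numbers. The following is an added example, not code from the original post and not data from the Microsoft/CMU study: the answer counts are constructed to show the arithmetic, and the `ResetChallenge` class is one hypothetical server-side design. It measures how often an attacker who simply tries the most popular answers succeeds within a lockout budget, and how the answer normalisation that helps forgetful users (problem 2) also merges variants an attacker would otherwise have to guess separately (problem 1).

```python
"""Modelling the two failure modes of 'secret question' authentication.

Added example, not part of the original post and not from the Microsoft/CMU
study it cites. The answer counts below are constructed to illustrate the
arithmetic; they are not survey data.
"""
import hashlib
import hmac
import unicodedata
from collections import Counter

# Constructed: what 1,000 hypothetical users typed for "What is your favourite colour?"
CONSTRUCTED_ANSWERS = Counter({
    "blue": 300, "green": 170, "red": 150, "purple": 90, "black": 70,
    "Blue": 40, "yellow": 35, "orange": 30, "pink": 25, "white": 20,
    "blue ": 15, "teal": 15, "burgundy": 10, "cerulean": 10, "BLUE": 10,
    "violet": 5, "magenta": 5,
})


def normalize_answer(answer: str) -> str:
    """Canonical form used both at enrolment and at verification.

    Normalising (Unicode NFKC, case-fold, collapse whitespace) addresses the
    'user forgot the exact spelling' problem, at the price of merging variants
    an attacker would otherwise have to guess one by one.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def normalized_distribution(answers: Counter) -> Counter:
    """Re-aggregate raw answers after normalisation ('Blue', 'blue ' -> 'blue')."""
    merged: Counter = Counter()
    for raw, count in answers.items():
        merged[normalize_answer(raw)] += count
    return merged


def guess_success_rate(answers: Counter, attempts: int) -> float:
    """Probability that an attacker who tries the `attempts` most common answers
    gets into a randomly chosen account. Compare this against the lockout
    threshold: a lockout bounds attempts, not the skew of the answers."""
    total = sum(answers.values())
    top = sum(count for _, count in answers.most_common(attempts))
    return top / total


def guesses_to_reach(answers: Counter, target_rate: float) -> int:
    """Smallest number of popularity-ordered guesses whose success rate >= target."""
    total = sum(answers.values())
    covered = 0
    for k, (_, count) in enumerate(answers.most_common(), start=1):
        covered += count
        if covered / total >= target_rate:
            return k
    return len(answers)


def hash_answer(answer: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Store the normalised answer like a password: salted, slow hash, never plaintext.
    This only protects against disclosure of the stored answers, not online guessing."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)


class ResetChallenge:
    """Hypothetical server-side check for a forgotten-password flow: hashed answer plus a guess budget.

    The budget caps online guessing; guess_success_rate(dist, max_attempts)
    tells you how much that cap is actually worth for a given question.
    """

    def __init__(self, stored_hash: bytes, salt: bytes, max_attempts: int = 3):
        self.stored_hash = stored_hash
        self.salt = salt
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(self.stored_hash, hash_answer(attempt, self.salt))
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    raw, merged = CONSTRUCTED_ANSWERS, normalized_distribution(CONSTRUCTED_ANSWERS)
    print(f"distinct answers: raw={len(raw)} normalised={len(merged)}")
    for k in (1, 3):
        print(f"top-{k} guess success: raw={guess_success_rate(raw, k):.3f} "
              f"normalised={guess_success_rate(merged, k):.3f}")
```

On this constructed distribution, normalisation collapses 17 stored strings into 14 and lifts the single most popular guess from 30% to 36.5% of accounts; three guesses (a typical lockout budget) open 68.5% of accounts. The point for a practitioner is that hashing and lockout are necessary hygiene but do not rescue a question whose honest answers cluster this tightly; the remedy is a different factor, not a better-protected answer.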


Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here.  The title of the article says it all:  "Don't Delay Because of Red Flags Rule Delay."

Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers. 

The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most retailers have been caught off guard by this interpretation, since they are not accustomed to being considered “creditors.” Fortunately for them, in the nick of time for the May 1st compliance deadline, the FTC extended the deadline to August 1, 2009, giving retailers time to put their policies in place in a thoughtful and reasoned manner.


California District Court Closes the Gap Left by Ruiz

On Monday, the Northern District of California granted Gap, Inc.'s Motion for Summary Judgment in Ruiz v. Gap, Inc., et al., Case No. 07-5739 SC, holding that Ruiz's allegations of an increased risk of identity theft "do[] not rise to the level of appreciable harm necessary to assert a negligence claim under California law."


Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. 

The answer seems to depend on whom you ask. The Federal Trade Commission ("FTC") and the American Medical Association ("AMA") have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA "strongly objected" to the FTC's interpretation and alleged that the FTC failed to comply with the Administrative Procedure Act ("APA"), since it neither explained in advance the rules' application to health care providers nor provided the public with notice and an opportunity to comment. In summary, the AMA asked the FTC either to withdraw its interpretation or to conduct a new rulemaking procedure that complies with the APA.


NY State Releases Business Guide to Handling Personally Identifiable Information

The New York State Consumer Protection Board has released a guide for New York businesses on the handling of personally identifiable information and the prevention of identity theft. The guide also includes a form for reporting breaches to New York state agencies. The guide is available here.

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement though does not affect companies subject to the enforcement authority of federal agencies other than the FTC.


Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

No Harm, No Lawsuit: Seventh Circuit Refuses Data Breach Lawsuit Where Credit Monitoring Costs Are the Only "Damages" Sought

Where the only “damages” alleged following a data security breach are the costs of credit monitoring, a plaintiff has no case, so ruled the Seventh Circuit on August 23, 2007. The decision dealt another blow to so-called “identity exposure” plaintiffs seeking to recover damages stemming from the unauthorized disclosure of their personal information, as the Seventh Circuit’s ruling joined the unanimous line of lower court decisions denying recovery in the absence of actual, present harm.

In Pisciotta v. Old National Bancorp, -- F.3d --, 2007 WL 2389770 (7th Cir. Aug. 23, 2007), the court ruled that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.” Id. at *6. In doing so, the Seventh Circuit joins a chorus of federal district courts that uniformly reject such costs as a form of cognizable injury sufficient to support legal claims for damages.


Breach Law Data

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma's law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case

A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not constitute damages absent evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.

On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.


Social Security Numbers for Sale

The protection of Social Security numbers (SSNs) from identity thieves has emerged as a hot news topic in the past few weeks. In California, it was revealed that, for the past three years, the Secretary of State’s office has been selling in bulk electronic UCC filings containing SSNs. Those filings were available to the public on the Secretary’s website, so that lenders and creditors could verify the availability of personal property used as collateral. Approximately one-third of the state’s two million UCC filings contained SSNs. Secretary of State Debra Bowen immediately shut off web-based access to the UCC filings and took down the offending part of the website.
