If You Let Them Build It, They Will Come: Regulatory Agencies Release Model Privacy Notice Online Form Builder

More than five months ago, eight federal regulatory agencies released their final model privacy notice form (“Model Form”) (which we blogged about here) to help financial institutions satisfy the disclosure requirements established by the Gramm-Leach-Bliley Act (“GLBA”) and help consumers understand how these institutions collect and share their information. On April 15, 2010, those same agencies attempted to ease the burden of completing the Model Form by releasing an Online Form Builder.

The Online Form Builder provides the financial institution with the choice of four form options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.

Some financial institutions will gravitate towards the Model Form because by using it, they will obtain a legal “safe harbor” which confirms their compliance with the GLBA’s disclosure requirements. It remains to be seen, however, whether all financial institutions will adopt the Model Form given the difficulty a financial institution may have in conveying its complex affiliate relationships and the fact that the Model Form rules do not allow the form to be modified in any material respect.

Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second, after Minnesota (see our post here), to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, 2010, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as “level 1” merchants) and that fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs of re-issuing cards, as well as attorneys’ fees and costs, where a security breach involving payment card information is a proximate result of that failure. H.B. 1149 also includes a provision making vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor’s negligence. The amount of such damages, of course, will depend on the particular breach.

H.B. 1149’s safe harbors and exemptions, however, help to limit the scope and potential impact of the new law. For example, the new law exempts businesses that are certified as compliant with the Payment Card Industry Data Security Standard (“PCI DSS”) at the time of a breach. Most large merchants and card processors are well-acquainted with PCI DSS requirements and have already implemented safeguards aimed at PCI DSS compliance, so the new law should not require Herculean efforts or wholesale changes to covered entities’ cardholder information security programs. However, their liability exposure for losses arising from non-compliance is increased as a result of H.B. 1149.

Entities also are not liable if the payment card information was encrypted at the time of the breach.

The bill signed by Governor Gregoire does not include provisions from earlier versions of the bill that would have, among other things, prohibited covered entities from retaining cardholder data without the express consent of customers and held such entities liable in the event of a breach involving unencrypted cardholder data about more than 5,000 individuals. Likewise, a provision that would have allowed merchants to charge an extra two cents for each payment card transaction in order to cover the cost of insurance against potential liabilities under the law did not survive in the enacted version of the legislation.

With the enactment of H.B. 1149, Washington joins Minnesota as the only states to statutorily impose liability for breach-related costs on negligent merchants, payment card processors and vendors. It also distinguishes itself from the handful of other states in which attempts to enact such laws have failed, such as California, where Governor Schwarzenegger vetoed a similar measure in 2007. Additionally, with the adoption of H.B. 1149, Washington joins Nevada in incorporating parts of the PCI DSS into state law. As we previously wrote, Nevada exempts certain entities that are PCI DSS compliant from some of the state’s encryption requirements.

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form, which is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which comes in a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, including a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurred by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

The final model privacy notice form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. It is hailed as a consumer-friendly notice that allows consumers to easily compare the privacy practices of different financial institutions. The final rule takes effect 30 days after publication in the Federal Register, and financial institutions that choose to use the model form will obtain a “safe harbor” that declares them in compliance with the GLBA’s disclosure requirements. Publication of the final model privacy notice in the Federal Register is expected soon.

With the release of the model form, despite opposition from major industry players, the agencies plan to eliminate the existing sample clauses and accompanying compliance safe harbors, which limited the liability of financial institutions that issued privacy notices containing these sample clauses. Existing safe harbors and sample clauses will be phased out over a one-year period.

We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.


Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA. Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from a nationwide consumer reporting agency (“NCRA,” i.e., Experian, Equifax, and TransUnion). However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.