Proskauer on Privacy

Category Archives: Identity Theft

Subscribe to Identity Theft RSS Feed

Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?

Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach.  In … Continue Reading

California Amends Data Breach Notification Law to Require Notification of Breach of Encrypted Personal Information When Encryption Key Has Been Leaked

On September 13, 2016, California Governor Jerry Brown signed into law AB 2828, an amendment to the law that requires businesses to disclose data breaches to California residents whose personal information has been compromised. Currently, the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. However, effective January 1, … Continue Reading

Tales from the (Quantum) Crypt

The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices … Continue Reading

An Ounce of Prevention…Is Tax-Free: IRS Expands Tax Relief to Pre-Data Breach Identity Theft Protection Services

As reported here [http://www.proskauertaxtalks.com/2015/09/irs-provides-some-relief-after-data-hacks/], after last year’s customer data security breaches at major U.S. corporations, the IRS announced special tax relief for identity protection services provided to individuals affected by a security breach.  In response to comments solicited in connection with that announcement, the Treasury Department and IRS have in Announcement 2016-02 [https://www.irs.gov/pub/irs-drop/a-16-02.pdf] extended that … Continue Reading

California Updates State Breach Notification Law, Expands Security Procedures to Entities that “Maintain” Personal Information

On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85).  The amended law, which is effective January 1, 2015, updates existing law in three significant ways: Under current law, … Continue Reading

A $1.2 Million Photocopier Mistake: Health Plan Settles with HHS in HIPAA Breach Case

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of … Continue Reading

California Court of Appeal Says Chevron Can Collect ZIP Code Information for Pay-at-the-Pump Transactions

On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No. … Continue Reading

The SEC and CFTC Adopt Identity Theft Red Flag Rules

The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the … Continue Reading

Standing on the Precipice: Privacy Litigation and Standing Requirements

The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act.  The plaintiffs alleged Fourth Amendment privacy violations among … Continue Reading

Twitter’s Settlement With the FTC Demonstrates that “Reasonable Security” Isn’t Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter's promises on its website to protect the personal information of its users, Twitter's practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users. … Continue Reading

FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its "Red Flags" Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule. … Continue Reading

Massachusetts Finally Finalizes Data Security Regulations – We Think

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts’ “Act Relative to Security Freezes and Notification of Data Breaches,” which was enacted in Jul 2007. Regulation 201 CMR 17.00 (“Standards For The Protection … Continue Reading

We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond … Continue Reading

DC Court Sides with the ABA – No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers, saying that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s … Continue Reading

Third Time’s A Charm: FTC Delays Enforcement Of The Red Flags Rule Again

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in … Continue Reading

What elementary school did you go to?

I don’t know, but I could probably find out.  There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice.  Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be … Continue Reading

Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers. The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most … Continue Reading

Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and … Continue Reading

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged … Continue Reading
LexBlog

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.

OK