New Illinois Law Restricts Employer Use of Credit History

On August 10, 2010, Illinois Governor Pat Quinn signed the Employee Credit Privacy Act, which prohibits most Illinois employers from inquiring about an applicant’s or employee’s credit history or using an individual’s credit history as a basis for an employment decision.  The definition of “employer” under the Act exempts banks, insurance companies, law enforcement agencies, debt collectors and state and local government agencies that require the use of credit history.

Three Bills Introduced to Repeal Section 929I of the Dodd-Frank Financial Reform Bill

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.

UK Data Breach Reporting Soars

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

FTC Further Extends Enforcement Deadline for Red Flags Rule

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.  The enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction.  The FTC stated that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.

Please refer to our previous post regarding other developments that may limit the Red Flags Rule’s application.

German DPA Imposes €120,000 Fine on Deutsche Postbank AG

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.

FINRA Fines Montana Brokerage Firm $375,000 for Failure to Protect Customer Information

On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information.  In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals.  The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008.  The firm responded quickly by notifying law enforcement authorities and providing affected individuals with two years of credit monitoring.  While D.A. Davidson neither admitted nor denied the charges in settling the case, the firm consented to the entry of FINRA’s findings.  To date, there has been no evidence of identity theft resulting from this incident.

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

FTC's Revised Free Credit Reports Rule Becomes Effective April 2, 2010

Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010.  As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports. 

FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent and mitigate the risk of identity theft.  Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.

To read more about the Red Flags Rule, please see our previous blog posts.

View the FTC’s notice of appeal.

European Parliament Rejects the SWIFT Agreement

On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT.  The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe.  With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement.  According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.

Swiss Court Declares Transfers of Banking Data to U.S. Authorities Illegal

On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal.  In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities.

European Union Agrees to Access by U.S. Anti-Terrorism Authorities to Personal Data in Europe

On November 30, the Council of the European Union agreed to allow U.S. anti-terrorism authorities access to financial data of individuals located in the EU under certain circumstances. Under the agreement, U.S. authorities will continue to have access to data collected by Society for Worldwide Interbank Financial Telecommunication ("SWIFT") after a SWIFT database located in Switzerland becomes active later this year (the data had previously been processed in a database located in the U.S.). The agreement contains restrictions on access to the data that have been negotiated between the EU and the U.S. (e.g., access will be limited to data that relate to individuals with links to terrorist activities; U.S. authorities will not have access to data concerning intra-European transactions; and U.S. authorities seeking access to personal data will have to tailor their requests narrowly and justify their requests to the U.S. Department of the Treasury). The agreement will run until October 31, 2010, after which time a further agreement between the U.S. and the EU would have to be negotiated for the U.S. authorities to continue to have access to the data. The agreement was reached despite the abstention from voting of the governments of Austria, Germany, Greece and Hungary because of data protection concerns. Under the EU's new Lisbon Treaty (which went into effect on December 1, 2009), any further agreement will require participation by the European Parliament, which has been highly critical of the agreement.

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

FTC Extends Enforcement Deadline for Red Flags Rule (Again)

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the House by a margin of 400 to 0 and was referred to the Senate Committee on Banking, Housing and Urban Affairs.  Please refer to our recent post regarding other developments that limit the rule's application.

Court Finds That Lawyers Are Not Subject to the FTC's Identity Theft Red Flags Rule

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft.  The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

FTC Extends Red Flags Compliance Deadline to November 1

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and financial institutions is November 1, 2009.  The FTC news release is available here.

Agencies Issue Final Rules on Credit Report Accuracy under FACTA

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010.

Obama Proposes New Agency to Regulate Consumer Financial Privacy

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC").  Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets. 

While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties.  The proposal also includes expanded FTC authority over the banking sector with respect to data security.  While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC.  Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.

The Administration's full report on its financial reform plan can be viewed here.

Obama Proposes New Financial Services Consumer Protection Agency

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  The announcement is available here.  We will keep you posted as more details regarding the plan emerge.

Liability for Data Security Auditors

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Alleged Violations of a Privacy Policy

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.