On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.
Continue Reading...As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule. The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The FTC previously has stated that health care providers could be deemed “creditors” under the Rule. The agreement will grant relief to health care providers until the resolution of litigation pending before the U.S. District Court for the District of Columbia, in which the American Medical Association and other health groups have asked the court to prevent the FTC from applying the rule to physicians. As we reported in our previous blog post, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010, to allow Congress to take action to clarify the Rule’s scope.
On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule. This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010. The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft. The enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction. The FTC stated that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.
Please refer to our previous post regarding other developments that may limit the Red Flags Rule’s application.
Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers. Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.
Continue Reading...In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft. The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking. The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.
Continue Reading...On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services. The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers. The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.
The FTC’s complaint and further details concerning the settlement are available on the FTC’s website. The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.
On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC. The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms. The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent and mitigate the risk of identity theft. Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.
To read more about the Red Flags Rule, please see our previous blog posts.
View the FTC’s notice of appeal.
On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud. In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers. The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws. Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.
In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.
Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today's Technology Live Blog.
The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule. The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction. The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope. That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the House by a margin of 400 to 0 and was referred to the Senate Committee on Banking, Housing and Urban Affairs. Please refer to our recent post regarding other developments that limit the rule's application.
It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers. The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act"). In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly. The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered. For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.
Continue Reading...The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching. Of late, there has been a flurry of activity aimed at limiting the scope of the rule. The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program. A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.” In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”
Continue Reading...On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program. The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule. The new enforcement deadline for creditors and financial institutions is November 1, 2009. The FTC news release is available here.
On May 13, 2009, the Federal Trade Commission ("FTC") published a compliance template designed to assist financial institutions and creditors "at low risk for identity theft " in developing the Identity Theft Prevention Program required by the FTC’s Identity Theft Red Flags and Address Discrepancies Rule (the "Rule"). The template is entitled "A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft."
Continue Reading...The White House today released the report from the 60-day cybersecurity review the President ordered in February. Speaking to a packed audience in the East Room, President Obama outlined the broad range of threats facing the digital infrastructure, focusing not only on national security and organized crime attacks, but also on identity theft and incursions into individual privacy.
He promised a “new comprehensive approach to securing our nation’s infrastructure,” including appointment of a White House cybersecurity coordinator reporting to both the National Security Council and the National Economic Council. The coordinator would have broad responsibilities, but little direct authority, although the President did promise that the coordinator would have access to him.
Continue Reading...At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule. The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"). The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008. The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program. The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope. In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further." On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule. The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities. The FTC's news release is available here.
The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month. Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).
Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants. Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance. Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).
Continue Reading...On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule: A How-To Guide for Business.” The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program. For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009. Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.
Continue Reading...On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.” The guide offers an overview of the Rule and practical steps businesses need to take to comply. In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope. As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule. According to the guide, “creditors” also may include retailers that merely “process” credit applications. Please visit our blog next week for a detailed analysis of the FTC’s guide. The guide is available here.
A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy. Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009).
Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared. During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number. Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information. Pinero alleged that she relied on this statement in her decision to turn over her information.
Continue Reading...A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).
Continue Reading...In a continuing effort to combat identity theft, New York recently enacted an amendment to the Penal Law making it a crime to impersonate another person or pretend to be a public servant by means of online communication.
Specifically, New York’s Internet impersonation law amends section 190.25 of the Penal Law by adding Subdivision 4, making it a crime to impersonate another person by electronic means, including through use of a website, with the intent to obtain a benefit or injure or defraud another person. It also prohibits using such electronic means to pretend to be a public servant in order to induce another person to submit to false authority or to act in reliance on that false pretense. To read more, click here.
This website is for general information purposes only. Information posted is not intended to be legal advice. For more information, please see the Disclaimer and Privacy Notice links.
Enter keywords:
