House Approves Social Security Number Protection Act

Posted on December 9, 2010 by Hunton & Williams LLP

On December 8, 2010, the U.S. House of Representatives approved the Social Security Number Protection Act of 2010 (S. 3789), which is aimed at reducing identity theft by limiting access to Social Security numbers.  The bill prohibits printing Social Security numbers, or any derivative of a Social Security number, on government-issued checks, and bars federal, state and local government entities from employing prisoners in jobs that would allow them to access Social Security numbers.  Although there are numerous state laws on the books to safeguard Social Security numbers, the Social Security Number Protection Act will provide federal coverage.  The bill was introduced by Senators Dianne Feinstein (D-CA) and Judd Gregg (R-NH) and passed in the Senate by unanimous consent on September 28, 2010.  It is now headed for signature by President Obama.

Tags: , , , ,

Senate Passes Bill to Limit Red Flags Rule Scope

Posted on December 3, 2010 by Hunton & Williams LLP

The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate.  The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.  The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  As we previously reported, companion legislation has been introduced in the House of Representatives.

Tags: , , ,

French Data Protection Authority Publishes Opinion Regarding New Security Bill

Posted on July 14, 2010 by Hunton & Williams LLP

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d’orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate’s Commission of Laws on June 2, 2010.

Continue reading…

Tags: , , , ,

Health Care Providers Potentially Exempt from Red Flags Rule

Posted on June 17, 2010 by Hunton & Williams LLP

As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule.  The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The FTC previously has stated that health care providers could be deemed “creditors” under the Rule.  The agreement will grant relief to health care providers until the resolution of litigation pending before the U.S. District Court for the District of Columbia, in which the American Medical Association and other health groups have asked the court to prevent the FTC from applying the rule to physicians.  As we reported in our previous blog post, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010, to allow Congress to take action to clarify the Rule’s scope.

Tags: , , ,

FTC Further Extends Enforcement Deadline for Red Flags Rule

Posted on May 28, 2010 by Hunton & Williams LLP

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.  The enforcement date is now December 31, 2010, for creditors and financial institutions subject to FTC jurisdiction.  The FTC stated that the delay had been requested by members of Congress who are currently considering a bill that would limit the rule’s scope.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.

Please refer to our previous post regarding other developments that may limit the Red Flags Rule’s application.

Tags: , ,

FTC Investigating Privacy Risks to Data Stored on Digital Copiers

Posted on May 26, 2010 by Hunton & Williams LLP

Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers.  Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.

Continue reading…

Tags: ,

Hacking Overtakes Theft and Loss as Leading Cause of Reported Security Breaches

Posted on March 12, 2010 by Hunton & Williams LLP

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

Continue reading…

Tags:

LifeLock to Pay $12 Million Over False Claims of Identity Theft Protection

Posted on March 9, 2010 by Hunton & Williams LLP

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity theft, and only limited protection against other types of fraud.

The FTC’s complaint and further details concerning the settlement are available on the FTC’s website.  The FTC also has posted a page to provide information on the redress program for current and former LifeLock customers.

Tags: , ,

FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms

Posted on March 1, 2010 by Hunton & Williams LLP

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent and mitigate the risk of identity theft.  Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.

To read more about the Red Flags Rule, please see our previous blog posts

View the FTC’s notice of appeal.

Tags: , , ,

FTC Warns Organizations of P2P-Related Data Security Breaches

Posted on February 23, 2010 by Hunton & Williams LLP

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers. 

Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today’s Technology Live Blog.

Tags: