FTC Warns Organizations of P2P-Related Data Security Breaches

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers.

Hunton & Williams partner Lisa J. Sotto discussed the FTC’s release in USA Today's Technology Live Blog.

FTC's Second Exploring Privacy Roundtable

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When encountering these protective measures, consumers often avoid or turn off privacy features of technologies that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring the achieved objectives.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.

Federal Trade Commission: Is Privacy Moving to a Post-Disclosure Era?

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz, and chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy.  Chairman Leibowitz highlighted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and whether consumers were harmed.  From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy.  This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.”  In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

The lack of meaningful consent has raised the possibility that privacy is moving beyond the advise-and-consent model toward a post-disclosure era.  It remains to be seen how the post-disclosure era will evolve and how the new paradigm will replace consumer notice and choice.  The FTC is examining the issue, and aims to publish a report by July 2010.  Although the final content of the report is yet to be determined, Chairman Leibowitz stated, “I have a sense, and it’s still amorphous, that we might head toward opt-in.”

For further information, view The New York Times blog post.

Business Forum for Consumer Privacy Introduces New Data Protection Model

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document” at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three-year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices.  The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability.  The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment, internal business processes, marketing, fraud prevention and authentication and national security and legal).  The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event.  In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment.  Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use.  The use-and-obligations model will likely serve as an important contribution to that discussion.

Senior Staff Changes at FTC Bureau of Consumer Protection Increase Privacy Profile

Senior staff changes at the Federal Trade Commission have enhanced privacy’s profile within the agency.  Jessica Rich is the new Deputy Director of Consumer Protection.  Ms. Rich has been the Acting Associate Director responsible for the Division of Privacy and Identity Protection following nearly a decade as Assistant Director for the Division.  Rich has long been seen as the FTC staff’s privacy thought leader.  The new Privacy Division Associate Director is Maneesha Mithal.  Ms. Mithal brings a strong international background to the position.  The new Assistant Director is Mark Eichorn, a longtime attorney advisor to Chairman Jon Leibowitz.  The Associate Director in charge of the Division of Financial Practices, Joel Winston, had led the Division of Privacy and Identity Protection, and brings a great deal of privacy experience to the financial practices position.

The FTC begins a major privacy initiative on Monday, December 7, when it will hold the first of three roundtables exploring future directions for privacy oversight.  The second roundtable will be in Berkeley on January 28, 2010, with the third in Washington in the second half of March.

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor: financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model, with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor: financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form, with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future, although a draft of the final rule has already been circulated.

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000.  The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current.  If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers.  In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites in which the companies continued to claim Safe Harbor membership.

Report Finds Americans Reject Targeting, Setting Up Policy Debate

In its announcement that it would convene a series of public roundtables to address developing privacy issues, the Federal Trade Commission requested empirical data on consumer privacy expectations. In response to that request, researchers at the University of California at Berkeley and the University of Pennsylvania have released a study entitled "Americans Reject Tailored Advertising." Survey data reported in the study found that 66% of Americans reject targeted advertising online; 86% reject such ads when told they are made possible through online data collection. The study also makes the case that Americans would like much stricter laws governing the data collected online and higher penalties for failures to comply.

The study did not explore consumers' perceptions of the role played by targeted advertising in providing free content to users or their willingness to pay for content in the absence of that advertising support. The House Energy and Commerce Committee has announced its intent to address these issues in the current session of Congress. In the absence of alternative empirical data, this study will feature prominently in the policy debate about regulating behavioral targeting in the U.S. and Europe.

FTC and HHS Issue Final Breach Notification Rules

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations will apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches that are discovered within the first 180 days after the effective date.

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that present a significant risk of harm.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC Final Rule.  Like the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the information security guidance issued by HHS in April 2009 to emphasize encryption and destruction as the only methods for securing PHI in a manner consistent with the HITECH Act’s breach notification provisions.  The HHS Interim Final Rule is available on the HHS website.

Agencies Issue Final Rules on Credit Report Accuracy under FACTA

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010.

The final rules and guidelines include provisions allowing consumers to dispute inaccuracies in their credit files directly with entities that furnish information to credit reporting agencies, including financial institutions and other organizations.  The Agencies’ guidelines specify the steps credit information furnishers should take to ensure the accuracy and integrity of the information they provide to credit reporting agencies, including suggestions such as when it may be necessary to provide supplemental information in order to avoid creating misleading impressions about creditworthiness.  The accuracy and integrity of information contained in credit reports is critical to individual consumers, as this information is used to assess eligibility for credit, employment, insurance and housing, and consumers with errors in their credit reports may be denied access to benefits.

A copy of the final rules and guidelines is available here.

Obama Proposes New Agency to Regulate Consumer Financial Privacy

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC").  Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets.

While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties.  The proposal also includes expanded FTC authority over the banking sector with respect to data security.  While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC.  Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.

The Administration's full report on its financial reform plan can be viewed here.

Obama Proposes New Financial Services Consumer Protection Agency

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  The announcement is available here.  We will keep you posted as more details regarding the plan emerge.

FTC Delays Enforcement of the Red Flags Rule until August 1, 2009

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about the Rule's intended scope.  In announcing this latest delay, the FTC cited "the ongoing debate about whether Congress wrote this provision [of FACTA] too broadly" and stated that extending the compliance deadline would "allow industries and associations to share guidance with their members . . . and give Congress time to consider the issue further."  On March 20, 2009, the FTC published the Red Flags Rule Compliance Guide to assist organizations that must comply with the Red Flags Rule.  The FTC stated in its news release yesterday that it will attempt to address some of the concerns regarding compliance with the Rule by publishing an identity theft prevention program template for low risk entities.  The FTC's news release is available here.

FTC Proposes Breach Notification Rule for Electronic Health Data

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act ("ARRA"), signed into law on February 17, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals, or, for breaches affecting fewer than 500 individuals, maintain a log to be submitted annually to the Commission.

The FTC's Rule will apply to vendors of personal health records and entities that offer products or services through the websites of such vendors. Also included in the Rule's scope are entities that are not covered by the Department of Health and Human Services' rules, but that offer products or services through the websites of DHHS-covered entities, and those that interface with an individual's personal health records. Because ARRA does not limit the FTC's enforcement authority to its enforcement jurisdiction under Section 5 of the FTC Act, the proposed FTC Rule would apply to these entities whether or not they would otherwise fall within the scope of the FTC's regulatory jurisdiction.

Public comments on the proposed rule are due by June 1, 2009. Currently, the rule is set to apply to breaches discovered on or after September 18, 2009. The text of the Federal Register Notice can be accessed on the FTC's website by clicking here.

FTC Chairman Jon Leibowitz Appoints Senior Staff

Federal Trade Commission Chairman Jon Leibowitz has appointed six senior staff members with extensive experience in the private sector, in the public interest community, in academia, and in government.

“We’re delighted to attract such a talented and creative group of people,” Leibowitz said. “Their leadership and expertise will help ensure that the Commission’s work on behalf of American consumers will continue to be effective. We’re very fortunate.”

Richard A. Feinstein, who was appointed Director of the Bureau of Competition, is rejoining the agency from a partnership at Boies, Schiller & Flexner LLP, where he focused on antitrust litigation and counseling. He was formerly an Assistant Director in the Bureau of Competition’s Health Care Services and Products Division, focusing on antitrust enforcement, including anticompetitive practices and mergers involving health care providers and payers, and anticompetitive conduct in the pharmaceutical industry. Feinstein worked previously at McKenna & Cuneo, LLP, and he was a trial attorney and supervisor in the Antitrust Division of the U.S. Department of Justice.

David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director. He has argued a number of First Amendment and civil rights cases before the U.S. Supreme Court, and more than 60 cases before the federal courts of appeal and state courts of last resort.

Joseph Farrell, who was named Director of the Bureau of Economics, has been a Professor of Economics at the University of California, Berkeley, where he has been Chair of the Competition Policy Center and an Affiliated Professor in the Haas School of Business. He also has served as Deputy Assistant Attorney General and Chief Economist for the Antitrust Division of the U.S. Department of Justice, and as Chief Economist for the Federal Communications Commission. His research has centered on competition policy, compatibility standards, and innovation. Farrell is a Fellow of the Econometric Society.

Susan S. DeSanti, who will be Director of Policy Planning, joins the Commission from Sonnenschein Nath & Rosenthal, where her practice has focused on antitrust counseling and litigation in a variety of industries. She previously spent 15 years at the Commission, during which she helped develop federal antitrust policy in standard setting, intellectual property licensing, antitrust and patent issues, generic drug entry, mergers, and joint ventures among competitors. During that time, she served in a variety of positions, including Director of Policy Planning, Deputy General Counsel for Policy Studies, senior attorney advisor to Chairman Robert Pitofsky, and attorney advisor to Commissioner Dennis Yao. In addition to several years in private practice before she joined the Commission, DeSanti recently served as Senior Counsel to the Antitrust Modernization Commission.

Jeanne Bumpus, who was re-appointed as Director of the Office of Congressional Relations, has served in that position since June 2006. She was a principal advisor to Senator John McCain and served as Staff Director and Chief Counsel for the U.S. Senate Committee on Commerce, Science, and Transportation. Bumpus began her work on Capitol Hill in the office of Washington State Senator Slade Gorton, where she served as Legislative Counsel. Earlier, she worked as an associate in the law firm of Davis Wright Tremaine in Seattle, Washington.

Joni Lupovitz, who will serve as Chief of Staff to the Chairman, joined the FTC in 1999 as an attorney in the Bureau of Consumer Protection’s Division of Enforcement and was promoted to Assistant Director for Enforcement the following year. Since 2005, she has served as an attorney advisor in the Office of Commissioner (now Chairman) Leibowitz, focusing on consumer protection matters. Before joining the FTC, Lupovitz was a partner with McDermott, Will & Emery, where she had a diverse civil litigation and administrative practice.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.


FTC Publishes Red Flags Rule Compliance Guide; Confirms Broad Interpretation of the Rule

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule: A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by the federal bank regulatory agencies or the National Credit Union Administration (which issue their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

The guide follows the broad interpretation of the Rule that FTC lawyers have previously articulated on various panels and in FTC publications.  First, the guide confirms that any entity that is a “creditor” under the Rule’s broad definition is subject to the Rule.  The FTC appears to interpret this definition to encompass entities that may have little or no involvement in credit decisions, such as retailers that accept credit card applications for forwarding to credit card companies.  Second, the guide sets out an expansive view of “covered accounts.”  For example, the guide would require a “creditor” to evaluate not only accounts that involve credit but any accounts the business offers or maintains, including non-credit and single transaction accounts, to determine which of its accounts are “covered” under the Rule.  Financial institutions, which had been required to evaluate consumer and non-consumer accounts that involve multiple transactions and have check-writing or similar withdrawal or transfer privileges, may now also have to determine whether their single transaction accounts and accounts without check-writing privileges may be “covered.”

Broad Definition of “Creditor”
According to the guide, any business that sells goods or services and allows customers to pay for them later is a “creditor” under the Rule and, therefore, is subject to the provisions requiring the implementation of an Identity Theft Prevention Program.  This definition of “creditor” may encompass any “invoice billing” arrangements, including those often utilized by law firms, doctors, manufacturers, utility companies and myriad other businesses that do not require immediate payment for their products or services.  Based on the FTC guide, retailers that offer “no interest/no payment” programs are also likely “creditors” under the Rule. 

The second category of “creditors” is entities that “participate” in credit decisions.  This definition, found in Regulation B (from which the definition of “creditor” is derived for purposes of the Rule), covers businesses that may: (i) arrange for loans, (ii) participate in decisions to renew, continue or extend credit, (iii) set the terms of credit, or (iv) participate in credit decisions in other, often relatively tangential ways.  A business may be deemed a “creditor” under the Rule if it participates in conducting an initial assessment of credit applications, deciding which applications to send to a lender, receiving proceeds from a portion of the interest rate charged on a loan, restructuring the terms of the sale in order to meet the concerns of the creditor, or advocating for extending credit.

Notably, Regulation B also defines “creditors” for certain purposes as businesses that “do not participate in credit decisions” but rather only: (i) accept applications, (ii) refer applicants to creditors, or (iii) select or offer to select creditors to whom credit requests can be made.  This definition, relevant only to the Equal Credit Opportunity Act’s anti-discrimination provisions, suggests that businesses that merely accept credit applications and are not involved in the approval process or any of the activities that constitute “participating” in a credit decision (for example, retailers, restaurants, hotels or airlines) are “creditors” subject to the Rule.  The FTC appears to take this position in its guide, which lists as an example of creditors “retailers that offer financing or help consumers get financing from others… by processing credit applications.”

Expanded Scope of “Covered Accounts”
After a business determines that it is a “creditor” or a “financial institution” within the meaning of the Rule, the next step is to determine if the business offers or maintains any “covered accounts.”  If it does, the business must implement an Identity Theft Prevention Program for those accounts.

The guide appears to take a broader view of the definition of “covered accounts” than what had previously been the conventional wisdom.  For example, it was thought that “creditors” needed to consider only consumer and non-consumer credit accounts in deciding which accounts were “covered.”  Under the guide’s interpretation of the Rule, however, a creditor’s covered accounts could include any accounts, rather than only those involving credit.  Thus, for example, if an insurance company allows some consumers to pay for policies after the coverage period and requires others to make periodic payments that prepay coverage, the guide appears to suggest that all such accounts would be “covered” and that the insurance company would need to evaluate the risk of identity theft associated with its non-consumer credit and non-credit accounts to determine if those accounts are covered.  The implication of the guide’s interpretation for financial institutions subject to the FTC’s jurisdiction is that the coverage of the Rule would extend to non-transaction accounts (i.e., accounts that do not allow check writing or similar withdrawal or transfer transactions).

Finally, the guide suggests that in deciding which accounts are “covered,” financial institutions and creditors must evaluate the risks associated with “single transaction” accounts.  This requirement appears to significantly expand the scope of the Rule, which defines an account only as a “continuing relationship.”  Here, the guide also appears to be in conflict with the position the FTC and the federal banking agencies articulated in the preamble to the Rule that the agencies “determined that… the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transaction by non-customers would outweigh the benefits of such a requirement.”

The FTC guide is available on the new FTC website dedicated to the Red Flags Rule, located here.

FTC Issues Red Flags Guidance

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide, “creditors” also may include retailers that merely “process” credit applications.  Please visit our blog next week for a detailed analysis of the FTC’s guide. The guide is available here.