On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of the Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program. The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule. The new enforcement deadline for creditors and financial institutions is November 1, 2009. The FTC news release is available here.
On July 28, 2009, the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon. Among the highlights:
- On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010
- Vietnam is set to enact consumer protection legislation including privacy provisions in 2010
- Hong Kong’s Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
- The Philippines is set to enact privacy legislation based on the APEC Principles by the end of 2009
- Thailand is expected to pass privacy legislation in the near future
- The Law Reform Commission in New Zealand is laying the groundwork for legislation in 2010
- Chile plans to enact legislation creating a government authority responsible for privacy and transparency
The Centre for Information Policy Leadership facilitated workshops contributing to the legislative processes in Vietnam and the Philippines.
On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the “Federal Act”). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.
The UK Financial Services Authority (FSA) today announced fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers’ confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
Kaiser Permanente Bellflower Hospital has again been penalized for failing to prevent unauthorized access to confidential patient information. On July 16, 2009, the California Department of Public Health announced that it had levied administrative penalties totaling $187,500 on the hospital after it was determined that eight Kaiser employees had compromised the privacy of four patients’ medical information. On May 14, 2009, the same facility was fined $250,000 — the maximum allowable penalty under the new state health privacy provisions that came into effect on January 1st — for violations related to unauthorized employee access to the medical records of Nadya Suleman. The latest fine included a $25,000 penalty for each of four patients whose medical records allegedly were breached, plus $17,500 per incident for five subsequent alleged breaches of those medical records after the first.
The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports. The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009. The final rules and guidelines will take effect on July 1, 2010.
The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.
The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”). The Regulations are expected to come into force as of October 1, 2009.
In a closely watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”
On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).
On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA"). Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act. To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC"). Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets.
While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties. The proposal also includes expanded FTC authority over the banking sector with respect to data security. While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC. Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.
The Administration’s full report on its financial reform plan can be viewed here.