The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule. The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction. The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule’s scope. That bill (which would exclude certain entities with 20 or fewer employees from the rule’s definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the House by a margin of 400 to 0 and was referred to the Senate Committee on Banking, Housing and Urban Affairs. Please refer to our recent post regarding other developments that limit the rule’s application.
The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts. The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009. The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.
It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association’s argument that the FTC’s Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers. The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act"). In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly. The Commission has taken the position in publications and on numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered. For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.
On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain. Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment. In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.
On Friday, October 23, 2009, the German railway operator Deutsche Bahn AG announced that it would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority. This fine is the highest ever imposed by a German data protection authority. The imposition of this fine follows a major data protection scandal that reportedly broke out within the company. From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to individual employees. In addition, the regulator considered activities by the company’s security department from 2006 to 2007, which included monitoring the email communications of all employees who used external email accounts at work. The purpose of this monitoring was to identify communication with journalists and employees of members of the federal parliament to detect which employees may have disclosed company information. At the time it broke, the scandal cost the CEO and several top managers their jobs. Thereafter, a major restructuring was undertaken within the company. In addition to the changes in top management, a separate position was created at the CEO level for compliance, data protection and legal affairs. Furthermore, it was agreed with the works council that the company will develop new guidelines for HR data protection by the end of November.
Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data. These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces. The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest. Also, the potential penalties for violation are manageable in most cases. In addition, these provincial regulations could be superseded by national-level data protection legislation, depending on its terms.
The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching. Of late, there has been a flurry of activity aimed at limiting the scope of the rule. The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program. A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.” In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”
The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice. The model notice incorporates financial institutions’ required disclosures pursuant to Section 503 of the GLBA. Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA. Once adopted and published in the Federal Register, the financial services agencies’ final model notice will take effect in 30 days.
The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices. The privacy notice must describe a financial institution’s disclosure of nonpublic personal information to affiliated and nonaffiliated third parties. The notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.
The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.
The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists. The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule. For its role in facilitating fraud perpetrated on American consumers from Canada, MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers. The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions. The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC’s Red Flags Rule, including employee training and ongoing monitoring to detect fraud.
Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser. Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009. He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws. He also served as a member of the European Union’s Article 29 Working Party on Data Protection. In June 2009, Richard was awarded Commander of the British Empire (“CBE”) for public service. Read the announcement.