ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

*    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent it from applying the Red Flags Rule to their members.

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule.

REMINDER: Red Flags Rule Enforcement Deadline Falls Next Week

This Tuesday, June 1, 2010, marks the official deadline for compliance with the Federal Trade Commission's Red Flags Rule.  The deadline for enforcement of the Red Flags Rule has been delayed repeatedly since its original deadline in November 2008, but the FTC has remained silent on further delays since it announced the current deadline in October of last year.

The FTC's Red Flags Rule is a set of regulations that require financial institutions and creditors to adopt written identity theft prevention programs.  The FTC sparked considerable controversy when it announced that the Rule applies broadly to a range of businesses unused to being subjected to financial industry regulation (i.e., any individual or company that bills its customers after it provides goods or services).  As a result, a number of industry groups have filed lawsuits to challenge the FTC's application of the Red Flags Rule to lawyers, accountants and, most recently, medical professionals.

As Tuesday approaches, we look to the FTC to announce whether the agency is ready to begin enforcement of the Red Flags Rule.

Rep. Boucher and Stearns Release Discussion Draft of Comprehensive Federal Privacy Legislation

Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).

Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information.  The draft bill would also require the FTC to implement new privacy rules and police the new safeguards.

The bill is also available from Rep. Boucher's website.

Medical Groups Challenge June 1 Application of FTC Red Flags Rule

Earlier today, the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed a complaint that seeks to block the application of the Federal Trade Commission's Red Flags Rule to their members.

According to its press release, the AMA filed the suit because the Rule unfairly treats physician practices like "banks, credit card companies and mortgage lenders," in the words of AMA President-elect Cecil B. Wilson, M.D.  He added, "The extensive bureaucratic burden of complying with the red flags rule outweighs any benefit to the public."

Given the impending June 1 deadline, it is somewhat curious that these groups have not sought an injunction to stop the FTC from applying the rule to their members (as it is unlikely their complaint will be resolved by June 1).  It would appear that these groups are going to let the American Bar Association and its earlier challenge do the heavy lifting here.

One More Thing to Worry About -- Hard Drives on Digital Copiers

Many digital copiers are now able to store scanned documents on flash memory or hard drives.  This poses a privacy and security risk if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.

Even the simple act of making a photocopy now poses privacy risks.  In response to a letter from Massachusetts Congressman Edward Markey, the FTC has agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives.

If you have photocopiers, you should investigate what type of storage devices they have.  And if you or your staff use public photocopiers, you should establish policies about what type of information cannot be copied on a public machine.


Incident of the Week: Blogger Shows Us How to Listen In On Private Facebook Chat

Yesterday, Facebook took down their Chat services to patch a flaw in Facebook's new privacy settings that allowed users to listen in on private chat conversations.  This apparently came hours after TechCrunch EU blogger Steve O'Hear taught the world how to exploit the flaw in his TechCrunch post and video.  O'Hear was "tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their 'friends'."

Facebook rolled out its Facebook Chat feature in February of this year.  The service allowed users to send live text messages to other Facebook users on their "Friends" list.  The flaw apparently allowed users to listen in on these conversations, as well as see other private information about friends' Facebook accounts.

Once Facebook was informed of the exploit, Chat services quickly became unavailable.  A few hours later, Facebook provided the following statement:

For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.

This is an ironic twist in Facebook's recent efforts to combat criticism of the service by adding more advanced privacy features; however, the problem appears to have been resolved.

Ponemon Study Finds Average Cost of Data Breach Was $3.4 million in 2009

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports].  The highlights of the survey were announced in PGP's press release.  Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million.  That is $142 per customer affected by the breach.

Unfortunately for U.S. businesses, the survey found that data security breaches in the U.S. were more expensive than in other countries, $204 per customer on average.  The survey found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., corresponds to substantially increased costs of data breaches.

The survey's other findings include:

  • The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
  • 35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
  • Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.


Coming This Month -- Proposed HIPAA Regs!

The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to HHS's recently published regulatory agenda, available at 75 Fed. Reg. 217821.  The announcement itself was pretty cryptic:

120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT

Legal Authority: PL 111-5, secs 13400 to 13410

Abstract: The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).

The proposed regulations will apparently cover changes to the HIPAA Privacy Rule, Security Rule, and enforcement, consistent with the mandates of the HITECH Act.