I was interviewed for this PC World piece on the potential impact of Facebook's recently announced IPO on data privacy. My take: being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies. This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction.
Our colleagues have reminded us that on March 1, 2012, the contract grandfathering provisions of the Massachusetts Data Security Law and Regulations will expire:
by Catherine M. Anderson, Jeffrey D. Collins
As we previously noted in our Foley Adviser dated February 3, 2010, “New Massachusetts Data Security Law and Regulations-Comprehensive Information Security Plan required before March 1, 2010”, under the regulations, an investment adviser must require third-party service providers by contract to implement and maintain appropriate security measures for personal information. There currently is a grandfather provision that deems any contract with a service provider entered into before March 1, 2010 to be in compliance even if it makes no reference to data protection.
The grandfather provision expires on March 1, 2012, so any contract regardless of when signed must be brought into compliance by March 1, 2012. You should take steps to ensure that your third party service provider contracts are now in compliance.
A decision in Tyler v. Michaels Stores earlier this month from the United States District Court for the District of Massachusetts, the use of a consumer's Zip Code to find her address and send her mailings was held to be a statutory violation, but did not give rise to a claim for damages.
Melissa Tyler brought suit against Michaels Stores for violation of Massachusetts General Laws, chapter 93, section 105(a) on behalf of herself and a putative class, claiming that Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation
of the section 105(a). She alleged that the violation of section 105(a) amounted to a per se violation of the Massachusetts Consumer Protection law, chapter 93A, section 9, caused unjust enrichment, and entitled Tyler to declaratory relief pursuant.
Judge Young found that "a ZIP code can indeed be personal identification information under
Section 105(a)" but that no harm resulted (that Ms. Tyler's receipt of advertisements for the store was not sufficient to constitute harm):
In the area of identity fraud, a judge in this district has similarly held that where there were no instances of actual data loss or misappropriation, the failure to comply with minimum
statutory security standards did not cause cognizable injury because the added risk of identity fraud did not actually cause harm to the plaintiff. Katz v. Pershing, LLC, Civil Action No.
10–12227-RGS, 2011 WL 3678720, at *4 (D. Mass. Aug. 23, 2011) (Stearns, J)....[R]eceiving unwanted commercial advertising through the mail is simply not an injury cognizable under chapter 93A, since Section 105(a) was enacted to prevent fraud.
Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime. Sounds a lot like the Advanced Cyber Security Center.
I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:
Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of service on your Websites when an attack occurs. The [SEC staff] wants you to do this risk assessment so you will understand what this is about,” he said.
On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2: Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. It follows Chairman Schapiro's June 2011 letter to Senator Rockefeller on the subject.
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.
Given the large numbers of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted. At present, at least 15 bills contain the phrase "data security" pending in Congress:
Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.
I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy." The program slides can be found at this link.
Interesting article in The Economist, focusing on hackers like Anonymous and Lulz Security.
On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:
The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them. Consumers who want to participate will be able to obtain a single credential--such as a unique piece of software on a smart phone, a smart card, or a token that generates a one-time digital password. Instead of having to remember dozens of passwords, the consumer can use their single credential to log into any website, with more security than passwords alone provide. Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information. Consumers can use their credential to prove their identity when they're carrying out sensitive transactions, like banking, and can stay anonymous when they are not.
The White House document is mostly a vision statement, punctuated by text boxes throughout that urge the reader to “Envision it!” but with no real guidance on how to accomplish it. The document suggests how these frameworks might be built, does not promise to build them. Precisely how this vision statement gets turned into action and results will depend on the reception it receives from the public and private sectors, both within the U.S. and abroad. The NSTIC anticipates that the U.S. will meet its interim benchmarks in 3-5 years, and the long term benchmarks in 10 years. As such, it is unlikely that we will see anything concrete on the front in the near future.
While the effect of the federal legislation modifying the FTC Red Flags Rule has been known for a while, the court proceedings that challenged the rule have now caught up. The American Bar Association's suit has been dismissed, and the American Medical Association announced it is voluntarily dismissing its case: "The lawsuit filed by the Litigation Center of the AMA and the State Medical Societies, the American Osteopathic Association and the Medical Society of the District of Columbia, and joined by 26 national medical specialty societies, will now formally end."
By Brian Bialas
On December 18, 2010, President Obama signed into law the Red Flag Clarification Act of 2010. The Act will change a single definition in prior law and reduce the scope of the FTC Red Flags Rule, ending a two-year long saga over the scope of its enforcement.
As we have noted in past entries about Red Flags Rule compliance, the FTC has extended the deadline for enforcement of the FTC's Red Flags Rule several times, most recently through December 31, 2010. The stated reason for these delays was “to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule.” An unstated reason was the mounting number of lawsuits by physicians, lawyers, accountants, and other service providers seeking to exempt themselves from the Red Flags Rule. The lawsuits should now come to an end.
Here’s how the new law will work. The definition of who is considered to be a “creditor” is a key to the application of the Red Flags Rule. As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C. § 1691a(e); see 15 U.S.C. § 1681a(r)(5). The new Act narrows this definition by excluding anyone who advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Examples of this exclusion would include a doctor who pays upfront for a test that a patient will reimburse him for later, or a lawyer who covers a filing fee for a client until his bill is paid.
With this change, it is likely that the FTC will commence enforcement against the intended targets of the Red Flags Rule – the financial services industry – in 2011.
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
1) This is an area where bipartisan concensus is possible.
2) The industry powers will fight against “Do Not Track” and will win that fight.
3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”
We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.
The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online. We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly.
Mark’s comment:
“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’” There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising. It is not just OK by them; it’s a value add. I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy. There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.
In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics.
Prediction #1: Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress.
Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook. So, whatever happens it won’t be that. However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model.
Prediction #2: The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something. The easy things for them to trade are procedural protections for the consumer.
Prediction #3: The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models.
Why: The big boys can afford the administrative burden implicit in procedural protections. It is just a matter of more money, more people and more oversight. A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection. In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that. I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.
Read it and let me know what you think.
Our colleagues in Foley Hoag's Emerging Enterprise Center have summarized the FTC preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation. During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations. If they cannot find it, one will likely be imposed on them.
* * *
The Federal Trade Commission (FTC) just published its preliminary Staff report setting out its proposed framework for protecting privacy in the digital economy. View the FTC’s press release here. The FTC is seeking comments on its proposed framework by January 31, 2011 and expects to issue a final report in 2011.
Every digital media business that attracts advertising revenue online and/or through mobile devices, as well as the venture capital and private equity funds that invest in them, has a stake in the outcome of this proposed framework. It can affect current business models, future financial performance and potential exit opportunities for current and potential companies that rely on collecting data from consumers.
The final report, and possible new regulations and/or federal legislation to follow, will help shape substantive law, enforcement policies and commercial best practices regarding consumer privacy practices that will need to be followed.
Notably, the FTC staff cites flaws in commercially available, privacy-related plug-ins and browser features, and supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising than currently exists. This is often called “Do Not Track,” in a nod to the currently mandated “Do Not Call” registry that restricts the activities of telemarketers. FTC staff identified and requested comment on a number of issues concerning the formulation and adoption of any such “Do Not Track” mechanism.
Other important components of the proposed framework include:
Before this framework is submitted in final form to the FTC for a vote by its commissioners, which will accelerate the process further, the FTC is requesting comment by interested parties on a variety of key related issues, including:
A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months. This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K. It seems likely that were are due for a long-term presence of privacy and security protection in our business and private lives. While Y2K was a one-time event and and the huge amounts spent (waste?) on it left investors with a New Year's Day hangover, the digitization of commerce grows day by day, resulting in concomitant needs for information privacy and security, which may justify the faith of investors.
Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010. The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule. The FTC announcement states:
Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.
* * *
The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.
In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees. This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices. The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.
This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule. Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services. As a result, the FTC has faced backlash from law firms, accounting firms and medical practices. Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.
While it seems likely that Congress will exclude some business from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities. If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more that 20 individuals) remain subject to the Red Flags Rule.
Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations. The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC).
The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers. On December 1, 2009, the agencies adopted a Model Form (.pdf) based on length quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement. Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements.
The online form builder consists of a linked set of instruction (.pdf) that leads financial institutions to one of four forms that are filled out depending on whether the company is providing customers with a right to opt-out or elects to allow affiliate marketing.
GLBA Privacy Notice Forms:
Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG's Fort Lauderdale office to shred evidence of fraud.
In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers was part of a fraudulent scheme. Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior). In the indictment filed against Raffanello (.pdf), federal prosecutors allege that on the day SFG received the SEC's complaint and court order, Raffanello and another executive corresponded by email and planned to hire a commercial shredding service to pay a visit to SFG 's office so they could unload a 95 gallon container of evidence.
Apparently, during their hurry to destroy the evidence, they did not manage to delete the emails discussing their plan. This reminds me of something a friend once told me: if you are setting out to bury the truth, remember to bury the shovel too.
On July 3, 2009, FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server.
According to the criminal complaint and supporting affidavit (.pdf) filed in the federal court for the Southern District of New York, Aleynikov was part of the team that developed a high-speed, automated trading system for Goldman Sachs. He resigned and left the company on June 5th, but federal prosecutors allege that in his last four days of work, Aleynikov encrypted and transferred 32 megabytes of source code relating to the automated trading system from Goldman's servers in New Jersey to a privately run document server in Germany.
Below we detail some of the evidence behind the arrest - evidence that demonstrates why adequate workplace monitoring and an appropriate response plan is key in protecting proprietary information.
Continue Reading...On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft. The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Some of the highlights from the FAQ are:
While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful. For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions. Moreover, much of the guidance given was extremely vauge. For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft." It would have been helpful for the agencies to provide some examples or other more concrete information. Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.
Links:
On Tuesday, May 5, 2009, in a press release devoted largely to the FTC's congressional testimony on peer-to-peer file sharing, the FTC announced that it had reached a settlement of its claims against James B. Nutter & Company, a mortgage company that did not implement information security measures to meet federal minimums. According to the FTC, the result of this alleged failure was that an intruder in the company's systems sent "millions of outgoing spam emails" and "could have accessed personal information without authorization." In a consent order (.pdf) that parallels settlements in a number of prior FTC enforcement cases, the company has agreed to implement an information security program and subject itself to biennial security audits for 10 years.
In the FTC complaint (.pdf), federal regulators claimed, among other things, that the mortgage company "failed to provide reasonable and appropriate security for personal information," including by failing to implement a "comprehensive written information security program." Such a program is a requirement for financial institutions, including lenders and mortgage companies, under the FTC Safeguard's Rule, a regulation promulated in 2002 to implement Section 501(b) of the Gramm Leach Bliley Act (GLBA). The complaint also alleged that Jame B. Nutter & Company failed to provide customers adequate notice of its security practices, as required by the FTC Privacy Rule. The Privacy Rule was promulgated in 2000 to implement Sections 501 through 509 of the GLBA.
Notably, the complaint makes few allegations of damage to consumers. The only alleged harm consisted of spam email and the possibility of unauthorized access to customer information. No doubt this is the reason why the settlement did not involve a substantial fine, as the FTC sought, at least nominally, in its last enforcement action in this area (see our posting on the FTC's settlement with Rental Research Services). The case thus suggests that the FTC may be willing to undertake enforcement efforts when only consumer privacy interests are affected, even in the absence of concrete financial harm.
* Update: an attorney representing James B. Nutter & Company has contacted us to provide Security, Privacy and the Law with the company's press release on this incident (.pdf) and to clarify that the company is obligated to submit to only 5 biennial security audits over 10 years.
Links:
On Thursday, March 5, 2009, the FTC announced that it had reached a settlement with financial research firm Rental Research Services, Inc. (RRS) and its managing officer, Lee Mikkelson, to resolve the FTC's claims that the firm had failed to provide adequate security for sensitive consumer information provided to identity thieves posing as legitimate users. According to the FTC, the the faults in RSS's security amounted to "unfair acts or practices" in violation of the FTC Act. RRS and Mikkelson were fined $500,000, but the fine was suspended in light of the company's present financial condition. Also, in a move that echos the FTC's past enforcement of information security standards under the FTC Act and foreshadows future enforcement of Red Flags regulations, the terms of the FTC's court order require RRS to develop a "comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers" and submit itself to independent security audits every 2 years until 2029.
Especially in view of the upcoming May 1, 2009 deadline for compliance with federal Red Flags regulations, this case may be a good example of what we can expect to see from federal and state regulators in enforcing existing and future information security standards, especially with respect to consumer data providers. Below I will summarize the case and identify the key elements of the information security program that the FTC required.
Continue Reading...On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:
According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.
ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software, LimeWire, on a computer that contained personal information relating to the company’s clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the data exposed included a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data involving only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn't even know what peer-to-peer was. I do now."
Because accidental exposures are caused by human error, a prime problem with this type of breach is that they generally make the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies who appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog’s candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook).
Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network.
Links:
* By Stacy Anderson and Gabriel M. Helmer.
As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.
Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: 1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information.
In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.
In 2002, the Federal Trade Commission (FTC) issued its “Standards for Safeguarding Customer Information,” commonly referred to as the Safeguards Rule. The rule apples to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution’s board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC’s recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.
Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.
Links:
Enter keywords:
Add this blog to your feeds or put your e-mail in the box below and hit GO to subscribe by e-mail.
The Foley Hoag Security, Privacy and the Law Blog focuses on the security and privacy issues encountered by businesses thatMore...