Security, Privacy and The Law : Security & Privacy Lawyer & Attorney : Foley Hoag Law Firm : Boston, Washington D.C.

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

                                                                 *    *    *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule.  

While it seems likely that Congress will exclude some business from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more that 20 individuals) remain subject to the Red Flags Rule. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf). 

Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information.  The draft bill would also require the FTC to implement new privacy rules and police the new safeguards. 

The bill is also available from Rep. Boucher's website.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Many digital copiers are now able to store the scanned documents on flash memory or hard drives.  This could pose a privacy/security risk, if the drives are improperly accessed, or if they are lost or resold without being scrubbed first.

Even the simple act of making a photocopy now poses privacy risks.  In response to a letter from Massachusetts Congressman Edward Markey, the FTC has responded and agreed to investigate the privacy risks posed by digital copiers that store information on internal hard drives. 

If you have photocopiers, you should investigate what type of storage devices they have.  And if you or your staff use public photocopiers, you should establish policies about what type of information cannot be copied on a public machine.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Department of Health and Human Services announced it will release proposed HIPAA/HITECH Act regulations later this month, according to the HHS's recently-published regulatory agenda, available at 75 Fed. Reg. 217821.  The announcement itself was pretty cryptic:

120. MODIFICATIONS TO THE HIPAA PRIVACY, SECURITY, AND ENFORCEMENT RULES
UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT

Legal Authority: PL 111-5, secs 13400 to 13410

Abstract: The Department of Health and Human Services Office for Civil
Rights will issue rules to modify the HIPAA Privacy, Security, and
Enforcement Rules as necessary to implement the privacy, security, and
certain enforcement provisions of subtitle D of the Health Information
Technology for Economic and Clinical Health Act (Title XIII of the
American Recovery and Reinvestment Act of 2009).

The proposed regulations will apparently cover changes to the HIPAA Privacy Rule, Security Rule, and enforcement, consistent with the mandates of the HITECH Act. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.   The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC). 

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on length quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements. 

The online form builder consists of a linked set of instruction (.pdf) that leads financial institutions to one of four forms that are filled out depending on whether the company is providing customers with a right to opt-out or elects to allow affiliate marketing. 

GLBA Privacy Notice Forms:

• Privacy Notice Form 1 (.pdf): if you provide an opt out and you want to include affiliate marketing
   
• Privacy Notice Form 2 (.pdf): if you provide an opt out and you do not want to include affiliate marketing
   
• Privacy Notice Form 3 (.pdf): if you do not provide an opt out and you want to include affiliate marketing
   
• Privacy Notice Form 4 (.pdf): if you do not provide an opt out and you want to include affiliate marketing
   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a notice apparently posted March 17, 2010, the Office of Civic Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements.  Those regulations are now a month overdue and from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.)  What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are:

• February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say.  Others are waiting until they see the regulations to amend those agreements.
   
• February 22, 2010:  FTC rules regarding health information breaches went into effect.  The FTC has provided a standard reporting form for such breaches.  And the FTC is putting its money where its mouth is:  in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings." 
   
• March 1, 2010:  Last but not least, the Massachusetts Data Security regulations went into effect on March 1, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced.  A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association.  In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers).  I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to except them from the Red Flags Rules.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission  (FTC) to exempt accountants from the FTC's Red Flags Rules.  We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules.  This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the American Bar Association (ABA).  It should be noted that the AICPA's motion will be heard by the same judge that issued the decision in favor of the ABA, Hon. Reggie B. Walton.

Since Judge Walton's preliminary ruling in the ABA case in October, the court published a lengthy opinion (.pdf) explaining his reasoning.  In particular, the decision indicated that lawyers need not comply with the Red Flags rules because the Rules only apply to "financial institutions" and "creditors" and lawyers cannot be classified as such under the Fair and Accurate Credit Transactions Act (the FACT Act or FACTA) or the Equal Credit Opportunity Act (the ECO Act or ECOA).  The FTC has taken the position that lawyers, accountants and anyone else that invoices a customer after services have been provided is extending credit and, which makes them "creditors" under the FACT Act, ECO Act and the Red Flags Rules.  Judge Walton forcefully addressed this position in his opinion in favor of the ABA:

[T]he Commission is essentially taking the position that the period of time between when a service is provided to when a lawyer or law firm invoices a client for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice. . . This is clearly not what was intended by Congress by its use of the term credit in the ECO Act and its subsequent inclusion of the term in the FACT Act.

The Court further noted that noted that he found it persuasive that there is no evidence that identity theft is an actual problem in the legal profession, one that might necessitate the protections of the Red Flags Rules.

From the record before the Court (or more accurately the lack of a record), the best that can be gleaned is that identity theft in the attorney-client context is only a theoretical problem, especially given the role of state professional codes of conduct and other ethical codes to which attorneys must abide, and the Court cannot conclude that it is an actual problem given the absolute lack of any legislative, regulatory or other evidentiary findings that have been brought to the Court's attention.

The FTC will face the same arguments in the accountants' case.  Will Judge Walton side with the AICPA and rule that accountants, like lawyers, are not subject to the Red Flags Rules as "creditors?"  Or will the Court give the FTC more flexibility to extend the Red Flags Rules outside of the legal profession?  Read the AICPA's papers below and let us know your thoughts.

The FTC's opposition papers are expected next week.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo?  That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC's Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times. 

For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?"  Now it appears the FTC is asking the very same question.  According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so they can make effective choices” about the privacy of their online information.  Mr. Vladeck similarly views traditional advise-and-consent privacy notice models as dependent upon “the fiction that people were meaningfully giving consent.  The literature is clear” that few people read privacy policies.

What, if anything, will this new way of thinking mean in terms of future regulation of consumer online privacy by the FTC?  More information may be forthcoming at the FTC's next privacy roundtable, to be held on January 28 (and available to the public via webcast).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

First it was the lawyers.  Now it's the accountants.  Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute for Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants.  According to the AICPA's press release, the suit was filed on November 10.  For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.

The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers.  It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits.  As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear.  Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule require that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill "To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses," directly to the House floor without a markup.  The bill proceeded to the House floor after the Republican side of the Financial Services Committee consented to such a move.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.

Links:

• BNA Privacy & Security Law Report, "GOP Allows Bill Narrowing FTC Red Flags Rule to Move Directly to House Floor for Vote," 8 PVLR 1491.
• Text of H.R. 3763
• ABA's Motion for Partial Summary Judgment in American Bar Association v. Federal Trade Commission (D.D.C.).
• FTC's Opposition to Motion for Partial Summary Judgment in American Bar Association v. Federal Trade Commission (D.D.C.).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This morning, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth's information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton.  The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience.  The highlights of the hearing include:

• Undersecretary Anthony suggested that the OCABR may make additional revisions to the regulations in issuing final rules. 
   
• The Undersecretary admitted that the provision of the regulations governing third party service providers [201 CMR 17.03(2)(f)] "is taken essentially verbatim from the [FTC's] Safeguards Rule" that was promulgated in response to the Gramm Leach Bliley Act in 2001.  The Undersecretary indicated that while OCABR "stole it" from federal regulators at the FTC, she is aware that there may be "confusing language" in the provision and stated that the "final rules will clarify" this aspect of the regulations. 
   
• Confronted with requests for a model information security program, additional training and other outreach efforts, Undersecretary Anthony indicated that "this is something we definitely will do."
   
• There was no mention of any further extensions to the current compliance deadline: March 1, 2010.
   
• The lead enforcement officer of the new regulations and Chief of the Consumer Protection Division, Scott Schafer, began the hearing with a prepared statement crediting the OCABR with successfully addressing an "important issue" and indicating the Attorney General's support for the revised regulations.  In his statement, Mr. Schafer indicated that he believes that the revised regulations provide businesses with "appropriate flexibility" while protecting consumer confidence in the security of personal information involved in commercial transactions.

Over a dozen individuals presented comments to Undersecretary Anthony.  In general, there was a broad call for additional revisions to the requirements with respect to service providers.  There was also repeated request for "practical guidance" from regulators, in the form of revisions to ambiguous elements of the new regulations, as well as model programs, explanatory guides and materials, training and presentations.  After the jump, you will find more detail from my notes on the public comments. 

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned "Should you receive this package or a similar package DO NOT run the CDs."  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union. 

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009.  For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Amidst calls from the legal community, the Federal Trade Commission's (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flag Rules until November 1, 2009.  The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."  The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations."  This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rules and threatened to sue the FTC to stop any enforcement action against the legal industry.  

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule.  The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act).  More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit during the this week to block enforcement of the Red Flags Rule, if "we don’t get some kind of sign."  And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again.  Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC and then today, the FTC announced that  delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rules to lawyers and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers.  State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A federal suit has been filed that challenges the legality of the federal HITECH Act.  In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both.  This complaint appears to be the work of a gadfly or two.  The plaintiff's lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney."  And this same attorney has been disbarred in Connecticut. 

Even if there are questions about the specific allegations in this complaint and questions about the credentials of the counsel who filed it, the complaint points to some legitimate concerns about the move to electronic medical records and health information exchange.  However, it will probably be a different case that brings real scrutiny to these questions.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:

The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent.  However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law.  Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.

In support of this position, the ABA President references federal caselaw suggesting that lawyers are not "creditors" under federal law and suggests that forcing lawyers to comply would be costly and pointless.  "Compliance with the Act would complicate client arrangements and require a major commitment of lawyers’ time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible."

As we reported in our earlier post on this topic, the ABA has been considering what action to take since it asked the FTC to delay enforcement of the Red Flags Rules in April and the FTC complied, postponing broad enforcement until August 1, 2009.  The ABA statement further suggests that the ABA may already be lobbying Congress behind the scenes to relieve the legal industry from the burden of compliance.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that woud require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications.  Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:

1. The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access, email and Internet telephony services;
2. The date and time of the start and end of communications;
3. The telephone numbers involved during a telephone call and the registered owners' names and addresses;
4. Information allowing the identification of mobile phones used to make telephone calls and their geographic location when used to make calls.

The Directive expressly states that "[n]o data revealing the content of the communication may be retained pursuant to this Directive."  Under the Directive, service providers will be required to retain these records "not less than six months and not more than two years" and ensure that the retained records can be communicated to government authorities "without undue delay." 

Implementation of Directive 2006/24/EC to Internet communications has been delayed (if, for no other reason to figure out how to store the terrabytes of information as required under the new Directive).  During the interim, Ireland challenged the Directive in the European Court of Justice.  Examining the Directive, the ECJ held that it essentially pertained to commercial activities of service providers, rather than police and security matter, and dismissed the case. 

Member states recently have begun implementing the Directive. In the United Kingdom, the Home Office has prepared draft regulations transposing Directive 2006/24/EC into law (.pdf) that requires the retention of communications data for 12 months. This has led to significant criticism of the retention rules (see news coverage at the BBC and the Telegraph). Sweden has stated that it intends to postpone implementation of the Directive to Internet activity. 

Between the implementation of Directive 2006/24/EC and other invasive surveillance law being considered in Europe (France appears to be on the verge of legalizing government spyware), the landscape of Internet communications is evolving rapidly.  Anyone transacting business in Europe or who may transfer data through member states may need to consider the privacy implications of and retention obligations imposed by the new rules.

Links:

• Directive 2006/24/EC (.pdf)
• The Home Office site on the transposition of Directive 2006/24/EC
• UK draft regulations transposing Directive 2006/24/EC into law (.pdf)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

With the deadline for complying with the Massachusetts identity theft law just six months away, at least one state senator is still seeking changes to that law.  In Senate Bill S173, which until now  has received little public notice, State Senator Michael Morrissey proposes to make it easier for small businesses to comply, by requiring the state's regulations to take account of a business's resources as it requires compliance:  "[S]aid department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources."  This type of language is reminiscent of the HIPAA security rules and their scalability for businesses of different sizes. 

S173 also addresses the issue of what businesses can do with employees who violate the law, by making it easier to fire them:  "A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state."

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On May 27, 2009, Information Security and Privacy Advisory Board (ISPAB) issued a report entitled "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf) that calls on Congress to amend the Privacy Act of 1974, establish the position of Chief Privacy Officer in numerous executive agencies and develop a Chief Privacy Officers’ Council. ISPAB is a group that advises the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Commerce Department.

In its report, ISPAB indicates that rising threats to privacy and advancements in computer technology and usage are unaddressed by outdated provisions in the Privacy Act. It also suggests that inattention by policymakers and the absence of guidance from the White House has led to a patchwork of inconsistent approaches by federal agencies. The report concludes that these factorhave contributed to the difficulty agencies have experienced in adapting to technological change. ISPAB urges the creating of a “new framework to protect privacy” by making the following recommendations:

• Amend the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 to improve Government privacy notices and re-define “System of Records” based on function and use of data and not merely possession;
   
• Institute Chief Privacy Officers at all “CFO agencies;”
   
• Institute a Chief Privacy Officers’ Council; and
   
• Develop uniform privacy policies emanating from the OMB.

The Senate Homeland Security and Governmental Affairs Committee report that they intend to modernize the law in this area.

Links:

• The ISPAB Report  "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf), also available from the NIST website here (.pdf)
• The Computer Security Resource Center website developed by the Computer Security Division of NIST
• News report regarding possible Senate action.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three to six months delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009 . 

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]

Links:

• The April 24, 2009 ABA letter to the FTC (.pdf), also available from the ABA website (.pdf).
• Public statement on Red Flags Rules by the ABA (.pdf)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of  “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups.  Consumers' concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today's Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years.  Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address." According to a recent announcement from Senator Cornyn, the new retention provision is needed to enable law enforcement officers to identify individuals involved with online child pornography. Several privacy advocates have taken issue with the bill’s data retention requirements.  According to senior attorney with the Electronic Frontier Foundation, Kevin Bankston, those requirements “unnecessarily threaten the privacy and anonymous speech rights of every law-abiding internet user” and would “create vast new troves of data vulnerable not only to government overreaching but also to any civil litigant wielding a subpoena.”

The legislation has been referred to committee in the House and Senate. 

Links:

• The Internet SAFETY Act of 2009
• The annoucement from Senator Cornyn's office
• A National Journal article on the bill 
• The EFF comment

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals' privacy and security: potentially limitless filings that inadvertently contain individuals' sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 cents per page.

• Email This
• Print
• Comments (3)
• Trackbacks
• Share Link

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network.  The other provisions of the legislation are summarized in my previous post.

Whether the legislation has any chance of passing remains to be seen.  However, some groups are already criticizing aspects of the legislation.  The President of the Center for Democracy and Technology, for example, has stated "[t]he cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."  The bills have been referred to the Committee on Homeland Security and Government Affairs.

Links:

• A draft of S.778 (.pdf)
• A draft of S.773 (.pdf) 
• The CDT's post on the legislation can be found here.
• April 6, 2009 Computerworld Article: "Yet Another Government Attempt At Cybersecurity"

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On March 5, 2005, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted Opinion 3/2009  (.pdf).  The opinion comments on European Commission proposals designed to ensure that all data processors, including contractors hired by other data processors, are contractually required to protect sensitive data.  Those proposals, contained in a Draft Commision decision which has not yet been made public, would update the standard contract clauses for the transfer of personal data to processors outside the European Union. As the Working Party explains, the Draft Commission decision proposes to update the standard contract clauses to reflect increasingly common “global outsourcing,” in which data is transferred from controller to processor to sub-processor, and often to subsequent “sub-sub processors.” In their current form, “the standard contractual clauses of 2002/16/EC do not provide a means to deal with these complex onward transfers.”  Thus, the Draft Commission decision includes additional contract clauses to address these multi-layered transfers, and the Working Party Opinion comments on the proposed clauses.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC's staff has mentioned informally that helpful guidance would be forthcoming.   As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule "How-To" guide (.pdf). 

The website is a good collection of the FTC's materials on this issue and it includes official press releases and statements directed to various industries (including the FTC's letter to the healthcare industry (.pdf), the FTC's guide for telecom companies (.pdf) and the FTC's guide for utility companies (.pdf)). 

The FTC's advice in the How-To Guide may be somewhat general (e.g., "Just getting something down on paper won't reduce the risk of identity theft."), but it does simplify compliance into four steps:

1. Identify Red Flags.
2. Develop procedures for detecting Red Flags.
3. Develop responses for Red Flags once you have detected them.
4. Re-evaluate your Identity Theft Prevention Program as circumstances change.

For more specific information on threats and security measures, the FTC's webpage on information security is a useful resource drawn from the FTC's experience with companies that have had lapses in information security.  In particular, the FTC's Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:

1. Take Stock. Know what personal information you have in your records.
2. Scale Down. Keep only what you need for your business.
3. Lock It.  Protect the information that you keep.
4. Pitch it.  Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Liebowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and
    
2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

• require intelligence and Homeland Security officials to perform vulnerability assessments;
• create a clearinghouse for information sharing between the government and private sector; and
• fund scholarships for those interested in cybersecurity.

The proposed legislation follows on the heels of three incidents where computers in Senator Nelson's office were hacked .  The current draft legislation contains provisions similar to those recommended by the Commission on Cybersecurity for the 44th Presidency, which released a report in December 2008.

Links:

• The post on Senator Nelson's website can be found here.
• The March 23, 2009 CNET News article, "A bill to shift cybersecurity to the White House" can be found here.
• The December 2008 report from the Commission on Cybersecurity for the 44th Presidency is available here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

On Wednesday, February 11, 2009, the Data Protection Working Party, an independent European advisory body on data protection and privacy, released its Working Document 1-2009 (.pdf) on pre-trial discovery for cross border civil litigation.  The Working Document attempts to reconcile the tension between U.S. discovery rules and the European Union’s Directive 95/46/EC (.pdf), which outlines the EU’s privacy requirements.  What follows is a summary of the Working Document and an analysis of how it begins to bridge the gap between U.S. discovery rules and the European privacy framework.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Thursday, March 5, 2009, Congresswoman Mary Bono Mack (R-CA), Congressman John Barrow (D-GA) and Congressman Joe Barton (R-TX) introduced the Informed P2P User Act (H.R. 1319) which requires peer-to-peer ("P2P") software makers to make certain changes to their software to prevent users from inadvertently sharing files from their computers.  The proposed law would require both "clear and conspicuous notice" of what files the P2P software would being sharing and "informed consent" from the user, both before installation of the software and initial activation of file sharing functions.  The Federal Trade Commission (FTC) would be empowered under the new law to enforce violations as unfair or deceptive trade practices.

Links:

• H.R. 1319, the Informed P2P User Act is available here (.pdf) or from Rep. Mack's website here (.pdf)
• Rep. Mack's press release

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve out for domestic military operations. The DOJ opinion, written by Deputy Assistant Attorney General John C. Yoo and Special Counsel Robert J. Delahunty, also concluded that these constitutionally exempt counter-terrorism operations would include “making arrests, seizing documents or other property, searching persons or places or keeping them under surveillance, intercepting electronic or wireless communications, setting up roadblocks, interviewing witnesses, and searching for suspects.” The evidence recovered from these operations could then be used “for criminal investigations or prosecutions.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time with a broad range of organizations.” The group has also changed its name to the Business Forum for Consumer Privacy, although it “is still working out legal issues involved with officially becoming a new organization.”

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

On Tuesday, February 24, 2009, the Federal Communications Commission (FCC) issued an Omnibus Notice of Apparent Liability alleging that more than 600 telecommunications carriers have violated Section 222 of the Communications Act which "imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers' proprietary information" and the EPIC Customer Proprietary Network Information (CPNI) Order (22 FCC Rcd 6927), which requires each carrier to certify compliance with the regulations governing customer information.  FCC Chairman Michael J. Copps issued a public statement addressing the enforcement action and highlighting that the FCC "continued to mconsumer privacy protection a top priority.  The FCC seeks a $20,000 fine from each of the carriers (around $13 million in total) and has stated that it moderated the amount of the fines because the carriers were small companies and because this was the first year of the certification requirement (certifications were due March 1, 2008).  As the FCC warns in its official Notice, "[t]o the extent that we determine that the proposed forfeiture adpoted herein does not have the intended deterrent effect, future noncompliance will face more severe penalties." 

If you've been looking for signs of how the Obama administration intends to enforce privacy and information security regulations, here is one of a few early signs that federal regulators are under orders to step up enforcement efforts and are begining with the backlog of violations from 2008. 

Links:

• The FCC wesbite and a link to the Enforcement Bureau's page
• The FCC's Omnibus Notice of Apparent Liability is availabe here (.pdf) or from the FCC's website here (.pdf)
• The FCC's press release is available here (.pdf) or from the FCC's website here (.pdf)
• The Electronic Privacy Information Center (EPIC) website and a link to its CPNI page

• Email This
• Print
• Comments
• Trackbacks
• Share Link

For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009.  The health security and privacy provisions start at Section 13000, around page 112.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.

If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.

The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.

What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients' health information.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)

For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Pars 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a “creditor” under the general purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transaction Act of 2003 (FACT Act or FACTA). 

The FTC claims that the term “creditor” applies to any business or entity that allows customers to pay for goods or services after they have been delivered and is has made clear that it intends to enforce the regulations broadly. For example, see the FTC’s October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a “creditor” subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but also consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC’s construction is so broad, it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered.  I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.

The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny.  If everyone is a "creditor", then everyone is subject a host of legal requirements that are primarily enforced against traditional lending institutions. Because of this FTC's broad interpretation of “creditor” would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC’s underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders. 

Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable enforce the new regulations as broadly as it has announced.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

* By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact a legislation to create a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: 1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information. 

In 2001, the Department of Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution’s Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible – they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. In addition, they must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its “Standards for Safeguarding Customer Information,” commonly referred to as the Safeguards Rule. The rule apples to financial institutions over whom the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution’s board, and does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC’s recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.

Links:

• The FTC's webpage In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
• The FTC publication How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (.pdf)

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes. 

The bill requires that the notice include (1) a description of the categories of information that was acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement of the notification’s content is particularly interesting, as several states (including Massachusetts) currently forbid the notification to include the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its  provisions “shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency.”

Senator Feinstein introduced a similar bill in 2007 which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee. 

Bill S. 141, entitled the “Protecting the Privacy of Social Security Numbers Act,” is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC as we Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to Social Security numbers of other individuals. Finally, the bill would provide limits on when businesses may ask customers for their Social Security numbers. 

Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.

Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein’s bills will face resistance. However, all signs point to a recession driven boom of cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008.  Given this environment, Congress will probably enact some version of these proposals sooner rather than later.

Links:

• Senate Bill 139
• Massachusetts General Law c. 93H, s. 3
• Senate Bill 141
• Washington Post Article: Data Breaches Up Almost 50 Percent

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A number of high-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs. This comes as a prelude to the public hearing scheduled today before the Massachusetts Office of Consumer Affairs and Business (OCABR) regarding the upcoming May 1, 2009 deadline for businesses to comply with recent Massachusetts identity theft regulations (201 C.M.R. 17.00 et seq.).  The companies and organizations signing the letter included the Massachusetts Business Roundtable, the Massachusetts Package Store Association, the Massachusetts Hospital Associations, Google, Comcast, CitiGroup, AOL, Microsoft, The Gap, Verizon and Wal-Mart.

Mass High Tech's story on this event can be found here. 

Testimony of the Greater Boston Chamber of Commerce at the January 16, 2009 hearing can be found here.

The Privacy & Security Law Report reports that, at the hearing, representatives of employers, small businesses, financial institutions and universities asked the OCABR to extend the deadline for compliance beyond May 1st. According to these representatives, it will be “virtually impossible” for most of the covered entities to reach compliance by May 1, 2009. In addition, they urged the OCABR to review the new regulations again and make changes.   Whether the OCABR will be swayed by the views of those attending the hearing remains to be seen. Given the economic climate the costs associated with upgrading systems to meet the new regulations, it is a safe bet that most covered entities would breathe a sigh of relief if the OCABR decides to extend the compliance deadline.

2.13.2009 UPDATE: As we report in our alert, OCABR has responded to this request by filing amended regulations that postpone the compliance deadline by eight months, to January 1, 2010. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:

•  Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline.
  
•  To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats and take reasonable and appropriate steps to mitigate them. Every business needs to adopt a written plan, but the FTC will not be talking to us “about particular technology” because there is a consensus that technology moves too quickly for regulators to approve or disapprove of any particular technology or counter-measures. 
  
• The FTC has brought 23 cases relating to information security issues. If you need guidance on what security measures the FTC believes must be implemented to meet federal regulations in specific circumstance, Mr. Groman suggested that we review the decisions in those cases. In particular, Mr. Groman specifically suggested that everyone should be taking what he views as simple and inexpensive measures to protect against the SQL injection exploit, in which an individual attempts to insert computer code into a company’s database using the company’s website. (The FTC website refers to this exploit as one of many “commonly known and reasonably foreseeable attacks” that can be protected against by implementing “simple, free or low-cost, and readily available security defenses.”)
  
• The primary questions businesses should to be asking themselves when they are drafting an identity theft prevention program are: (1) what have you done to date to protect against existing threats?; (2) what is “the technology of the day” used to address those threats?; and (3) “how much does it cost?”
  
• Mr. Groman confirmed that there is no one-size-fits-all solution to adopting an identity theft prevention program, and the FTC does not have a model plan to provide affected companies. “Privacy plans are like pants; they have to be tailored.” 
• The fact that there has been a data breach incident does not mean that a company’s information security program is necessarily at fault. The FTC has investigated “plenty of breaches where the [company’s] security was reasonable” and has also investigated companies that have not had any incidents where the security was insufficient. 
  
• The FTC recognizes that businesses, lawyers and whole industries are confused by what the new Red Flags regulations require. The FTC is likely to issue additional guidance on this topic soon.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

 The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention programs:

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

• Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.

• “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.

• Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that would identifying and mitigate the risks of potential identity theft.

• Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.

• The regulations also specifically require that computer systems containing personal information are protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software. 

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.  This delay does not apply to users of consumer reports handling notices of address discrepancies, which still has a November 1, 2008, deadline. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC’s action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participates in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether they are subject to the new “Red Flags” regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

1. Identify any indicators of a possible risk or existence of identity theft in their business — what federal regulators are calling “Red Flags” — such as discrepancies in customer information and suspicious account activity.
2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.

• Email This
• Print
• Comments
• Trackbacks
• Share Link