ALERT: FTC Delays Enforcement of Red Flags Rule Through December 31, 2010

Today, the Federal Trade Commission issued a press release and an Enforcement Policy (.pdf) extending the deadline for enforcement of the FTC's Red Flags Rule through December 31, 2010.  The agency cited requests from members of Congress for a postponement of the deadline while legislators tinker with federal law to exclude certain businesses from application of the Rule.  The FTC announcement states:

Several members of Congress have once again asked the Commission to delay the Rule’s enforcement, through the end of the year, to give Congress time to reach a consensus on the types of businesses that should be covered under the Rule. The Commission believes that a limited further postponement is warranted so that it does not begin to enforce a regulation that Congress plans to supersede.

* * *

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.

In October 2009, the House of Representatives unanimously passed HR 3763 (.pdf), a bill that would exempt from application of the Rule law firms, accounting firms and medical practices with 20 or fewer employees.  This week, on Tuesday, May 25, 2010, Senators John Thune and Mark Begich introduced S.3416 (.pdf), a parallel bill that amends the law to exclude the same small firms and practices.  The bill is currently before the Senate Committee on Banking, Housing, and Urban Affairs.

This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule.  Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services.  As a result, the FTC has faced backlash from law firms, accounting firms and medical practices.  Groups representing these industries have filed lawsuits against the FTC to prevent the agency from applying the Red Flags Rule to their members.

While it seems likely that Congress will exclude some businesses from the application of the Red Flags Rule, the current efforts may not represent cause for widespread celebration in the legal, accounting and medical communities.  If the new bill expressly excludes only small practices, one effect of the new law may be to confirm a legislative intent that larger law firms, accounting firms and medical practices (i.e., those that employ more than 20 individuals) remain subject to the Red Flags Rule.

Massachusetts Regulators Finalizing Information Security Regulations, Keep March 1, 2010 Deadline

According to BNA reporter Martha Kessler, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week.  BNA has released what they claim to be the final regulations (.pdf) [also available from BNA here (html)].  The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.  In a redline comparison (.pdf) against the last draft, two primary revisions emerge:

  1. Entities affected by the regulations have been expanded to include businesses and individuals that merely store personal information; and
     
  2. A clarification was made to the provision requiring affected businesses to negotiate written contracts with service providers that handle personal information.  The tweaks make clear that the grandfather provision that permits companies to rely on service provider contracts already in place will expire on March 1, 2012.

The March 1, 2010 deadline remains unchanged. 

While the final regulations have not yet been posted to the OCABR website, many are eager to see whether the OCABR also provides additional guidance on how to comply, as Undersecretary Anthony promised at the public hearing on these regulations in September.

UPDATE: On Wednesday, November 4th, the OCABR released the final Massachusetts information security regulations (.pdf) to the public, as predicted.  In the same release, the OCABR also announced the publication of its report on consumer data breaches between 2007 and 2009 (.pdf).  The report indicates that since the Massachusetts data breach notification law (M.G.L. ch. 93H) went into effect in 2007, over 1 million Massachusetts residents have been affected by a noticed breach.  Among the many practices mentioned in the report, the OCABR has warned against: (1) "poor employee handling;" (2) documents sent to the wrong recipient; and (3) not taking steps to prevent access by terminated employees.

Federal Judge Rules That Lawyers Need Not Comply With Red Flags Rules

After hearing argument yesterday, Federal District Judge Reggie B. Walton entered an order (.pdf) this morning granting the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC's) controversial Red Flags Rules.  This comes as the legal community steeled itself for the FTC's imminent November 1st enforcement deadline.  The order does not go into detail to explain the Court's decision, but promises a written legal opinion within the next month.

The ABA sued the FTC in August to obtain this relief after lobbying both the FTC and Congress to exempt lawyers from the Red Flags Rules.  News of the judge's ruling spread after the hearing yesterday.  ABA President Carolyn B. Lamm stated "By voiding the FTC’s interpretation of a statute that was clearly not intended to apply to the legal profession, the court has ensured that lawyers stay focused on the mission of their work: providing aid and counsel to the individuals and organizations that need us."  No public comment has been posted by the FTC.

Caution may be warranted here, however.  Lawyers, like many other consultants that handle clients' documents and data, will likely be required to take many, if not all, of the same security measures demanded of their clients.  The Red Flags Rules require, among many things, that companies oversee how their service providers manage customer information and accounts (16 CFR Part 681.1(e)(4)).  As a result, lawyers may find themselves complying with the Red Flags Rules because they represent companies that must comply with the Rules, which currently include financial institutions and a range of other businesses.

It should be noted that a range of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records. Many state identity theft regulations, such as the strict Massachusetts regulations promulgated as 201 CMR 17.00, require that companies obtain written certifications that service providers are taking the same security measures as their clients.  Moreover, financial institutions governed by the Gramm-Leach-Bliley Act and health care providers covered by HIPAA have similar requirements.  Under these overlapping obligations, lawyers and law firms that represent regulated businesses may have little to celebrate as a result of the ruling in favor of the ABA.

ALERT: Massachusetts Proposes Revised Information Security Regulations, Delays Enforcement Until March 1, 2010

Today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following:

  • Enforcement of the regulations is postponed until March 1, 2010. 
     
  • Businesses affected by the regulations include anyone that "receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."
     
  • The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.
     
  • The revised regulations require that businesses enter into written contracts with service providers that require the service providers to adopt appropriate security measures.  There is a grandfather provision that deems any contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations.
     
  • All technical (i.e., computer, network and electronic) security measures are only required "to the extent technically feasible."  The FAQ accompanying the revised regulations has this to say about what is technically feasible: "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

OCABR also issued a useful FAQ on the proposed amendments (.doc) that takes on questions such as "Do all portable devices have to be encrypted?" (Answer: no, only the ones that contain personal information) and "Must I encrypt my backup tapes?" (Answer: yes, on a going forward basis). In OCABR's press release (.doc), Undersecretary Barbara Anthony states that the amended regulations reinforce that "technical feasibility plays a role in what many businesses, especially small businesses can do to protect data."  OCABR will hold a public hearing on the proposed rules at 10:00 a.m. on September 22, 2009 (see OCABR's notice of public hearing (.pdf)).

These regulations ignited a storm of controversy beginning in late 2008, and the deadline has been progressively postponed from January 1, 2009, to May 1, 2009, then to January 1, 2010, and finally to March 1, 2010.  In May, Massachusetts State Senate Chairman Michael Morrissey criticized the regulations as "beyond [the law's] intent" at a public hearing on proposed Senate Bill 173 (.pdf), a bill to substantially revise the Massachusetts law and scale back OCABR's onerous information security regulations.  Progress on the bill stalled when newly-appointed OCABR Undersecretary Anthony agreed to issue amended regulations to bring the regulations closer to the legislative intent and respond to the concerns voiced by the small business community.

FTC Releases "Template" Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).

The FTC template is divided into two parts.  The first section outlines how businesses should evaluate whether they are at low risk for identity theft.  Under the FTC's guidance, low risk businesses include:

  • Businesses, such as doctor or lawyer practices, that are personally familiar with their customers and therefore are unlikely to be fooled by impostors.
  • Businesses that provide services at customers' homes.
  • Businesses that have never received a complaint or discovered an incident of identity theft.
  • Industries in which identity theft is uncommon.

While the template does not discuss this point, those businesses that do not fall into the category of "low risk" presumably are required to undertake a more in depth review of the risks and implement a substantially more detailed identity theft prevention program. 

The second section of the template is essentially an identity theft prevention program checklist that requires the business to fill in the procedural and administrative blanks.  Anyone using the FTC template should recognize that the template is a guide for performing the assessments required by the federal regulations; it does not excuse low risk businesses from compliance.  For instance, the template requires that a business identify any red flags it is aware of in addition to one mandatory red flag: receiving a notice of possible identity theft from a customer or law enforcement.  While the template provides helpful structure to the process of compliance, low risk businesses appear to be subject to the same requirements as everyone else.  In particular, the template program requires a business to identify applicable red flags, identify the procedures it will use to detect these warning signs, designate a program coordinator, develop a training program, identify key service providers who will need to be appropriately vetted, and keep the program up to date.  The template does help us understand what level of compliance the FTC will be looking for at many smaller businesses.


Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before the federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, with a "template" identity theft prevention program.  "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through its website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically states that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice concedes that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.


Class Action Lawsuit Continues Against Blockbuster For Making Video Rental Information Available to Facebook Users

On April 15, 2009, a federal district court issued a decision that keeps alive a woman's suit "against Blockbuster and the way it offers information to the social networking site Facebook."  This was reported in the Dallas Business Journal.  In the ruling (.pdf), the court denied Blockbuster's motion to compel arbitration by holding that an arbitration clause in the "Terms and Conditions" of Blockbuster Online was unenforceable. 

The case is being brought as a class action under the Video Privacy Protection Act, 18 U.S.C. § 2710, which was enacted after a newspaper published a list of 146 video tapes rented by the family of Supreme Court nominee Robert Bork.  According to the court's opinion, Blockbuster entered into an agreement with Facebook which caused the movie rental choices of Blockbuster Online's customers to be sent to Facebook, which would then broadcast those choices to the customer's Facebook friends.  Plaintiffs claimed this violates the Video Privacy Protection Act, which prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any customer of the provider unless the customer gives informed, written consent at the time the disclosure is sought (the Act provides for certain other exceptions not applicable to the case).  The Act provides for liquidated damages of $2,500.00 for each violation.

According to the Plaintiffs' complaint, when a Blockbuster Online customer rented a movie or placed a movie into their queue, a notification would pop up in the bottom right hand corner of the screen informing the customer that the information would be sent to the user's Facebook friends.  The customers were allegedly given an opportunity to prevent friends from seeing the information by marking an "x no thanks" box, but if they did not respond quickly enough, the pop up went away and a "yes" was sent to Facebook.  The customer's selection was then placed in the customer's news feed on their Facebook profile and in their friends' news feeds, along with a picture of the individual and a Blockbuster ad.  The complaint also alleges that the summary is sent to a user's Facebook profile even before the user has a chance to decline the distribution of his/her personal information (unless the user has set a privacy feature telling Blockbuster never to send summaries).

Blockbuster has appealed the court's decision to the U.S. Court of Appeals for the Fifth Circuit.  The issue of whether the case is subject to arbitration is a narrow one that has little, if anything, to do with the actual merits.  What will be more interesting is to see how the case plays out if the Fifth Circuit affirms and the case moves forward in the district court.


Swine flu and privacy in the workplace

With swine flu on everybody's mind right now (even leading President Obama's news conference this evening), employers and employees should understand what questions can be asked and what information can be obtained from employees in the midst of an apparent pandemic.  At the federal government's pandemic flu website, the basic rules are set out.  In general, during a pandemic, employers may require employees to disclose whether they have been exposed to pandemic influenza.  Employers also may ask about exposures of the employee's family members and associates.  However, once this information is gathered, it has to be used appropriately and maintained securely.

Limits of Privacy in Schools: Supreme Court Hears Arguments on School Strip Search Case

Today, the Supreme Court heard oral arguments in Safford Unified School District v. Redding, a dispute concerning the propriety of a school-ordered strip-search of a 13-year-old student who was believed to be in possession of prescription strength ibuprofen in violation of the school's zero-tolerance drug policy.  The case has received a good deal of media coverage (see the New York Times article for an example) because the facts are attention grabbing.  But, attention-grabbing facts aside, the case has the potential to clarify the Fourth Amendment rights of students and, in particular, whether suspicion of violating school policy may justify strip searches in schools.

The Supreme Court granted certiorari, in part, to address the question (.pdf): “Whether the Fourth Amendment prohibits public school officials from conducting a search of a student suspected of possessing and distributing a prescription drug on campus in violation of school policy.”  Early reporting from today’s oral arguments suggests that the Court is likely to reach that question.  


ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before January 1, 2010. 

In the OCABR press release, Daniel C. Crane, undersecretary of the OCABR, indicated that the new deadline acknowledges that many businesses are having trouble complying with the new regulations in the wake of recent economic pressures. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.” 

The new deadline makes clear that the OCABR is willing to give businesses additional time to improve information security measures, but also that regulators want all affected businesses to meet the new security standards by 2010. For most affected businesses, the new deadline does not mean they should delay their compliance efforts. Many businesses will need the additional time to analyze existing security threats and implement the necessary administrative, physical and electronic security measures. 

Links:

  • The OCABR homepage
  • The OCABR's February 12, 2009 announcement
  • The amended Massachusetts Identity Theft Regulations (201 CMR 17.00-17.05) are available here (.pdf) or from the OCABR's website here (.pdf)

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

In September, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued broad identity theft regulations that require virtually every business that retains information on Massachusetts residents to develop comprehensive policies and procedures to address the risk of identity theft by January 1, 2009. 

On Friday, November 14, 2008, OCABR announced that it will give businesses until May 1, 2009 to comply with the new regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same date, May 1, 2009. 

In conjunction with the recently enacted Massachusetts identity theft statute, Mass. Gen. Laws ch. 93H, the Massachusetts identity theft regulations published as 201 CMR 17.00 set specific standards for businesses that own, license, store or maintain personal information about any Massachusetts residents. There are several key provisions in the new regulations:

  • Businesses subject to the regulations include any company, whether or not based in Massachusetts, that owns, licenses, stores or maintains “personal information” about Massachusetts residents.
  • “Personal information” is defined to include a resident’s name in combination with a Social Security number, driver’s license number, credit card or bank account information.
  • Affected businesses are required to develop, implement, maintain and monitor a comprehensive information security program that identifies and mitigates the risks of potential identity theft.
  • Businesses are required to set limits on when employees may access, keep and transport records containing personal information outside of company offices and impose disciplinary measures on employees that violate the information security policies.
  • The regulations also specifically require that computer systems containing personal information are protected by encryption, secure user logins, firewall systems, virus and malware protection and reasonably up-to-date system software. 

The Massachusetts Attorney General is authorized to enforce these regulations, but at this stage, as with any new regulatory framework, the form and level of government enforcement is unclear. However, the new regulations direct the Attorney General to take into account the size and nature of the business, as well as the resources available to it, when assessing compliance.

2.13.2009 UPDATE: As we report in our client alert, the OCABR has filed amended regulations to extend the deadline for compliance with Massachusetts identity theft regulation to January 1, 2010.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC "Red Flags" Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of the recent "Red Flags" regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.  This delay does not apply to the separate provisions governing users of consumer reports that receive notices of address discrepancies, for which the November 1, 2008 deadline still stands. Likewise, enforcement against banks, credit unions and other financial institutions by the U.S. Treasury, Federal Reserve, Federal Deposit Insurance Corporation and other agencies is not affected by the FTC's action.

The “Red Flag” rules had their genesis in 2003, when Congress enacted the Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681 (“FACTA”). FACTA required the FTC and a group of other regulatory agencies and committees to adopt regulations to help consumers avoid the growing epidemic of identity theft. Under the final “Red Flags” regulations that came into effect on January 1, 2008, U.S. companies that maintain customer accounts used to make periodic payments, transfers or transactions were initially given until November 1, 2008 to develop formal policies to detect the warning signs or “Red Flags” of potential identity theft and set up procedures to prevent and mitigate the harm caused by identity theft. The FTC’s latest announcement provides businesses with an additional seven months, until May 1, 2009, to assess whether they are covered by the “Red Flags” regulations and put in place a compliant Identity Theft Prevention Plan.

While the language of the regulations covers “financial institutions” and “creditors” maintaining “covered accounts,” the FTC has made clear that the “Red Flag” regulations are intended to cover a broad range of businesses, many of which may not consider themselves traditional “financial institutions”. In particular, the FTC maintains that the new regulations apply to: (1) businesses that maintain any type of account that permits multiple payments or transactions or any other account that presents a reasonably foreseeable risk of identity theft, (2) credit card issuers, and (3) companies that use or receive consumer credit reports. 

The FTC estimates that the new regulations apply to over 11 million businesses in the U.S., including lenders, mortgage brokers, and brokerage firms, but also automobile dealers, utilities and telecommunications companies, collection agencies and other businesses that participate in credit decisions about their customers. Any business that provides customers with any type of account that permits the customer to make repeated payments or enter into regular financial transactions needs to assess whether it is subject to the new "Red Flags" regulations.

If your business is covered by the new “Red Flag” regulations, you will need to develop an Identity Theft Prevention Plan containing procedures to:

  1. Identify any indicators of a possible risk or existence of identity theft in the business — what federal regulators are calling "Red Flags" — such as discrepancies in customer information and suspicious account activity.
  2. Respond appropriately to any Red Flags in order to prevent identity theft from occurring, including by monitoring suspicious activity, contacting customers and notifying law enforcement.
  3. Continually assess the identity theft risks to customers and update the company’s Identity Theft Prevention Plan as necessary.

In addition, the new Red Flag regulations require an affected business to obtain approval from its board of directors for the Identity Theft Prevention Plan, train staff to administer the program and exercise oversight over any service providers retained to manage customer accounts and information. 

At present, it is still unclear what form the FTC’s enforcement of the “Red Flags” regulations will take. The regulations do provide for enforcement actions, regulatory penalties and fines, but do not provide individuals with a right to sue for failure to comply with the new rules.