Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers.  Spokeo is a website that bills itself as a search engine that allows users the ability to look up "people-related information from phone books, social networks, marketing lists, business sites, and other public sources." 

According to the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act, which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including allowing consumers the right to access information about themselves, to correct mistakes and to be advised of adverse decisions made based on Spokeo's data.  The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users.  The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” -- the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you -- then they probably do.  In this post, we will recap the FTC's recent guidance on who should be complying with the Rules.

In our prior post, Gabriel Helmer and I discussed the scope of the Red Flag Rules and how the FTC has come under fire for broadly interpreting the term “creditor” to include any entity that regularly accepts payment after it delivers goods or services to its customers.  In particular, we discussed a letter (.pdf) from the American Medical Association (AMA) to the FTC chairman challenging the FTC’s application of these regulations to the healthcare industry.

Recently, the FTC has responded (.pdf) to the AMA by articulating the legal support for its interpretation.  In its response, the FTC unambiguously endorses the broad construction of the term “creditor” to include any and all entities that regularly permit payment after the provision of goods or services -- “even [if only] in the normal course of a traditional billing process.” The FTC claims this broad reading is necessary to deter identity theft because “[i]dentity thieves look for opportunities to obtain products or services that do not require payment up-front.” (emphasis added).

The FTC, with unusual frankness, emphasizes that no industry is exempt as a “creditor” because the definition of “creditor” is “activity-based, not industry based.” In other words, the test of whether you are a “creditor” does not depend on what goods or services you provide, but on the way you bill your clients. The FTC also pulls no punches when identifying potential “creditors,” listing a wide range of industries and businesses, including physicians, lawyers, merchants, repair persons, and even “a local store where a customer runs up a tab.” 

The FTC primarily supports this interpretation with commentary from the Federal Reserve Board on parallel regulations: "[i]f a service provider (such as hospital, doctor, lawyer or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for the purposes of the regulation, even though there is no finance charge and no agreement for payment in installments."  While this commentary has some appeal, the FTC seems unable to find direct support in court decisions and only cites a judicial aside ("obiter dicta") from the district court in Barney v. Holzer Clinic, Ltd., 902 F.Supp. 139 (S.D. Ohio 1995) -- a case in which the healthcare provider was ultimately held not to be a "creditor."  The FTC also attempts to distinguish Riethman v. Berry and Shaumyan v. Sidetex Co., the two appellate court decisions cited by the AMA.  All in all, the FTC letter contains an extended explanation of the FTC's position, but legal scholars will find the FTC letter devoid of any substantive court decision or controlling legal precedent that justifies applying the FTC's broad interpretation of "creditor" to most businesses. 

While the FTC's position may be unyielding with respect to which entities are covered by the Rules, the FTC does appear to be taking a softer approach with respect to compliance. "We are, of course, sensitive to the concern that the Rule requirements could be burdensome for health care providers, potentially leading to unintended costs for consumers."  The FTC’s letter suggests that the Red Flag Rules are highly flexible with respect to what security measures are required.  According to the FTC, covered entities should design identity theft prevention programs commensurate to their level of risk: “high risk entities would tend to have more elaborate [Identity Theft Prevention] Programs, while low risk entities could have streamlined and less complex Programs.”  The FTC lists several security measures that healthcare providers should consider:

  • checking photo identification at the time a patient seeks healthcare services,
  • placing a "hold" on efforts to collect debts when notified that a patient's identity has been stolen,
  • not reporting fraudulent transactions to credit reporting agencies, and
  • maintaining information about a known identity thief separately from the records of the original patient.

The FTC thus continues to maintain its position with respect to the broad scope of the Red Flags Rules and its attempt to push the healthcare industry, among others, to develop risk-based information security programs.

Links

  • The February 4, 2009 letter sent by the FTC to the AMA is available here (.pdf).
  • The September 30, 2008 letter sent by the AMA to the FTC chairman is available here (.pdf) or from the AMA's website here (.pdf).


FTC Says "Dumpster Wrong Place for Consumers' Personal Information"

* By Stacy Anderson and Gabriel M. Helmer.

Anyone required to comply with the FTC’s Disposal Rule [the text of the rule can be found here], which requires companies to take reasonable steps to dispose of information contained in consumer credit reports, should take note of a recent FTC enforcement action in federal court from the District of Nevada. On December 30, 2008, the FTC filed a complaint against Las Vegas businessman Gregory Navone alleging that he violated the Disposal Rule and the Fair Credit Reporting Act (FCRA) when he discarded forty boxes of documents into a public dumpster behind an office building in Las Vegas. The boxes contained tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and other sensitive customer information collected by Navone’s businesses. The FTC seeks monetary damages and an injunction against further violations under the Disposal Rule and the FCRA for Navone’s alleged failure to take reasonable measures to protect customer information.  Interestingly, the complaint also asserts claims under the FTC Act on the basis that Navone failed to abide by his own customer privacy policy, which stated:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction. . . . From time to time, we enter into agreements with other companies to provide services to us or make products and services available to you. Under these agreements, the company may receive information about you but they must safeguard this information and they may not use it for any other purposes

While the case remains pending, it serves as a reminder from the FTC on the importance of not only taking reasonable steps to protect sensitive customer information, but also living up to customer assurances regarding information security.

Links:

  • The text of the FTC's Disposal Rule, 16 C.F.R. Part 682 can be found here (.pdf) or from the FTC's website here (.pdf)
  • The complaint filed in FTC v. Navone is available here (.pdf) or from the FTC's website here (.pdf)

Do The Red Flags Regulations Apply to Me? -- Understanding Whether You Are A "Creditor" Under Federal Law

If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)

For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Parts 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a “creditor” under the general purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transaction Act of 2003 (FACT Act or FACTA). 

The FTC claims that the term “creditor” applies to any business or entity that allows customers to pay for goods or services after they have been delivered and has made clear that it intends to enforce the regulations broadly. For example, see the FTC’s October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a “creditor” subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but also consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC’s construction is so broad, it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered.  I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.

The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny.  If everyone is a "creditor", then everyone is subject to a host of legal requirements that are primarily enforced against traditional lending institutions. Because the FTC's broad interpretation of “creditor” would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC’s underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders. 

Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable to enforce the new regulations as broadly as it has announced.

The FTC's Bright-Line Rule: A “Creditor” Is Any Business That Receives Payment After Delivery of Goods or Services 

The FTC has made it clear that it broadly interprets the term “creditor” to apply to any business or entity that allows customers to defer payment for goods or services until after they have been provided to the customer. This would include doctors, lawyers and a broad range of for-profit and non-profit businesses and organizations. The FTC has presented this interpretation in a number of public statements:

  • In the commentary to the November 2007 Final Rules, the FTC and other federal rulemakers indicated that the term “creditor” includes traditional lenders “such as banks, finance companies,” but also automobile dealers, mortgage brokers, utility companies, and telecommunications companies. 
  • In June 2008 guidance, the FTC indicated “[w]here non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.” 
  • On a July 22, 2008 conference call with municipal and state utilities organizations, FTC representatives apparently indicated that the Red Flag requirements apply to all business “operations which provide services before they bill the customer.” [For an industry report on that call see this link (.pdf).]
  • During a conference call with members from the healthcare industry, FTC staff attorneys apparently stated that physicians and hospitals are “creditors” subject to Red Flags regulation “if they do not require full payment up front at the time they see patients, but rather bill patients after the physician’s services are rendered.” The American Medical Association and several other healthcare groups objected to this broad interpretation in a September 30, 2008 letter (.pdf) to the FTC chairman.
  • In its October 2008 Enforcement Policy (.pdf) statement, the FTC affirmed this broad interpretation when it affirmed that “any person that provides a product or service for which the consumer pays after delivery is a creditor.” 
  • The FTC’s Chief Privacy Officer Mark Groman reiterated that a “creditor” is any business, including law firms, that “defers payment” in exchange for goods and services during a January 2009 presentation at the Boston Bar Association. [See our piece on that event here.] 

From these public statements, it is clear that the FTC has adopted a bright line test: anyone that accepts payment after he/she/it provides goods or services is a “creditor” subject to the Red Flags regulations. In the FTC’s view, the regulations apparently apply equally to doctors who bill their patients after an office visit, and to lawyers and consultants who present their clients with bills for past services on a periodic basis, as they do to banks and credit card companies.  Any business that does not demand up-front payment before it provides goods or services to its customers would apparently be a “creditor” under the FTC’s current interpretation and, according to the FTC, should be developing a compliant identity theft prevention program (and, by the way, complying with federal lending laws). 

Federal Courts of Appeals: No Bright-Line Rule, Businesses That Accept Payment After Delivery May Not Be A “Creditor”

Notwithstanding the FTC’s statements on this issue, federal court of appeals decisions interpreting who is a “creditor” under federal law have construed the term somewhat narrowly. Importantly, the federal appeals courts have pointedly refused to adopt a bright line standard like the one announced by the FTC. 

Neither the Red Flags regulations nor the FACT Act define the term “creditor.” Instead, they incorporate the definition of “creditor” from a parallel federal statute, the Equal Credit Opportunity Act (ECOA). Under the ECOA, “creditor” is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” “Credit,” in turn, is defined as the “right granted by a creditor to a debtor” to: (1) “defer payment of debt”; (2) “incur debts and defer its payment”; or, most broadly of all, (3) “purchase property and services and defer payment therefore.” As a result, the legal question for many businesses is whether they become a “creditor” simply by accepting payment for their services after they have been completed.

In Shaumyan v. Sidetex Co., 900 F.2d 16 (2d Cir. 1990), the Second Circuit Court of Appeals found that a contractor was not a “creditor” when it allowed a client to make incremental payments for home improvements that included installing siding and replacing doors and windows. In that case, the plaintiffs agreed to make a series of payments over time as work was completed, including an initial deposit, a payment when the work commenced, a payment after the project was half complete, a payment when the siding was installed and a final payment after the windows and doors had been completed. Shaumyan, 900 F.2d at 17. The Second Circuit considered and rejected the argument that this arrangement made the contractor a creditor under the ECOA merely because payment was not made before work began or “instantaneously” when the services were provided. The Court reasoned that “[i]f this proposition were strictly applied . . . countless transactions in which compensation for services is not instantaneous would be characterized as credit transactions. Such indiscriminate application of the ECOA is not appropriate.” Shaumyan, 900 F.2d at 18-19 (internal citation omitted). Instead, the Second Circuit held that the contractor was not a “creditor” because payment was made “substantially contemporaneous” with the work that was performed. Shaumyan, 900 F.2d at 19 (“Since the … payment obligation was substantially contemporaneous with [the contractor’s] performance, the contract was not a credit transaction.”). 

More recently, in Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002), the Third Circuit Court of Appeals flatly rejected the FTC’s current interpretation of “creditor.” There, the Third Circuit considered whether a law firm could be considered a creditor because it entered into an attorney fee arrangement that permitted the client to make payments after services were rendered, and allowed for late payments. The Court rejected the plaintiff’s argument that any “post-service billing” (or billing for services or goods already rendered) transformed the law firm into a “creditor” and suggested that the term “creditor” must be limited to more traditional financial institutions. Otherwise “in addition to attorneys' fees, [plaintiff’s] interpretation of the ECOA would embrace doctors' fees, dentists' fees, accountants' fees, psychologists' fees and virtually all other professional fees. In view of the statutory purpose underlying the ECOA, it seems implausible that Congress intended to cover not only banks and other such financial institutions but also all professions.” Riethman, 287 F.3d at 278. 

The Shaumyan and Riethman decisions appear to reject the FTC’s broad interpretation of “creditor” under the ECOA and, not surprisingly, industry groups such as the American Medical Association brought these cases to the FTC’s attention in their September 2008 letter (.pdf). While other cases interpreting the ECOA may offer less support to industry groups resisting the FTC’s broad interpretation, they make clear that the federal courts that have examined these issues have not adopted any bright line tests like the one announced by the FTC.   

In particular, the issue of who is a “creditor” under the ECOA has been hotly contested in the context of residential and commercial leases. This has led to a number of decisions from federal circuit courts, and the Federal Reserve Board, the agency empowered to issue interpretive guidance on the ECOA, has weighed in on the issue with a non-binding interpretation asserting that “Congress did not intend the ECOA . . . to cover lease transactions” and warning that enforcing the ECOA against lessors “could impose significant burdens for certain segments of the industry — such as furniture and appliance leasing.” 50 Fed. Reg. 48018, 48019-20 (1985). Key court decisions on this issue include the following cases:

  • In Laramore v. Ritchie Realty Mgt. Co., 397 F.3d 544 (7th Cir. 2005), the Seventh Circuit Court of Appeals held that a residential landlord was not a “creditor” under the ECOA. The Court reasoned that “typical” rental payments are better seen as credits for future services, rather than a deferral of debt for the underlying lease obligation. Laramore, 397 F.3d at 547. However, the Court explicitly left the door open for the ECOA to cover a non-typical residential lease that requires payment at the end of the month for the preceding month’s rent. “For the purposes of this case, we are concerned only with leases that provide for the lease of residential property for a term and roughly equal rental payments are due to the landlord at the beginning of each month during that term.” Laramore, 397 F.3d at 547 n.2.
  • The Court of Appeals for the D.C. Circuit held in Micks at Pa. Ave., Inc. v. BOD, Inc., 389 F.3d 1284, 1289 (D.C. Cir. 2004) that a residential sublease did not transform the sublessor into a “creditor” under the ECOA. The Court was skeptical that merely collecting monthly rental payments constitutes an ECOA “credit transaction” and also justified its holding based on the fact that the ECOA requires that a “credit transaction” be in the “regular” course of business, but the sublessor at issue in the case was a restaurant who did not “regularly” extend subleases. Micks, 389 F.3d at 1289. This decision suggests that the D.C. Circuit, much like the Third Circuit in the Riethman case, may be reluctant to identify “creditors” without also considering the types of goods and services purchased.
  • In a break with other courts, the Ninth Circuit Court of Appeals held that an automobile lease transformed the lessor into a “creditor” under the ECOA. In Brothers v. First Leasing, 724 F.2d 789 (9th Cir. 1984), the Ninth Circuit held that the lessor was a “creditor” because an automobile lease requires a lessee to defer payment of the debt. Brothers, 724 F.2d at 798 n.8.

This much is clear: federal courts of appeals have not adopted the FTC’s bright-line test for what businesses are “creditors.” Instead, the federal courts have applied the ECOA on a case-by-case basis and exhibited a clear reluctance to define “creditor” so broadly that it includes all businesses that bill their customers for past services. In particular, several federal appeals courts and the Federal Reserve Board have indicated that the ECOA was not intended to apply the term “creditor” to industries beyond traditional lending institutions. 

Beyond legal formalities and abstractions, the concern expressed by these courts is grounded in common sense. If the FTC’s broad interpretation is not narrowed, who isn't a "creditor"?  Having announced no practical limitations on who is covered by the new rules, the FTC appears ready to push the scope of the Red Flags regulations to new limits.  While many individuals and companies may have well-founded legal arguments that they are not subject to Red Flags regulations, anyone that ignores the new rules does so at their peril, given the FTC’s clear intention to enforce the regulations against virtually everyone.

Links:

  • The FTC's website
  • The Federal Register publication of the final Red Flags Regulations is available here (.pdf), or directly from the FTC's website here (.pdf)
  • The FTC's Business Alert from June 2008 is available here (.pdf) and this guidance is available directly from the FTC's website here.
  • The Oklahoma Municipal League's Municipal Policy Review, which reported on FTC public statements, is available here (.pdf), or from the Oklahoma Municipal League's website here (.pdf).
  • The September 30, 2008 letter sent by a long list of medical organizations to the FTC chairman is available here (.pdf) or from the AMA's website here (.pdf).
  • The FTC's October 2008 Enforcement Policy Statement may be found here (.pdf) or on the FTC's website here (.pdf).
  • Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002) (.pdf) or directly from the Court of Appeals website (.pdf)