Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT), who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal's bill, "The Personal Data Protection and Breach Accountability Act," would require businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the Justice Department to levy fines of $5,000 per violation per day, up to a total of $20 million per violation. The bill also includes federal data breach notification requirements.

Given the large number of such bills pending, the Senator's junior status, and the fact that his bill has no co-sponsors, it is unlikely that this particular bill will be adopted. At present, at least 15 bills pending in Congress contain the phrase "data security":

  1. Data Security Act of 2011 (Introduced in Senate - IS)[S.1434.IS]
  2. e-KNOW Act (Introduced in Senate - IS)[S.1029.IS]
  3. BEST PRACTICES Act (Introduced in House - IH)[H.R.611.IH]
  4. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Reported in House - RH)[H.R.1573.RH]
  5. Personal Data Privacy and Security Act of 2011 (Introduced in Senate - IS)[S.1151.IS]
  6. To facilitate implementation of title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, promote regulatory coordination, and avoid market disruption. (Introduced in House - IH)[H.R.1573.IH]
  7. Data Security and Breach Notification Act of 2011 (Introduced in Senate - IS)[S.1207.IS]
  8. SAFE Data Act (Introduced in House - IH)[H.R.2577.IH]
  9. U.S. Postal Service Improvements Act of 2011 (Introduced in Senate - IS)[S.353.IS]
  10. METRICS Act (Introduced in Senate - IS)[S.1464.IS]
  11. Data Accountability and Trust Act (DATA) of 2011 (Introduced in House - IH)[H.R.1841.IH]
  12. Reform the Postal Service for the 21st Century Act (Introduced in House - IH)[H.R.1262.IH]
  13. Data Accountability and Trust Act (Introduced in House - IH)[H.R.1707.IH]
  14. Protecting the Privacy of Social Security Numbers Act (Introduced in Senate - IS)[S.1199.IS]
  15. Postal Reform Act of 2011 (Introduced in House - IH)[H.R.2309.IH]

Given how many similar bills are pending, it seems likely that something like Sen. Blumenthal's bill will be adopted before this session of Congress is over.


Analysis of the Supreme Court's Decision Striking Down Vermont Pharmaceutical "Data Mining" Law

As promised in our earlier entry, here is our detailed discussion of the Supreme Court's decision in Sorrell v. IMS Health, Inc., written by Colin J. Zick, Pat A. Cerundolo, and Tad Heuer.

On Thursday, June 23, the United States Supreme Court voted 6-3 to strike down a Vermont statute that sought to impose significant restrictions on pharmaceutical detailing and “data mining” activities. Justice Kennedy’s opinion in the closely-watched case of Sorrell v. IMS Health Inc. held that the Vermont statute was an unconstitutional regulation of commercial speech. In so doing, the Court found that the sale, disclosure, and use of redacted pharmacy records containing physician prescribing information constituted “speech in aid of pharmaceutical marketing” and therefore enjoyed First Amendment protection. This case is an important victory for the pharmaceutical, medical device, biotechnology, and related sectors. The following summarizes this ruling and its potential consequences for those involved in these industries.

Background

The case concerned Vermont’s 2007 Act Relating to Increasing Transparency of Prescription Drug Pricing and Information. The Vermont law prohibited pharmacies and similar entities from selling information about physician prescription patterns (“prescriber-identifiable data”), and prohibited pharmaceutical manufacturers from using such data for marketing purposes without the express consent of prescribers. As a result, the law severely restricted the ability of pharmaceutical sales representatives to tailor their “detailing” presentations (the trade term used to describe routine pharmaceutical marketing presentations) to the needs of individual prescribers. The law did include an exception for the use of prescriber-identifiable data in healthcare research.

IMS Health, an entity that collects and sells prescriber data, challenged the law in the United States District Court in Vermont. The District Court upheld the law, finding that it was a valid and constitutional restriction on commercial speech, given Vermont’s asserted interests in both healthcare cost containment and public health. On appeal, the Second Circuit Court of Appeals reversed, finding that these justifications were inadequate. The Second Circuit ruled that the law violated the First Amendment by burdening the speech of pharmaceutical marketers and data mining entities. The United States Supreme Court granted certiorari in order to reconcile the conflict between the Second Circuit’s decision to strike down the Vermont law, and the First Circuit’s recent decision to uphold a similar New Hampshire law.

Supreme Court Ruling

In ruling in favor of IMS Health and affirming the Second Circuit, the Supreme Court first found that the text of the Vermont law constituted more than an incidental burden on speech, as it explicitly disfavored both specific speakers (pharmaceutical manufacturers) and specific contents of speech (marketing activities), and was thus subject to a “heightened” standard of judicial scrutiny. The Court also observed that the law’s legislative history clearly indicated that its express purpose was to diminish the effectiveness of brand-name pharmaceutical marketing efforts. Second, the Court concluded that the Vermont law directly regulated the content of that speech, and was therefore not solely a commercial regulation (whose constitutionality could have been analyzed using a level of judicial scrutiny more deferential to Vermont). Third, the Court ruled that the Vermont law restrained the use and dissemination of information about prescriber habits, and thus specifically burdened the marketing speech of pharmaceutical companies. As a result, the Court ruled that the Vermont law violated the First Amendment.

Further, the Court noted that even if the Vermont law were viewed only as a limitation on commercial speech, the law still would have failed to pass constitutional muster, as it did not directly and proportionately advance any of Vermont’s asserted reasons for its necessity: physician privacy, healthcare cost control, or public health generally. First, the Court reasoned that the law could not be said to protect physician privacy, because the law still authorized pharmacies to share prescriber-identifying information with essentially anyone for any reason other than marketing. Second, the Court found that Vermont’s indirect approach to controlling healthcare costs — passing a law that restrained speech in an effort to diminish the perceived influence of detailing — constituted a disproportionate burden on free speech. Third, the Court emphasized that the dissemination of truthful information about pharmaceuticals may actually improve public health, by helping prescribers make more informed decisions. Indeed, the Court observed that far from being either false or misleading — two situations in which the Court has previously permitted limited regulation of commercial speech — there was no evidence that the “detailing” at issue here was anything but truthful. In conclusion, the Court observed that the mere fact that Vermont “finds [certain forms of] expression too persuasive does not permit [Vermont] to quiet the speech or to burden its messengers.”

In dissent, Justice Breyer (joined by Justices Ginsburg and Kagan) argued that although the Vermont law may have adversely affected speech, it did so only as part of a lawful governmental effort to regulate a commercial enterprise. Breyer emphasized that the prescriber information is only retained because pharmacists are required by law to do so, and argued that in such a situation, the First Amendment does not require the Court to apply a heightened level of judicial scrutiny. Breyer further argued that even if “intermediate” scrutiny were applied to the Vermont law (the legal standard that is usually applied to a review of restrictions on purely commercial speech), the Vermont law would have met this test. Breyer concluded that the law directly advanced Vermont’s substantial interest in public health because it would encourage detailing discussions that focused on safety, effectiveness, and cost, rather than on past prescribing history.

Outlook

The Supreme Court’s Sorrell decision is an important development for the pharmaceutical, medical device, biotechnology, and related sectors, because it confirms the legal right of industry sales staff to access prescriber-identifiable data for marketing and other purposes. The Sorrell ruling will almost certainly require a reexamination of similar statutory and regulatory restrictions in other states, particularly if those state laws burden the access to and use of this type of prescriber information.

Finally, it remains to be seen whether Sorrell represents a move toward granting commercial speech greater constitutional protections than it has been afforded in the past. The Court concluded that the Vermont law would have been unconstitutional under either the “intermediate” scrutiny standard traditionally applied to commercial speech regulations or the “heightened scrutiny” standard alluded to by the majority. However, the implication that a new “heightened” standard exists in the commercial speech context — and precisely what such a standard would look like in practice — is a development that merits being monitored closely.


Online Privacy Bills Planned for 2011

By Patrick Connolly

If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead. 

Proposals will come from both sides of the aisle. According to Hillicon Valley, Rep. Jackie Speier (D-Calif.) will shortly introduce an online privacy bill directing the FTC to implement a “do not track” regime applicable to online advertisers (even though public comments on the FTC report supporting such a measure, Protecting Consumer Privacy in an Era of Rapid Change, are still coming in). Rep. Speier’s bill is said not to include any safe harbor provision. In contrast, the privacy bill forthcoming from Rep. Bobby Rush (D-Ill.) will not include a “do not track” mandate, but is anticipated to be very similar to the bill he proposed in 2010 that provided a safe harbor to marketers participating in an FTC-approved, self-regulatory “Choice Program.” Any approved “Choice Program” would, true to its name, be required to provide users with a robust set of options concerning the collection and use of their information.

On the Republican side, Rep. Cliff Stearns (R-Fla.) plans to introduce a new version of the 2010 draft Boucher-Stearns bill which would have required websites to inform users of how they collect and use personally identifiable information and then allow users to opt out of having such information collected. Collection of certain sensitive information and the sharing of personally identifiable information with third parties would require users to opt in.

Other politicians reported to have an interest in addressing internet privacy this year include Rep. Joe Barton (R-Texas), and Senators Jay Rockefeller (D-W. Va.) and John Kerry (D-Mass.).

So with the ink barely dry on public comments to the Commerce Department’s Dynamic Policy Framework, and with public comments to the FTC Report still incoming, it appears legislators may be ready to run with the presumption inherent in both reports that the existing notice and choice mechanism for protecting Internet user privacy is outdated and ineffective. 

All this activity is focused on achieving increased transparency, simplification of consumer choice, and ensuring users are able to give true informed consent to the collection and use of their information. However, a rush to regulate without providing sufficient flexibility for different business models could stunt innovation and hurt the user experience. In this dynamic marketplace, where large businesses and emerging companies alike are beginning to innovate consumer privacy solutions and may soon compete on that basis, passage of rigid laws and reactionary regulations may be counter-productive.

Will 2011 Bring Us "Do Not Track" Legislation?

Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:

1) This is an area where bipartisan consensus is possible.

2) The industry powers will fight against “Do Not Track” and will win that fight.

3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”

We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.

*   *   *
 
"Creepy" is the new "cool" and how to make sure it stays that way
 
Posted by Dave Broadwin on December 14, 2010

The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online.  We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly. 

Mark’s comment: 

“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’”  There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising.  It is not just OK by them; it’s a value add.  I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy.  There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.

In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics. 

Prediction #1:  Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress. 

Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook.  So, whatever happens it won’t be that.  However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model. 

Prediction #2:  The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something.  The easy things for them to trade are procedural protections for the consumer. 

  • The FTC wants the industry to adopt “privacy by design” principles.  This means that companies should adopt internal processes to promote consumer privacy and security protections into their daily practices and to consider privacy issues at every stage of design and development of products and services.
  • The FTC wants the industry to make consumer data more available to consumers.  This means allowing for increased consumer access to data collected. 

Prediction #3:  The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models. 

Why:  The big boys can afford the administrative burden implicit in procedural protections.  It is just a matter of more money, more people and more oversight.  A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection.  In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that.  I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.

Read it and let me know what you think.

American Institute of Certified Public Accountants Sues FTC to Stop Application of Red Flags Rules to Accountants

First it was the lawyers. Now it's the accountants. Less than two weeks after a federal judge in the District of Columbia granted the American Bar Association's (ABA) request that lawyers be excluded from enforcement of the Federal Trade Commission's (FTC) Red Flags Rule, which was followed that same day by an announcement that the FTC was moving the deadline for enforcement of the Red Flags Rule from November 1 to June 1, 2010, the American Institute of Certified Public Accountants (AICPA) has filed a lawsuit in the same court seeking an injunction barring the FTC from enforcing the Red Flags Rule as to accountants. According to the AICPA's press release, the suit was filed on November 10. For some reason, the case does not appear on PACER (the electronic system that contains links to court filings in the federal court system), but the AICPA included a link to the complaint on its website.

The AICPA suit seeks declaratory and injunctive relief on the grounds that the FTC exceeded its statutory authority by attempting to impose the Red Flags Rule on AICPA members who, it argues, are already strictly regulated at the state level.  The AICPA makes numerous references to the Court's decision in the ABA suit that the Red Flags Rule may not be applied to lawyers.  As with the ABA lawsuit, the AICPA does not suggest that accountants are just as vulnerable to identity theft as other professionals.

It will be interesting to see how the FTC responds to this new complaint, i.e., whether it will make the same arguments it made in the ABA suit and/or whether it will somehow try to distinguish accountants from lawyers. It will also be interesting to see if any other large industry groups (such as the American Medical Association) decide to file their own suits. As we noted in our earlier coverage of the ABA litigation, however, the effect of these suits, if successful, on the burdens of those bringing them is unclear. Although we are not experts about the duties of accountants, one can imagine that, like lawyers, they will likely be required to take many, if not all, of the same security measures demanded of their clients, because the Red Flags Rule requires that companies oversee how their service providers manage customer information and accounts, and because of the duties imposed on service providers by other federal and state laws.


ALERT: FTC Announces Delay in Red Flags Enforcement Until June 1, 2010

Two days before they were scheduled to go into effect, and on the same day that a federal judge ruled that lawyers should be excluded from enforcement, the Federal Trade Commission (FTC) announced today that it was delaying enforcement of its Red Flags Rule until June 1, 2010.  In the announcement, the FTC stated that the delay was due to "the request of Members of Congress" and highlighted the efforts it has made to provide guidance to covered entities on how to comply with the Rule.  However, the announcement specifically mentioned the October 30, 2009 ruling by District Judge Reggie B. Walton of the U.S. District Court for the District of Columbia (see our coverage here), in which the Court granted the ABA's motion for summary judgment, finding that the FTC may not apply the Rule to attorneys.  According to the announcement, the delay in enforcement "does not affect the separate timeline" of the ABA's lawsuit "and any possible appeals."  Given the timing of the announcement, the most likely explanation for the delay is that the FTC wants to give itself time to appeal the district court's decision in the ABA suit. 

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule in late June, it filed suit in federal district court on August 27, 2009, leading to the ruling in its favor this morning.

However, as we noted in our post on the district court's ruling, caution may be warranted for attorneys because a number "of federal and state laws demand that companies ensure that customer information is protected "downstream" -- i.e., by consultants, accountants, lawyers and anyone else who is given access to customer records . . . . Under these overlapping obligations [along with the fact that the FTC will almost certainly appeal Judge Walton's decision to the D.C. Court of Appeals] lawyers and law firms who represent regulated businesses may ultimately have little to celebrate as a result of the ruling in favor of the ABA" and the delay in enforcement of the Rule.

Bill to Narrow Red Flags Rules Moves Forward

It appears that certain groups, such as the American Bar Association (ABA), may be partially successful in their efforts to convince Congress to narrow the scope of the FTC Red Flags Rules, which are currently scheduled to go into effect on November 1.  According to the BNA Privacy & Security Law Report, the House Financial Services Committee has sent H.R. 3763, titled a bill "To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses," directly to the House floor without a markup.  The bill proceeded to the House floor after the Republican side of the Financial Services Committee consented to such a move.

The bill, which was introduced on October 8 by Rep. John Adler (D-N.J.), would exclude from the Red Flags Rules health care, accounting and legal practices with 20 or fewer employees.  It would also require the FTC, within 180 days, to issue regulations that set forth the process by which a business may apply for an exemption from the Red Flags Rules.

Of course, the passage of H.R. 3763 likely will not sufficiently narrow the Red Flags Rules in the eyes of the ABA, which has filed suit in federal district court in Washington D.C. to stop the application of the Red Flags Rules to all attorneys (see our prior post on this lawsuit).  In that case, the ABA has already moved for partial summary judgment, and the FTC has filed an opposition.  On October 13, ABA President Carolyn Lamm sent a letter to Rep. Barney Frank (D-MA), the chairman of the Financial Services Committee, urging lawmakers to exempt all attorneys from the rules.


House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

In his opening statement, Congressman Bobby Rush (D-IL), Chairman of the Subcommittee on Commerce, Trade and Consumer Protection, noted the lack of federal laws governing behavioral advertising and establishing a comprehensive privacy policy and expressed his hope that the hearing would help answer the question whether such legislation is necessary. In his opening remarks, Congressman Rick Boucher (D-VA), Chairman of the Subcommittee on Communications, Technology and the Internet restated his desire to work with other members to develop legislation "extending to Internet users the assurance that their online experience is more secure."  

The subcommittees heard testimony from the following witnesses:

Committee members' questions focused on issues that would be important to drafting legislation. For example, several members asked about the benefits of opt-in as opposed to opt-out requirements. Opt-in and opt-out are two schemes for allowing consumers an option as to whether to participate in targeted advertising. Opt-out requires consumers to affirmatively seek out the company's policy and elect not to participate, while opt-in would require companies to affirmatively notify consumers of their privacy policies and obtain permission before using consumers' data. After hearing from witnesses from Google and Yahoo about their opt-out programs, Chairman Rush asked exactly what consumers "opt out" of, inquiring whether opt-out ensures that a consumer's data will not be collected, or whether opt-out means only that a consumer will not see targeted ads. Both witnesses explained that "opt-out" allows users to exclude themselves from targeted advertising, but not from data collection.

Committee members also focused attention on other issues that would be important to the drafting of legislation, including the treatment of personally identifiable and sensitive information, and whether the Federal Trade Commission (FTC) or the Federal Communications Commission (FCC) should be given jurisdiction over new legislation. Consistent with the FTC Chairman's recent questioning of the adequacy of existing industry self-regulation, reported here, members also inquired about whether self-regulation can be effective without an enforcement mechanism and whether industry audits would advance privacy interests.

Cyberspies Penetrate U.S. Power Grid

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system.  According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system.  More importantly, the intruders could attempt to damage the system during a war or other national security crisis.

Evidently, there have been a growing number of intrusions over the past year, most of which were detected by intelligence agencies and not the companies actually in charge of the infrastructure.  According to officials, the software left behind "could be used to destroy infrastructure components," and "water, sewage and other infrastructure systems were at risk."  These same officials cautioned, however, that "the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger."

The Journal also notes that "protecting the electrical grid and other infrastructure is a key part of the Obama's administration cybersecurity review, which is to be completed next week" (Aaron Wright's post on this blog regarding the review can be found here).  One also wonders if news of this breach will increase momentum for a cybersecurity bill recently introduced in the Senate (see my post here).  That bill would give the President power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network (which would presumably include the electricity grid) and would also require that infrastructure companies meet new security standards.

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: McAfee requires registration to download the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

  1. Increasingly, important digital information is being moved between companies and across continents and is being lost.
  2. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside cybercriminals. Moreover, increasing layoffs are increasing incentives for insiders to steal confidential information.
  3. Elements in certain countries are emerging as the main threats to data security.  According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
  4. Cybercriminals have evolved beyond basic hacking and stealing of data.  They are becoming more organized and sophisticated.

In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach is clearly on the rise. According to the McAfee Report, 68% of those surveyed cited “insider threats” as the top threat to essential information. “Data thefts by insiders tend to have greater financial impact given the higher level of data access.”

Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008. 

And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security. 

Between the increasing threats to information assets and the confusing morass of new regulations governing information security, business are stuck between a rock and a hard place while the funds and personnel needed to address the threats and comply with increased regulation are dwindling. Given recent reports that “[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers,” the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat these threats, as regulators appear to be demanding.


FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact-finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations.

The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention program:

FTC Recommendation 1 - Businesses should improve their methods of authenticating the identity of consumers

By this, the FTC means that businesses should reduce or eliminate altogether the use of SSNs to authenticate a person’s identity. The FTC explains that SSNs themselves are not useful tools to confirm a person’s identity because SSNs are widely used as “identifiers” — information that, like your name and address, is commonly supplied to a range of merchants, employers, government agencies and financial institutions — rather than as “authenticators” — information, like a password or personal information, which remains secret. In short, because your SSN is generally no secret to your boss, your doctor, your bank, the IRS and a number of other entities, knowledge of your SSN is insufficient to prove that you are who you say you are.

The FTC Report does identify some appropriate ways that SSNs may be used during the authentication process which might safely avoid some of the risks associated with using an SSN as an authenticator:

  • using the SSN “to access databases containing information about an individual that can be used to formulate challenge questions that only the true individual should be able to answer (for example, the amount of her mortgage payment each month)”; [Report at 5]
  • using the SSN to check an individual’s identity against a fraud database, for example, checking to see that the SSN matches the Social Security Administration’s listing for a living individual or whether the SSN is listed on industry databases of SSNs used to commit fraud; and
  • using the SSN “as one element in their quantitative fraud prediction models, which are designed to flag suspect patterns of use of identifying information that might indicate that an application or proposed transaction is fraudulent” [Report at 5] — for example, a check to see whether there have been an unusually large number of credit applications or other suspicious activity using a particular SSN.

While these examples can be found in the FTC Report, the FTC has made clear that it is not taking a stance on whether any specific techniques would ensure compliance with new federal regulations. In calling for rulemaking on this issue, the FTC indicates, as it has with respect to the recent Red Flags regulations, that “the standard should be one of reasonableness and not perfection, acknowledging that there is no fool-proof method of authenticating consumers and no likelihood that one will be developed in the foreseeable future.” [Report at 7] Nevertheless, given the FTC’s conclusion that use of SSNs to authenticate a person’s identity presents a risk of identity theft, it seems clear that businesses that rely on SSNs as an authenticator do so at their peril.

FTC Recommendation 2 - Businesses should abolish the public display and transmission of Social Security numbers

Here, the FTC’s guidance is abundantly clear: stop displaying and transmitting SSNs in unnecessary and potentially risky ways. While the FTC calls on regulatory agencies that oversee the use of SSNs to adopt rules on this issue, the FTC makes a series of specific recommendations to businesses in advance of further regulation:

  • Stop using SSNs as employee or customer numbers;
  • Stop printing SSNs on identification cards that would be compromised every time a wallet is lost or stolen;
  • Stop printing SSNs on mailings, such as account statements or paychecks that can be lifted from a person’s mailbox or trashcan;
  • Stop displaying SSNs in emails or website pages, which can be observed over a person’s shoulder;
  • Encrypt SSNs when they must be transmitted over the Internet.

[Report at 8-9]

In addition, the FTC appears to take the view that displaying only a truncated portion of a person’s SSN provides little protection because the other digits can often be collected from other sources or fabricated based on other personal information. [Report at 8]

Given the level of confusion that plagues many businesses’ efforts to develop identity theft prevention programs, the FTC’s clarity on this issue should not be ignored, especially since many, if not all, of these steps are simple and inexpensive to implement.

Other FTC Recommendations

Perhaps not surprisingly given the confusion generated by new federal and state identity theft regulations, the FTC’s remaining recommendations call on Congress, other regulatory agencies and the FTC itself to develop national standards and provide guidance and leadership to dispel the widespread confusion on what we can do to reduce the threat of identity theft. The FTC outlines some specific guidance to businesses, such as:

  • Collect SSNs only when necessary;
  • Retain SSNs only as long as necessary;
  • Consider how to properly and securely dispose of records containing SSNs;
  • Secure and/or encrypt electronic transmissions containing SSNs;
  • Limit employee access to SSNs;
  • Conduct reasonable employee screening to avoid hiring identity thieves; and
  • Conduct reasonable employee training to prevent potential mistakes.

For those businesses working to comply with recent Massachusetts identity theft regulations (201 C.M.R. § 17.03) or similar state regulations, the FTC's guidance may seem eerily familiar because it parallels many of the state requirements. For example, in Massachusetts, 201 C.M.R. § 17.03(g) requires businesses to limit the amount of “personal information” (which includes SSNs) collected, limit access to that information to those employees that require access, and limit “the time such information is retained to that reasonably necessary to accomplish such purpose.” This is good news for businesses worried that they may face inconsistent federal and state requirements and bad news for those having difficulty meeting these state standards.

Links:

  • The FTC Report - Security in Numbers - SSNs and ID Theft is available here (.pdf) or from the FTC here (.pdf)
  • The FTC’s Staff Summary of Comments and Information Received Regarding the Private Sector’s Use of Social Security Numbers is available here (.pdf) or from the FTC’s website here (.pdf)
  • The FTC’s website on the use of SSNs containing transcripts and webcast of public workshops, public comments, and press releases.
  • The President’s Identity Theft Task Force website