<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Privacy Compliance &amp; Data Security</title>
      <link>http://dataprivacy.foxrothschild.com/</link>
      <description />
      <language>en</language>
      <copyright>Copyright 2009</copyright>
      <lastBuildDate>Tue, 03 Nov 2009 10:05:37 -0500</lastBuildDate>
      <pubDate>Tue, 03 Nov 2009 10:05:37 -0500</pubDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.34</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://dataprivacy.foxrothschild.com/index.xml" type="application/rss+xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://dataprivacy.foxrothschild.com/index.xml" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://www.plusmo.com/add?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" 
src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsalloy.com/?rss=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.newsalloy.com/subrss3.gif">Subscribe with NewsAlloy</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://www.yourminis.com/subscribe.aspx?u=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.yourminis.com/images/addtoyourminisbadge.gif">Subscribe with Yourminis.com</feedburner:feedFlare><feedburner:feedFlare href="http://download.attensa.com/app/get_attensa.html?feedurl=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.attensa.com/blogs/attensa/WindowsLiveWriter/BadgeredintoBadges_10C02/attensa_feed_button5.gif">Subscribe with Attensa for Outlook</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" 
src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://hub.netomat.net/account/account.autoSubscribe.jspa?urls=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.netomat.net/blogger/images/icon_netomat_feedbutton.gif">Subscribe with netomat Hub</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.flurry.com/pushRssFeed.do?r=fb&amp;url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.flurry.com/images/flurry_rss_logo2.gif">Subscribe with Flurry</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Fdataprivacy.foxrothschild.com%2Findex.xml" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
         <title>FTC Extends Red Flag Rules Enforcement Until June 1, 2010</title>
         <description>&lt;p&gt;The FTC has &lt;a href="http://www.ftc.gov/opa/2009/10/redflags.shtm"&gt;again extended&lt;/a&gt; enforcement of the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt;, this time until June 1, 2010.&lt;/p&gt;
&lt;p&gt;This extension comes just one day after the ABA won a &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/"&gt;victory&lt;/a&gt; with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The extension of the enforcement deadline also comes shortly after the House of Representatives &lt;a href="http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/"&gt;passed a bill&lt;/a&gt; creating additional exemptions: health care practices, accounting practices and legal practices (each with 20 or fewer employees), and certain other businesses approved by the FTC that are engaged in domestic services, provide services where identity theft is rare, and have had no incidence of identity theft.&lt;/p&gt;
&lt;p&gt;Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to &lt;a href="http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/red-flags-rules-further-delayed-now-go-into-effect-august-1-2009/"&gt;November 1, 2009&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/AKhWVRg2J0k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/AKhWVRg2J0k/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair and Accurate Credit Transactions Act of 2003</category><category domain="http://dataprivacy.foxrothschild.com/tags">Identity</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Red Flags Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">Theft'</category>
         <pubDate>Tue, 03 Nov 2009 09:28:46 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/11/articles/red-flag-rules-1/ftc-extends-red-flag-rules-enforcement-until-june-1-2010/</feedburner:origLink></item>
            <item>
         <title>ABA SCORES VICTORY WITH ATTORNEY EXEMPTION FROM RED FLAG RULES</title>
         <description>&lt;p&gt;The United States District Court for the District of Columbia ruled that the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;Red Flag Rules&lt;/a&gt; are not applicable to attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.abanet.org/media/nosearch/1_1_Complaint.pdf"&gt;complaint&lt;/a&gt;, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.&lt;/p&gt;
&lt;p&gt;The ruling is another victory for the American Bar Association in exempting attorneys from rules governing the handling of financial and other sensitive information.  It would seem that the FTC could have adjusted its definition of &amp;ldquo;creditor&amp;rdquo; to make clear that attorneys are covered by its regulations, but that clarification may need to come from Congress to avoid future ambiguity.&lt;/p&gt;
&lt;p&gt;If Congress introduces future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.&lt;/p&gt;
&lt;p&gt;The BLT: The Blog of LegalTimes &lt;a href="http://legaltimes.typepad.com/blt/2009/10/judge-ftc-cannot-make-lawyers-comply-with-identity-theft-laws.html"&gt;reports&lt;/a&gt; that it is expected that the FTC will appeal the ruling.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/7zzQYbLRCPo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/7zzQYbLRCPo/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">federal trade commission</category>
         <pubDate>Fri, 30 Oct 2009 10:19:58 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/aba-scores-victory-with-attorney-exemption-from-red-flag-rules/</feedburner:origLink></item>
            <item>
         <title>EXEMPTIONS UNDER FTC RED FLAG RULES AMENDMENT PASSES THE HOUSE</title>
         <description>&lt;p&gt;Representative John Adler&amp;rsquo;s (D-NJ) amendment to the &lt;a href="http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf"&gt;FTC Red Flag Rules&lt;/a&gt;, an act titled &amp;ldquo;&lt;a href="http://thomas.loc.gov/cgi-bin/query/D?c111:2:./temp/~c111HPQkB6::"&gt;To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses&lt;/a&gt;,&amp;rdquo; passed the House of Representatives on October 20, 2009.&lt;/p&gt;
&lt;p&gt;Currently, the Red Flag Rules go into effect on &lt;a href="http://www.ftc.gov/opa/2009/07/redflag.shtm"&gt;November 1, 2009&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Set forth in full below, the bill exempts health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, from complying with the Red Flag Rules.&lt;/p&gt;
&lt;p&gt;The Adler amendment will have little effect on the litigation brought in August by the &lt;a href="http://www.abanet.org/abanet/media/release/news_release.cfm?releaseid=755"&gt;American Bar Association&lt;/a&gt; because of its limited scope.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/viohVOXfGco" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/viohVOXfGco/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">FCRA</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair Credit Reporting Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">John Adler</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Red Flag Rules</category>
         <pubDate>Thu, 22 Oct 2009 08:19:02 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/red-flag-rules-1/exemptions-under-ftc-red-flag-rules-amendment-passes-the-house/</feedburner:origLink></item>
            <item>
         <title>CALIFORNIA'S PROPOSED STRENGTHENED DATA PRIVACY LAW TERMINATED</title>
         <description>&lt;p&gt;It appears that John Connor is not the only thing from the future in Governor Schwarzenegger&amp;rsquo;s crosshairs.&amp;nbsp;The Governator vetoed the update to &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;rsquo;s landmark privacy protection law (AB 700)&lt;/a&gt;, known as &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, which California&amp;rsquo;s State Legislature previously approved and we reported about &lt;a href="http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/"&gt;here&lt;/a&gt;. &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was proposed by State Senator Joe Simitian (D-Palo Alto).&lt;/p&gt;
&lt;p&gt;Simitian, the author of California&amp;rsquo;s existing privacy legislation (&lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;AB 700&lt;/a&gt;), created a bill that had no apparent opposition.&amp;nbsp;In fact, Simitian has a record of creating trend-setting legislation in the privacy field, with more than 40 states adopting legislation similar to the legislation that he authored for California (AB 700).&amp;nbsp;Scientific American named Simitian as a member of the &amp;ldquo;Scientific American 50&amp;rdquo; in 2003 in the &amp;ldquo;Privacy &amp;amp; Security&amp;rdquo; category for his work on California&amp;rsquo;s existing legislation (AB 700).&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.californiachronicle.com/articles/view/123684"&gt;California Chronicle&lt;/a&gt; quoted Simitan as saying &amp;ldquo;I&amp;rsquo;m surprised as well as disappointed by the Governor&amp;rsquo;s veto.&amp;nbsp;There was no opposition to the bill in its final form. This was a common sense step to help consumers.&amp;rdquo;&lt;br /&gt;
&lt;br /&gt;
As a refresher, SB 20 would have accomplished two major goals. First, SB 20 would have required that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also have required that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.&lt;/p&gt;
&lt;p&gt;While the basis for the Governor&amp;rsquo;s veto of &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt; was not immediately apparent, it is likely that Simitian will reintroduce this legislation with some adjustments.&lt;/p&gt;
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/BIzKAfRITHw/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">20</category><category domain="http://dataprivacy.foxrothschild.com/tags">Breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe</category><category domain="http://dataprivacy.foxrothschild.com/tags">Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Protection</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB</category><category domain="http://dataprivacy.foxrothschild.com/tags">Schwarzenegger</category><category domain="http://dataprivacy.foxrothschild.com/tags">Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category>
         <pubDate>Tue, 13 Oct 2009 07:37:34 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/10/articles/proposed-law/californias-proposed-strengthened-data-privacy-law-terminated/</feedburner:origLink></item>
            <item>
         <title>Proposed California Data Breach Law Could Create a Clearinghouse</title>
         <description>&lt;p&gt;We have written before about how the lack of a national clearinghouse for large data breaches is a significant shortcoming of existing federal law.  We have also speculated that if a large state were to create a de facto clearinghouse, the shortcoming may be partially alleviated.&lt;/p&gt;
&lt;p&gt;President Obama&amp;rsquo;s administration may be disappointing many privacy experts to date, but California&amp;rsquo;s Governator now has an opportunity to make some major strides.&lt;/p&gt;
&lt;p&gt;California&amp;rsquo;s State Legislature approved &lt;a href="http://leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;amp;sess=CUR&amp;amp;house=B&amp;amp;author=simitian"&gt;SB 20&lt;/a&gt;, a bill proposed by State Senator Joe Simitian (D-Palo Alto), which the Senator states would &amp;ldquo;strengthen and update &lt;a href="http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm"&gt;California&amp;rsquo;s landmark privacy protection law&lt;/a&gt;.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Governor Schwarzenegger will have until October 11th to sign or veto the proposed bill.&lt;/p&gt;
&lt;p&gt;The existing legislation, originally authored by Simitian, requires that any company or business that suffers a breach in which unencrypted personal information is acquired (or is reasonably believed to have been acquired) by an unauthorized person send a security breach notification letter to those affected; encrypted data that is compromised does not trigger the notice requirement.  Simitian&amp;rsquo;s office proudly and accurately states that California&amp;rsquo;s law has been widely praised, and more than 40 states have adopted similar legislation.&lt;/p&gt;
&lt;p&gt;At its heart, SB 20 accomplishes two major goals.  First, SB 20 would require that the notification letters sent to victims &amp;ldquo;contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Second, SB 20 would also require that parties that have a (single event) data breach that affects more than 500 California residents provide a copy of the notification letter to the state Attorney General&amp;rsquo;s office.  This second provision is where there is now a potential for a clearinghouse.  In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected.  Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens.  It is also conceivable that the Attorney General&amp;rsquo;s office would post information regarding these reported data breaches on its web site in an easily accessible manner.&lt;/p&gt;
&lt;p&gt;While the proposed revision to California&amp;rsquo;s data breach law is not a cure for the lack of a national database, it does create hope that a national requirement may be on the horizon.  In any event, as more states consider and require such reporting requirements, at the very least there may come into existence a patchwork of clearinghouses.  Even such a patchwork has the potential to be better than the current systems.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/a7wx2H6fP24" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/a7wx2H6fP24/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Joe Simitian</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy"</category><category domain="http://dataprivacy.foxrothschild.com/tags">SB 20</category><category domain="http://dataprivacy.foxrothschild.com/tags">california</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Fri, 11 Sep 2009 17:28:10 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/09/articles/data-protection-law-compliance/proposed-california-data-breach-law-could-create-a-clearinghouse/</feedburner:origLink></item>
            <item>
         <title>Identity Theft Regulations in Massachusetts May Get Small Business Friendly</title>
         <description>&lt;p&gt;The &lt;a href="http://www.mass.gov/consumer) announced (http://www.mass.gov/?pageID=ocapressrelease&amp;amp;L=1&amp;amp;L0=Home&amp;amp;sid=Eoca&amp;amp;b=pressrelease&amp;amp;f=20090817_idtheftregs&amp;amp;csid=Eoca"&gt;Office of Consumer Affairs and Business Regulations (OCABR)&lt;/a&gt; proposed revisions to the Massachusetts&amp;rsquo; identity theft regulations, which would take effect on March 1, 2010.&lt;/p&gt;
&lt;p&gt;The proposed regulations can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf"&gt;here&lt;/a&gt; (PDF).&amp;nbsp; A comparison, or redline, of the proposed regulations to the current regulations can be found &lt;a href="http://dataprivacy.foxrothschild.com/uploads/file/STANDARDS_FOR_THE_PROTECTION_OF_PERSONAL_INFORMATION.DOC"&gt;here&lt;/a&gt; (.DOC).&amp;nbsp;  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found &lt;a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf"&gt;here&lt;/a&gt; (PDF), and they are certainly worth a read.&lt;/p&gt;
&lt;p&gt;Citing a desire to undertake data security as &amp;ldquo;a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,&amp;rdquo; the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.&lt;/p&gt;
&lt;p&gt;Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&amp;bull;	As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law).  This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information). &lt;br /&gt;
&amp;bull;	Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward). &lt;br /&gt;
&amp;bull;	The encryption requirement under the current regulation has been tailored to be technology neutral, and a &amp;ldquo;technical feasibility&amp;rdquo; qualifier has been applied to all computer security requirements. This is not a loophole: where a reasonable means of protection is available, businesses must still use it.&lt;br /&gt;
&amp;bull;	The third-party vendor requirements have been changed to be consistent with federal law.&lt;/p&gt;
&lt;p&gt;One aspect that has NOT been proposed for change, and the aspect of Massachusetts&amp;rsquo; cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is the encryption requirement: personal information stored on laptops and other portable devices and media (thumb drives, backup tapes and the like) must be encrypted, as must personal information transmitted across public networks or wirelessly, to the extent technically feasible.  Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside of the &amp;ldquo;privacy community.&amp;rdquo;  As with most laws, ignorance of the requirement is not a defense.&lt;/p&gt;
&lt;p&gt;Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day.  We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/EiN4YkqEeH8" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/EiN4YkqEeH8/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">201 CMR 17.00</category><category domain="http://dataprivacy.foxrothschild.com/tags">ID theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Office of Consumer Affairs and Business Regulations (OCABR)</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">massachusetts</category>
         <pubDate>Tue, 18 Aug 2009 07:34:09 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/08/articles/proposed-law/identity-theft-regulations-in-massachusetts-may-get-small-business-friendly/</feedburner:origLink></item>
            <item>
         <title>The Information Security and Privacy Advisory Board Issues Federal Privacy Recommendations</title>
         <description>&lt;p&gt;&lt;a href="http://csrc.nist.gov/groups/SMA/ispab/index.html"&gt;The Information Security and Privacy Advisory Board&lt;/a&gt; (the &amp;ldquo;Board&amp;rdquo;), known from the late 1980&amp;rsquo;s until 2002 as the Computer System Security and Privacy Advisory Board, has released its expected report with recommendations on updating privacy law and policy in light of technological advancements.&lt;span style=""&gt;&amp;nbsp; &lt;/span&gt;The Board&amp;rsquo;s report, titled &amp;ldquo;&lt;a href="http://www.securityprivacyandthelaw.com/uploads/file/ispab-report-may2009.pdf"&gt;Toward a 21&lt;sup&gt;st&lt;/sup&gt; Century Framework for Federal Government Privacy Policy&lt;/a&gt;,&amp;rdquo; (PDF), makes several recommendations at the federal government level to address longstanding deficiencies in current practices, as follows:&lt;/p&gt;
&lt;ul type="disc" style="margin-top: 0in;"&gt;
    &lt;li style="" class="MsoNormal"&gt;Amendments to the &lt;a href="http://epic.org/privacy/laws/privacy_act.html"&gt;Privacy Act of 1974&lt;/a&gt;      and Section 208 of the &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&amp;amp;docid=f:publ347.107.pdf"&gt;E-Government      Act of 2002&lt;/a&gt; are needed to:
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;Improve Government       privacy notices&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Update the definition of System       of Records to cover relational and distributed systems based on government       use, not holding, of records&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Clearly cover commercial       data sources under both the Privacy Act and the E-Government Act&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Government leadership on      privacy must be improved
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should hire a full&lt;span style="font-family: Cambria;"&gt;‐&lt;/span&gt;time Chief Privacy Officer with       resources&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Privacy Act Guidance from       OMB must be regularly updated&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;Chief Privacy Officers       should be hired at all &amp;ldquo;CFO agencies&amp;rdquo;&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;A Chief Privacy Officers&amp;rsquo;       Council should be developed&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li style="" class="MsoNormal"&gt;Other changes in privacy      policy are necessary
    &lt;ul type="circle" style="margin-top: 0in;"&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should update the       federal government&amp;rsquo;s cookie policy&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should issue privacy       guidance on agency use of location information&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;OMB should work with &lt;a href="http://www.us-cert.gov/"&gt;US-CERT&lt;/a&gt; to create interagency information       on data loss across the government&lt;/li&gt;
        &lt;li style="" class="MsoNormal"&gt;There should be public       reporting on use of Social Security Numbers&lt;o:p&gt;&lt;/o:p&gt;&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Citing a lack of leadership from Congress, the failure to update federal laws and regulations, and the breakneck speed of technological evolution, the Board appeared critical that &amp;ldquo;only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Whether this report will be the catalyst of sweeping privacy reform from the Obama administration that many have expected remains to be seen.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/3YlXH3m3FWc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/3YlXH3m3FWc/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">E-Government Act of 2002</category><category domain="http://dataprivacy.foxrothschild.com/tags">Information Security and Privacy Advisory Board</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy Act of 1974</category><category domain="http://dataprivacy.foxrothschild.com/tags">Toward a 21st Century Framework for Federal Government Privacy Policy</category><category domain="http://dataprivacy.foxrothschild.com/tags">privacy law</category>
         <pubDate>Tue, 28 Jul 2009 18:02:23 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/the-information-security-and-privacy-advisory-board-issues-federal-privacy-recommendations/</feedburner:origLink></item>
            <item>
         <title>PCI Security Standards Council Issues Guidelines</title>
         <description>&lt;p&gt;The Payment Card Industry Security Standards Council, which administers the PCI standards, has issued guidelines for applying its protocols to wireless technology. These Guidelines will help merchants incorporate wireless networking equipment without compromising data security. The Guidelines consist of nine requirements that provide guidance for testing and deploying wireless networks. Specifically, the Guidelines will help merchants to understand methods to secure their wireless networks. In addition, the Council formed a special interest group to develop recommendations for businesses to increase wireless security and reduce the potential for hackers to access wireless networks.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/iV3b_9gECEY" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/iV3b_9gECEY/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/pci-1/pci-security-standards-council-issues-guidelines/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">PCI standards</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Security Council</category><category domain="http://dataprivacy.foxrothschild.com/tags">wireless guidelines</category><category domain="http://dataprivacy.foxrothschild.com/tags">wireless networks</category>
         <pubDate>Thu, 23 Jul 2009 08:51:58 -0500</pubDate>
         <author>apurcell@foxrothschild.com (Amy C. Purcell)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/pci-1/pci-security-standards-council-issues-guidelines/</feedburner:origLink></item>
            <item>
         <title>Payment Card Industry Data Security Standard Comes to Nevada</title>
         <description>&lt;p&gt;Minnesota made waves in 2007 when it became the first state to make part of the Payment Card Industry (&amp;ldquo;PCI&amp;rdquo;) Data Security Standard applicable to its &lt;a href="http://wdoc.house.leg.state.mn.us/leg/LS85/HF1758.3.pdf"&gt;Plastic Card Security Act&lt;/a&gt; (PDF link). Although it has taken over two years, Nevada has become the second state to incorporate PCI and it has done so by making all of the PCI standard applicable.&lt;/p&gt;
&lt;p&gt;Nevada&amp;rsquo;s existing &lt;a href="http://www.leg.state.nv.us/Nrs/NRS-603A.html"&gt;Security of Personal Information law&lt;/a&gt; now requires that affected parties comply with PCI as a whole.  Unfortunately, the &lt;a href="https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf"&gt;Nevada amendment&lt;/a&gt; (PDF link) does not get off to a good start, requiring compliance deadlines that do not exist under the PCI standard, but are (in actuality) created independently by the card issuers.  Amending the existing &lt;a href="http://www.leg.state.nv.us/Nrs/NRS-603A.html"&gt;Security of Personal Information law&lt;/a&gt;, the amendment (PDF link) requires that each affected party meet the following standard:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The effect of the amendment itself is quite interesting.  First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships.  This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.&lt;/p&gt;
&lt;p&gt;Second, the amendment proposes a standard that creates some interesting outcomes.  This safe harbor provides that &amp;ldquo;[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.&amp;rdquo;  Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty.  Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.&lt;/p&gt;
&lt;p&gt;It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard.  Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner rather than later.&lt;/p&gt;
&lt;p&gt;Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws.  With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/OeBfDPRAPgU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/OeBfDPRAPgU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/payment-card-industry-data-security-standard-comes-to-nevada/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Nevada</category><category domain="http://dataprivacy.foxrothschild.com/articles">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Data Security Standard</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category>
         <pubDate>Wed, 01 Jul 2009 12:07:18 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/07/articles/data-protection-law-compliance/payment-card-industry-data-security-standard-comes-to-nevada/</feedburner:origLink></item>
            <item>
         <title>TJX Reaches Settlement In Data Security Breach Investigation</title>
         <description>&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX agreed to pay $9.75 million to&amp;nbsp;forty-one states to settle an investigation of a data breach that it reported in January 2007.&amp;nbsp; $2.5 million of the settlement amount will&amp;nbsp;be used to create a data security fund for those states whose residents were affected by the data breach.&amp;nbsp; TJX will pay $7.25 million in settlement and investigation costs.&amp;nbsp; The settlement&amp;nbsp;requires&amp;nbsp;TJX, among other items,&amp;nbsp;to take&amp;nbsp;specific steps to tighten data security and to provide notice to consumers within ten&amp;nbsp;days in the event of another data security breach.&amp;nbsp; The settlement also allows state governments to monitor TJX's data security efforts for three years.&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX&amp;nbsp;continues to emphasize&amp;nbsp;that it &amp;quot;firmly believes it did not violate any consumer protection or data security laws.&amp;quot;&amp;nbsp; TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take &amp;quot;leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry.&amp;quot;&amp;nbsp; &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font face="Arial" size="2"&gt;&lt;span class="573284821-24062009"&gt;TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/RLEmXatEWrU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/RLEmXatEWrU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/tjx-reaches-settlement-in-data-security-breach-investigation/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJ Maxx</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">settlement</category><category domain="http://dataprivacy.foxrothschild.com/tags">state attorney general</category>
         <pubDate>Wed, 24 Jun 2009 18:09:04 -0500</pubDate>
         <author>apurcell@foxrothschild.com (Amy C. Purcell)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/tjx-reaches-settlement-in-data-security-breach-investigation/</feedburner:origLink></item>
            <item>
         <title>Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages</title>
         <description>&lt;p&gt;On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of a data security breach.&lt;/p&gt;
&lt;p&gt;In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the &amp;quot;stress caused by their fear of identity theft&amp;quot; and &amp;quot;from their loss of trust in the VA&amp;quot; aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove &amp;quot;actual damages&amp;quot; or &amp;quot;pecuniary losses&amp;quot;. The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/y9MCx5blBCg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/y9MCx5blBCg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/eleventh-circuit-court-of-appeals-rejects-veterans-claims-for-damages/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Department of Veterans Affairs</category><category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">VA</category><category domain="http://dataprivacy.foxrothschild.com/tags">actual damages</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">hard drive</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category>
         <pubDate>Fri, 19 Jun 2009 10:20:53 -0500</pubDate>
         <author>apurcell@foxrothschild.com (Amy C. Purcell)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/regulatory-enforcement-and-lit/eleventh-circuit-court-of-appeals-rejects-veterans-claims-for-damages/</feedburner:origLink></item>
            <item>
         <title>Data Breach Sharing Website Started</title>
         <description>&lt;p&gt;The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched &lt;a href="http://www.Breachcenter.com"&gt;www.Breachcenter.com&lt;/a&gt; today.&amp;nbsp; Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the &amp;quot;technical aspects of breach recovery&amp;quot; or &amp;quot;breach prevention&amp;quot;, Breachcenter.com focuses on the &amp;quot;human side&amp;quot; of responding to a data breach. Breachcenter.com serves as a &amp;quot;community-fueled knowledge base&amp;quot; that includes practical information&amp;nbsp;about how to&amp;nbsp;respond&amp;nbsp;to a&amp;nbsp;data breach, including legal obligations to notify consumers who may be affected by the breach.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/Ol7yf84SdXg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/Ol7yf84SdXg/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/06/articles/data-security-breach-response/data-breach-sharing-website-started/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Breachcenter.com</category><category domain="http://dataprivacy.foxrothschild.com/articles">Data Security Breach Response</category><category domain="http://dataprivacy.foxrothschild.com/tags">Identity Theft Assistance Center</category><category domain="http://dataprivacy.foxrothschild.com/tags">Intersections Inc.</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach sharing site</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security</category><category domain="http://dataprivacy.foxrothschild.com/tags">risk management technology</category>
         <pubDate>Tue, 09 Jun 2009 09:20:13 -0500</pubDate>
         <author>apurcell@foxrothschild.com (Amy C. Purcell)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/06/articles/data-security-breach-response/data-breach-sharing-website-started/</feedburner:origLink></item>
            <item>
         <title>Data Governance Resource - From the IT Perspective</title>
         <description>&lt;p&gt;Microsoft recently announced its new &lt;a href="http://www.microsoft.com/mscorp/twc/privacy/datagovernance/default.mspx"&gt;Trustworthy Computing: Data Governance&lt;/a&gt; web site at &lt;a href="https://www.msteched.com/teched/default.aspx"&gt;Tech&amp;bull;Ed&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;According to Microsoft, it is promoting data governance because:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;br /&gt;
&amp;ldquo;Growing public concerns about abuses of consumers&amp;rsquo; personal information threatens to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Data Governance can reduce an organization&amp;rsquo;s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Although the purpose of the Data Governance web site is to serve as a reference for software and application developers, it is also a good reference for any person involved in developing and maintaining the integrity, security, storage and sharing of data that contains personal information.&lt;/p&gt;
&lt;p&gt;Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best practices requirements, and determining how long data should be retained.&lt;/p&gt;
&lt;p&gt;As required by more and more state statutes, Microsoft is promoting the development and implementation of data policies and action plans.&lt;/p&gt;
&lt;p&gt;Although the materials are helpful and directed more at what to do than at how to do it, Microsoft does publish its own &lt;a href="http://download.microsoft.com/download/0/8/2/082448D8-2AED-45BC-A9A0-094840E9E3A2/Microsoft_and%20Privacy_guidelines_for_developers.doc"&gt;standard privacy guidelines&lt;/a&gt;, as well as an &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=BD930882-0D39-4900-9A79-B91F213ED15D&amp;amp;displaylang=en"&gt;IT Compliance Management Guide&lt;/a&gt;.  Although these materials are prepared for Microsoft, and are not applicable to very many businesses, they are good resources for anyone wanting to get a flavor for these types of documents.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/B10yqCGeVrU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/B10yqCGeVrU/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/data-governance-resource-from-the-it-perspective/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">IT Compliance Management Guide</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">Trustworthy Computing: Data Governance</category><category domain="http://dataprivacy.foxrothschild.com/tags">data management</category><category domain="http://dataprivacy.foxrothschild.com/tags">data storage</category><category domain="http://dataprivacy.foxrothschild.com/tags">microsoft</category>
         <pubDate>Fri, 29 May 2009 15:47:06 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/data-governance-resource-from-the-it-perspective/</feedburner:origLink></item>
            <item>
         <title>European Commission Takes Action on RFID Tags</title>
         <description>&lt;p&gt;The &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Rfid"&gt;RFID (radio frequency identification)&lt;/a&gt; camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that when coupled with pin codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.&lt;/p&gt;
&lt;p&gt;On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations, hoping to ensure that companies involved in the design or operation of RFID products respect the individual's fundamental right to privacy and data protection, contained in the charter of fundamental rights of the European Union. The recommendations can be read &lt;a target="_blank" href="http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf"&gt;in full here&lt;/a&gt; (pdf link).&lt;/p&gt;
&lt;p&gt;Members of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and the Commission will publish a report within three years of its impact assessment and success with implementation to date.&lt;/p&gt;
&lt;p&gt;The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under &lt;a target="_blank" href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT"&gt;The EU Data Protection Directive 95/46/EC&lt;/a&gt;, comply with the steps set forth in the recommendations. The following are some of the more significant recommendations:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.&lt;/li&gt;
    &lt;li&gt;Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.&lt;/li&gt;
&lt;/ul&gt;&lt;ul&gt;
    &lt;li&gt;Without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include: (a) the identity and address of the operators, (b) the purpose of the application, (c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored, (d) a summary of the privacy and data protection impact assessment, (e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.&lt;/li&gt;
    &lt;li&gt;Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.&lt;/li&gt;
    &lt;li&gt;On the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.&lt;/li&gt;
    &lt;li&gt;When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.&lt;/li&gt;
    &lt;li&gt;Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free-of-charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective. (Not applicable if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free-of-charge an easy means to, immediately or at a later stage, deactivate or remove these tags.)&lt;/li&gt;
    &lt;li&gt;Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.&lt;/li&gt;
    &lt;li&gt;Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.&lt;/li&gt;
    &lt;li&gt;Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the &amp;lsquo;security and privacy by design&amp;rsquo; principle at an early stage in the development of RFID applications.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or &lt;a href="mailto:mmccreary@foxrothschild.com"&gt;mmccreary@foxrothschild.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/mEH0-JxjNcI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/mEH0-JxjNcI/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/rfid/european-commission-takes-action-on-rfid-tags/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">EU Data Protection Directive 95/46/EC</category><category domain="http://dataprivacy.foxrothschild.com/tags">European Commission</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">RFID</category><category domain="http://dataprivacy.foxrothschild.com/tags">RFID (radio frequency identification) Directives 95/46/EC and 2002/58/EC</category><category domain="http://dataprivacy.foxrothschild.com/tags">RFID Directives</category>
         <pubDate>Thu, 14 May 2009 10:58:21 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/rfid/european-commission-takes-action-on-rfid-tags/</feedburner:origLink></item>
            <item>
         <title>Federal Circuit Court Of Appeals Rules That TJX Litigation May Proceed On State Law Claims</title>
         <description>&lt;p&gt;The First Circuit Court of Appeals has ruled that, by accepting credit cards for payment, retailer TJX and its processing bank, Fifth Third, could have negligently misrepresented to credit and debit card issuers that their data security practices were in compliance with the security protocols established by VISA and MasterCard operating regulations. The First Circuit also ruled that, based either on the issuers' claim of negligent misrepresentation or on a possible violation of Section 5 of the Federal Trade Commission Act, TJX and Fifth Third could have engaged in deceptive practices in violation of Chapter 93A of Massachusetts General Law. While Chapter 93A may require egregious conduct, systemic recklessness, as distinct from deliberate wrongdoing or self-benefit, may be sufficient to sustain a claim.&lt;/p&gt;
&lt;p&gt;After a security breach in 2005, in which computer hackers gained access to TJX's wireless network and compromised the security of more than 45 million customer accounts, credit and debit card issuers filed suit against TJX and Fifth Third to recover losses they sustained as a result of fraudulent use of cardholder information.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/e80O5VkAYUc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/e80O5VkAYUc/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/regulatory-enforcement-and-lit/federal-circuit-court-of-appeals-rules-that-tjx-litigation-may-proceed-on-state-law-claims/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Fifth Third</category><category domain="http://dataprivacy.foxrothschild.com/tags">MasterCard</category><category domain="http://dataprivacy.foxrothschild.com/articles">Regulatory Enforcement and Litigation</category><category domain="http://dataprivacy.foxrothschild.com/tags">Section 5 of the Federal Trade Commission Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">TJX</category><category domain="http://dataprivacy.foxrothschild.com/tags">VISA</category><category domain="http://dataprivacy.foxrothschild.com/tags">data security breach</category><category domain="http://dataprivacy.foxrothschild.com/tags">deceptive practices</category><category domain="http://dataprivacy.foxrothschild.com/tags">negligent misrepresentation</category>
         <pubDate>Wed, 13 May 2009 09:19:45 -0500</pubDate>
         <author>svernick@foxrothschild.com (Scott L. Vernick)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/regulatory-enforcement-and-lit/federal-circuit-court-of-appeals-rules-that-tjx-litigation-may-proceed-on-state-law-claims/</feedburner:origLink></item>
            <item>
         <title>House Calls For Increased Internet Privacy Protection</title>
         <description>&lt;p&gt;House Energy and Commerce Communications Subcommittee Chairman Rick Boucher (D-Va.) plans to introduce a bill to provide Web users greater confidence in how information collected online is stored and used. In a hearing held last month, Boucher focused on pipeline providers, such as AT&amp;amp;T, Comcast and Verizon. The panel discussed whether the government should regulate a filtering technology that Internet firms employ for security reasons. This technology, however, can also be used to target advertising by tracking customers' Internet use and compiling detailed customer profiles without their consent.&lt;/p&gt;
&lt;p&gt;Boucher has decided to join forces with Energy and Commerce Consumer Protection Subcommittee Chairman Bobby Rush (D-Ill.), who recently introduced the Data Accountability and Trust Act (H.R. 2221). The Data Accountability and Trust Act, in its proposed form, would preempt state data breach notification laws and require entities that collect personal information to implement certain security policies. Boucher and Rush plan to hold a joint hearing this summer to determine how they can combine their efforts. Google and Yahoo have already expressed an interest in testifying at this joint hearing.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/fItjWKuUGRA" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/fItjWKuUGRA/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/house-calls-for-increased-internet-privacy-protection/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Bobby Rush</category><category domain="http://dataprivacy.foxrothschild.com/tags">Data Accountability and Trust Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">Energy and Commerce Consumer Protection</category><category domain="http://dataprivacy.foxrothschild.com/tags">House Energy and Commerce</category><category domain="http://dataprivacy.foxrothschild.com/tags">Internet privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">Rick Boucher</category><category domain="http://dataprivacy.foxrothschild.com/tags">privacy bills</category><category domain="http://dataprivacy.foxrothschild.com/tags">target advertising</category>
         <pubDate>Thu, 07 May 2009 18:38:54 -0500</pubDate>
         <author>apurcell@foxrothschild.com (Amy C. Purcell)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/house-calls-for-increased-internet-privacy-protection/</feedburner:origLink></item>
            <item>
         <title>Data Breaches Worse Than Thought</title>
         <description>&lt;p&gt;There is a very interesting article posted at Nextgov.com regarding major data breaches and thefts.&amp;nbsp; The article can be found &lt;a href="http://techinsider.nextgov.com/2009/05/yes_it_is_that_bad_security_br.php"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The author, quoting James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, makes the point that the list of breaches would be much larger if smaller breaches were reported.&lt;/p&gt;
&lt;p&gt;So how many breaches go unreported?&amp;nbsp; Well, nobody knows for sure but the number would almost certainly be staggering.&amp;nbsp; With &lt;a href="http://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/data-accountability-and-trust-act-federal-breach-notification-data-security-policies-and-file-access-addressed/"&gt;new federal requirements&lt;/a&gt; poised to go into effect, we may start to have a better idea of just how many breaches occur.&amp;nbsp; At the very least, we may have a way to track those breaches that are actually reported.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/7UPQNUTqBRk" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/7UPQNUTqBRk/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/data-theft/data-breaches-worse-than-thought/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Theft</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach theft</category>
         <pubDate>Thu, 07 May 2009 13:10:35 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/data-theft/data-breaches-worse-than-thought/</feedburner:origLink></item>
            <item>
         <title>Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed</title>
         <description>&lt;p&gt;The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal legislation regarding privacy, the &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-2221"&gt;Data Accountability and Trust Act (H.R. 2221)&lt;/a&gt; (&amp;ldquo;DATA&amp;rdquo;), which was referred to the House Committee on Energy and Commerce on April 30, 2009.&lt;/p&gt;
&lt;p&gt;The proposed DATA legislation has three primary goals.  First, DATA would put into place a first of its kind (other than the HITECH Act applicable to medical data, discussed &lt;a href="http://hipaahealthlaw.foxrothschild.com/articles/hitech-act/"&gt;here&lt;/a&gt;) federal law regarding the standards for notification of breaches or thefts involving personally identifiable information.  DATA would also require that notification be provided to the FTC if there is a breach.  Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA.  Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements.  Although privacy proponents summarily applaud the idea of data breach notification standards, fear of putting in place a lower standard than already in place in some jurisdictions continues to cast a shadow over this prospect.  As with many state laws, a firm can avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft.  This &amp;ldquo;no risk&amp;rdquo; standard, however, would be a lesser standard than those states that require reporting regardless of whether there is a risk.  Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Second, DATA would require that those firms that store personally identifiable information have in place security policies and procedures to ensure that information is adequately protected. These proposed provisions largely track those already in place in the &lt;a href="http://www.ftc.gov/privacy/glbact/glbsub1.htm"&gt;Gramm-Leach-Bliley Act&lt;/a&gt;.&amp;nbsp; The definition of &amp;ldquo;personal information&amp;rdquo; in DATA is fairly limited in scope, largely because having too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification if there is a breach, a possibility many fear would lead to complacency if breach notification becomes an everyday occurrence. The current definition under DATA is: an individual&amp;rsquo;s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver&amp;rsquo;s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual&amp;rsquo;s financial account.&lt;/p&gt;
&lt;p&gt;However, the definition of &amp;ldquo;personal information&amp;rdquo; in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of &amp;ldquo;personal information,&amp;rdquo; there will be a push to expand the definition of &amp;ldquo;personal information&amp;rdquo; for purposes of the security policies and procedures requirements.&lt;/p&gt;
&lt;p&gt;Third, DATA has added provisions related to consumers&amp;rsquo; ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the &lt;a href="http://www.ftc.gov/os/statutes/031224fcra.pdf"&gt;Fair Credit Reporting Act&lt;/a&gt; (PDF link), consumers are allowed to point out incorrect &amp;ldquo;personal information&amp;rdquo; a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of &amp;ldquo;personal information&amp;rdquo; is limited and would only allow a review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by &amp;ldquo;maintain.&amp;rdquo; Does information obtained from clearinghouses constitute &amp;ldquo;maintaining&amp;rdquo; that information? Most state statutes are interested in possession and/or use of the data, which is a much clearer standard.&lt;/p&gt;
&lt;p&gt;DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.&lt;/em&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/lvSnufartv0" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/lvSnufartv0/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/data-accountability-and-trust-act-federal-breach-notification-data-security-policies-and-file-access-addressed/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/tags">Data Accountability and Trust Act (H.R. 2221)</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair Credit Reporting Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">Gramm-Leach-Bliley Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">HITECH Act</category><category domain="http://dataprivacy.foxrothschild.com/tags">House Committee on Energy and Commerce</category><category domain="http://dataprivacy.foxrothschild.com/tags">Privacy</category><category domain="http://dataprivacy.foxrothschild.com/articles">Proposed Law</category><category domain="http://dataprivacy.foxrothschild.com/tags">U.S. House of Representatives</category><category domain="http://dataprivacy.foxrothschild.com/tags">data breach</category>
         <pubDate>Thu, 07 May 2009 09:08:20 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/data-accountability-and-trust-act-federal-breach-notification-data-security-policies-and-file-access-addressed/</feedburner:origLink></item>
            <item>
         <title>Heartland Reestablishes PCI Compliance</title>
         <description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;On Friday, May 1, 2009, Heartland Payment Systems Inc. announced that it is again compliant with the Payment Card Industry Data Security Standard. In April 2008, a compliance audit determined that Heartland was PCI compliant but, sometime after that, Heartland fell out of compliance. In January 2009, the payment processor reported that it was the victim of what became a widely reported security breach. Effective May 4, 2009, VISA will again list Heartland as a validated service provider.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/2gZp-YfGs6g" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/2gZp-YfGs6g/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/heartland-reestablishes-pci-compliance/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">Heartland</category><category domain="http://dataprivacy.foxrothschild.com/tags">PCI</category><category domain="http://dataprivacy.foxrothschild.com/tags">Payment Card Industry Data Security Standard</category><category domain="http://dataprivacy.foxrothschild.com/tags">VISA</category><category domain="http://dataprivacy.foxrothschild.com/tags">compliant</category>
         <pubDate>Mon, 04 May 2009 08:56:07 -0500</pubDate>
         <author>svernick@foxrothschild.com (Scott L. Vernick)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/heartland-reestablishes-pci-compliance/</feedburner:origLink></item>
            <item>
         <title>Red Flags Rules Further Delayed, Now Go Into Effect August 1, 2009</title>
         <description>&lt;p&gt;UPDATE: Whether it is because of the economy, or a fear that the Red Flags Rules affect far more retailers than may be understood, the FTC has granted a further delay of enforcement of the Red Flags Rules until August 1, 2009. &amp;nbsp;Additionally, the FTC will issue a template for lower risk covered entities. &amp;nbsp;The most recent update can be read &lt;a href="http://www.ftc.gov/opa/2009/04/redflagsrule.shtm"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This time, nobody can accuse the &lt;a href="http://www.ftc.gov"&gt;Federal Trade Commission&lt;/a&gt; (&amp;ldquo;FTC&amp;rdquo;) and other agencies of implementing new requirements that sneak up on us.  These particular regulations (the &amp;ldquo;Red Flags Rules&amp;rdquo;), which require that &lt;em&gt;financial institutions&lt;/em&gt; and &lt;em&gt;creditors&lt;/em&gt; develop and implement written identity theft prevention programs, and which were issued by the FTC, the federal bank regulatory agencies and the &lt;a href="http://www.ncua.gov/"&gt;National Credit Union Administration&lt;/a&gt; (&amp;quot;NCUA&amp;quot;) as part of the &lt;a href="http://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act"&gt;Fair and Accurate Credit Transactions (FACT) Act of 2003&lt;/a&gt;, go into effect on August 1, 2009. Originally, the Red Flags Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009.&lt;/p&gt;
&lt;p&gt;The Red Flags Rules require that a program be put in place by financial institutions and creditors that provides for the identification, detection, and response to patterns, practices, or specific activities &amp;ndash; known as &amp;ldquo;red flags.&amp;rdquo;  The purpose of the Red Flags Rules is to help avoid identity theft.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;These &amp;quot;red flags&amp;quot; may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;As explained by the FTC:&lt;br /&gt;
The Red Flags Rules apply to &amp;ldquo;financial institutions&amp;rdquo; and &amp;ldquo;creditors&amp;rdquo; with &amp;ldquo;covered accounts.&amp;rdquo;&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a &amp;ldquo;transaction account&amp;rdquo; belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC&amp;rsquo;s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft &amp;ndash; for example, small business or sole proprietorship accounts.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;
A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&amp;bull;  alerts, notifications, or warnings from a consumer reporting agency; &lt;br /&gt;
&amp;bull;  suspicious documents; &lt;br /&gt;
&amp;bull;  suspicious personally identifying information, such as a suspicious address; &lt;br /&gt;
&amp;bull;  unusual use of &amp;ndash; or suspicious activity relating to &amp;ndash; a covered account; and &lt;br /&gt;
&amp;bull; notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.&lt;/p&gt;
&lt;p&gt;A full list of the 26 possible red flags is set forth below.&lt;/p&gt;
&lt;p&gt;It is important that your business, if affected, conform with the Red Flags Rules.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Alerts, Notifications or Warnings from a Consumer Reporting Agency&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;1.	A fraud or active duty alert is included with a consumer report. &lt;br /&gt;
2.	A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. &lt;br /&gt;
3.	A consumer reporting agency provides a notice of address discrepancy, as defined in &amp;sect; 334.82(b) of this part. &lt;br /&gt;
4. 	A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	A recent and significant increase in the volume of inquiries; &lt;br /&gt;
b. 	An unusual number of recently established credit relationships; &lt;br /&gt;
c. 	A material change in the use of credit, especially with respect to recently established credit relationships; or &lt;br /&gt;
d. 	An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Suspicious Documents &lt;/strong&gt;&lt;br /&gt;
5. 	Documents provided for identification appear to have been altered or forged. &lt;br /&gt;
6. 	The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. &lt;br /&gt;
7. 	Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification. &lt;br /&gt;
8. 	Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. &lt;br /&gt;
9. 	An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Suspicious Personal Identifying Information &lt;/strong&gt;&lt;br /&gt;
10. 	Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	The address does not match any address in the consumer report; or &lt;br /&gt;
b. 	The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration&amp;rsquo;s Death Master File.&lt;/p&gt;
&lt;p&gt;11. 	Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth. &lt;br /&gt;
12. 	Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	The address on an application is the same as the address provided on a fraudulent application; or &lt;br /&gt;
b. The phone number on an application is the same as the number provided on a fraudulent application.&lt;/p&gt;
&lt;p&gt;13. 	Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	The address on an application is fictitious, a mail drop, or prison; or &lt;br /&gt;
b. 	The phone number is invalid, or is associated with a pager or answering service.&lt;/p&gt;
&lt;p&gt;14. 	The SSN provided is the same as that submitted by other persons opening an account or other customers. &lt;br /&gt;
15. 	The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers. &lt;br /&gt;
16. 	The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.&lt;br /&gt;
17. 	Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. &lt;br /&gt;
18. 	For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Unusual Use of, or Suspicious Activity Related to, the Covered Account &lt;/strong&gt;&lt;br /&gt;
19. 	Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account. &lt;br /&gt;
20. 	A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or&lt;br /&gt;
b. 	The customer fails to make the first payment or makes an initial payment but no subsequent payments.&lt;/p&gt;
&lt;p&gt;21. 	A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;a. 	Nonpayment when there is no history of late or missed payments; &lt;br /&gt;
b. 	A material increase in the use of available credit; &lt;br /&gt;
c. 	A material change in purchasing or spending patterns; &lt;br /&gt;
d. 	A material change in electronic fund transfer patterns in connection with a deposit account; or &lt;br /&gt;
e. 	A material change in telephone call patterns in connection with a cellular phone account.&lt;/p&gt;
&lt;p&gt;22. 	A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). &lt;br /&gt;
23. 	Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer&amp;rsquo;s covered account. &lt;br /&gt;
24. 	The financial institution or creditor is notified that the customer is not receiving paper account statements. &lt;br /&gt;
25. 	The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer&amp;rsquo;s covered account.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor &lt;/strong&gt;&lt;br /&gt;
26. 	The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyComplianceDataSecurity/~4/_8kriwuhATY" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/PrivacyComplianceDataSecurity/~3/_8kriwuhATY/</link>
         <guid isPermaLink="false">http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/red-flags-rules-further-delayed-now-go-into-effect-august-1-2009/</guid>
         <category domain="http://dataprivacy.foxrothschild.com/articles">Data Protection Law Compliance</category><category domain="http://dataprivacy.foxrothschild.com/tags">FTC</category><category domain="http://dataprivacy.foxrothschild.com/tags">Fair and Accurate Credit Transactions Act of 2003</category><category domain="http://dataprivacy.foxrothschild.com/tags">Federal Bank Regulatory Agencies</category><category domain="http://dataprivacy.foxrothschild.com/tags">National Credit Union Administration</category><category domain="http://dataprivacy.foxrothschild.com/tags">Red Flags Rules</category><category domain="http://dataprivacy.foxrothschild.com/tags">identity theft</category>
         <pubDate>Fri, 01 May 2009 16:21:30 -0500</pubDate>
         <author>mmccreary@foxrothschild.com (Mark McCreary)</author>
      
      <feedburner:origLink>http://dataprivacy.foxrothschild.com/2009/05/articles/data-protection-law-compliance/red-flags-rules-further-delayed-now-go-into-effect-august-1-2009/</feedburner:origLink></item>
      
   </channel>
</rss>
