On May 12, 2009, the UK Information Commissioner's Office (ICO) released a much anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive's positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

• Email This
• Print
• Comments
• Trackbacks

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation.  Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law.  The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.  The amended language can be found here.  It becomes effective 90 days following adjournment of Maine's 124th Legislature.

• Email This
• Print
• Comments
• Trackbacks

The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers, and certify to FINRA that its procedures and systems are in compliance with privacy requirements. See FINRA News Release (April 28, 2009).

• Email This
• Print
• Comments
• Trackbacks

We noted in an earlier post that the FTC determined that the Red Flags Rule applies to retailers who pass credit card applications on to lenders. However, there appears to be strong arguments against this interpretation.

• Email This
• Print
• Comments
• Trackbacks

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

• Email This
• Print
• Comments
• Trackbacks

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here.  The title of the article says it all:  "Don't Delay Because of Red Flags Rule Delay."

• Email This
• Print
• Comments
• Trackbacks

Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers. 

The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most retailers have been caught off guard by this interpretation, since they are not accustomed to being considered “creditors.” Fortunately for them, in the nick of time for the May 1^st compliance deadline, the FTC extended the deadline to August 1, 2009, giving retailers time to put their policies in place in a thoughtful and reasoned manner.

• Email This
• Print
• Comments (1)
• Trackbacks (2)

The U.S. Securities and Exchange Commission ("SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.

• Email This
• Print
• Comments
• Trackbacks

• Email This
• Print
• Comments
• Trackbacks