
Legal Blawgs Web Archive Collection

This is an archived Web site from the Library of Congress

http://privacylaw.proskauer.com/

Archived: 11/03/2009 at 21:30:49


Massachusetts Finally Finalizes Data Security Regulations - We Think

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts' "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in July 2007.

Regulation 201 CMR 17.00 ("Standards For The Protection of Personal Information of Residents of the Commonwealth") was previously amended in August in response to industry backlash.

This week's final amendments make very few changes to the regulations that were released in August:

  • The regulations apply to persons who "store" personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
  • Service Providers include persons who "store" personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
  • The express carve-out of the U.S. Postal Service from the definition of "Service Providers" has been removed
  • The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2009 effective date of the regulations has not changed.


We Were Wrong About the Third Time Being A Charm: FTC Delays Enforcement of Red Flags Rule Yet Again

Today, at the urging of Members of Congress, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its Red Flags Rule for the fourth time. Financial institutions and creditors subject to enforcement by the FTC will now have until June 1, 2010 to develop written policies and procedures to detect and respond to so-called identity theft “red flags.”

The FTC’s announcement does not impact the separate timeline of the proceeding we reported on here (in which the U.S. District Court for the District of Columbia ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers) or any possible appeals. Moreover, the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight.


Who Cares If A List of Email Addresses Gets Stolen?

A typical corporate data security policy classifies consumer contact information as confidential, but not "highly confidential" or "sensitive." Should mere contact information be afforded greater protection?


One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers' contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action lawsuit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge's view, it provided an inadequate remedy for the affected consumers.

DC Court Sides with the ABA - No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”


The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.”


The FTC has not yet indicated whether it will appeal Judge Walton's ruling.


Here is a link to the court’s order.


Here is a link to the ABA’s press release.

COPPA Enforcement Action

Earlier today, the FTC announced its latest COPPA enforcement action (http://www.ftc.gov/opa/2009/10/iconix.shtm).  Iconix Brand Group, Inc., the operator of websites featuring its apparel brands, was fined $250,000 for collecting personal information from children without complying with COPPA’s parental consent rubric.

The FTC cited the websites associated with the brands Mudd, Candie's, Bongo and OP, which are popular with children and teens. The FTC did not characterize Iconix's websites as ones "directed to children." According to the FTC's complaint, the websites each have online registration processes that, among other things, collect the birthdate of users, and Iconix violated COPPA by collecting personal information from approximately 1000 users who identified themselves as under 13. The collection occurred through website and sweepstakes registration, post-registration email marketing, and public disclosure at a "Share Your Story" feature on one of the websites.

The FTC also cited Iconix for stating in its privacy policy that it would not collect personal information from children without parental consent, when its practices did not conform to its policy.

General audience websites that collect birthdate or age-related information from their users should employ an FTC-compliant neutral age-screening mechanism to ensure that if a user enters information disclosing that he or she is under 13, the website operator does not collect or disclose personally identifiable information from that user.
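As an added illustration (not code from the original post or from any site the FTC cited), the following sketches the neutral age screen the paragraph above recommends: the form asks for a full date of birth without hinting at the threshold, an under-13 answer gets a generic refusal, no personal information is retained for that user, and a session flag prevents re-entering a different date. The threshold constant, field names, session object and return shape are assumptions made for this example.

```javascript
// Added example, not code from the original post: a neutral age screen of
// the kind the paragraph above recommends. "Neutral" here means the form asks
// for a full date of birth without hinting at the threshold, an under-13
// answer gets a generic refusal, the decision is made before any personal
// information is retained, and a session flag blocks re-entering a new date.
// The threshold, field names, session object and return shape are assumptions.

const COPPA_AGE_THRESHOLD = 13;
const PII_FIELDS = ["name", "email", "address", "phone"];

// Strict YYYY-MM-DD parser: rejects malformed strings and impossible dates
// such as 2001-02-29 (which Date.UTC would silently roll over to March 1).
function parseDob(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s || "");
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]) - 1, Number(m[3])];
  const dt = new Date(Date.UTC(y, mo, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo && dt.getUTCDate() === d ? dt : null;
}

// Whole years of age on `today`, counting the birthday itself as passed.
function ageOnDate(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const passed =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  return passed ? age : age - 1;
}

// Screening step run before registration data is stored. `session` is a
// per-visitor object (e.g. backed by a cookie) that remembers a failed screen
// so the visitor cannot go back and submit a different birth date.
function screenRegistration(form, session, today = new Date()) {
  const refuse = (reason) => ({ ok: false, reason, stored: {} });
  if (session.ageScreenFailed) return refuse("registration_unavailable");
  const dob = parseDob(form.dob);
  if (!dob) return refuse("invalid_form");
  if (ageOnDate(dob, today) < COPPA_AGE_THRESHOLD) {
    session.ageScreenFailed = true;
    // Generic reason: the message shown must not reveal that age was the cause.
    return refuse("registration_unavailable");
  }
  // Only now is personal information accepted, and only the expected fields.
  const stored = {};
  for (const f of PII_FIELDS) if (form[f] !== undefined) stored[f] = form[f];
  return { ok: true, reason: null, stored };
}
```

The same function gates later collection points (sweepstakes entry, a "share your story" form) by reusing the session flag, so a user who failed the screen never reaches a field that would collect personal information.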

FTC Continues Safe Harbor Enforcement Streak With Six New Proposed Settlements

On October 6, 2009, in one fell swoop, the Federal Trade Commission (“FTC”) announced proposed settlements of charges against six companies for violations under the US/EU Safe Harbor Program. Specifically, these companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) were alleged to have continued to represent in their online privacy policies that they were self-certified under the Safe Harbor Program when in fact they had allowed their certifications to lapse, and thus had engaged in deceptive practices.


Since when does a legal entity have "privacy" rights?

Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024).

Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that a corporation (AT&T) was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.” Specifically, FOIA exempts “records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information … could reasonably be expected to constitute an unwarranted invasion of personal privacy…”(emphasis added). This exemption, combined with FOIA’s definition of “person” to include legal entities, enabled AT&T to successfully argue that a corporation has a right to privacy. (After all, the court said, “it would be very odd indeed for an adjectival form of a defined term not to refer back to that defined term.”) As a result, AT&T’s competitors have not been able to obtain information about an FCC investigation of AT&T regarding AT&T’s alleged overcharging of some of its customers.

Whether this ruling will be followed in other FOIA cases, or used to expand the concept of privacy rights under other statutes, remains to be seen. For now, when submitting information to regulators in connection with investigations, companies should consider submitting such information as confidential, since doing so could help the company to later challenge attempts by competitors or other third parties to obtain such information from the regulator under FOIA.


HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

On August 24 and 25, 2009, the Department of Health and Human Services ("HHS") and the Federal Trade Commission ("FTC"), respectively, published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and vendors of personal health records ("PHR") must notify individuals of security breaches concerning their unsecured protected health information ("PHI"). With its rule, HHS also provided guidance on securing PHI through "encryption" and "destruction" measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach. See the September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

French Data Protection Agency Issues Recommendations Regarding Employees' Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.

The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared. 


French Data Protection Authority Releases New Opinion on Compliance with U.S. Discovery Procedures

On August 19, 2009, the French Data Protection Agency (also known as the "CNIL") released a new opinion (the "Opinion") on the transfer of personal data from France to a jurisdiction outside of Europe. The Opinion is noteworthy for describing how personal data can be transferred from France to the United States pursuant to U.S. discovery proceedings. The Opinion stresses that it does not cover proceedings originating from U.S. governmental requests, such as requests by the Securities and Exchange Commission (SEC) or the Federal Trade Commission (FTC). The issue of international discovery transfers has been a particularly thorny and complex one, as it has often pitted the legal obligations of an entity in the United States to comply with U.S. discovery requirements against its obligations to comply with EU data protection laws where it holds personal data on individuals located within the EU.
