Privacy & Information Security Law Blog

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

The Centre for Information Policy Leadership at Hunton & Williams has issued the following statement about the U.S. Department of Commerce’s “Green Paper” released on December 16:

The Centre for Information Policy Leadership congratulates the Department of Commerce on the release of its Green Paper, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” and commends the Department for the extensive outreach and research it conducted to inform the document. 

On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.  The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”).  He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust.  The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing.  He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective.  The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Bill C-28, the Fighting Internet and Wireless Spam bill, received Royal Assent on December 15, 2010.  The centerpiece of the Act are prohibitions aimed at preventing spam, but the law also includes regulations to combat phishing and protect users from online malware.  Specifically, among other things, the legislation would prohibit:

• sending commercial electronic messages (including emails and text messages) without consent (subject to certain limited exceptions);
• altering transmission data on email messages; and
• the installation of computer programs without express consent.

On December 16, 2010, the U.S. Department of Commerce Internet Policy Task Force issued its “Green Paper” on privacy, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The Green Paper outlines Commerce’s privacy recommendations and proposed initiatives, which contemplate the establishment of enforceable codes of conduct, collaboration among privacy stakeholders, and the creation of a Privacy Policy Office in the Department of Commerce.  Noting that “privacy protections are crucial to maintaining the consumer trust that nurtures the Internet’s growth,” the Green Paper “recommends reinvigorating the commitment to providing consumers with effective transparency into data practices, and outlines a process for translating transparency into consumer choices through a voluntary, multistakeholder process.”

The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards.  The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts.  The basis for the binding international agreement would be the Madrid ...

On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation.  The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.

The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate.  The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.  The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that ...

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

On November 23, 2010, the data protection authority of the German federal state of Hamburg issued a €200,000 fine against financial institution Hamburger Sparkasse AG (“Haspa”) for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers. The bank cooperated with the DPA and has discontinued the illegal practices.

On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices.  The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK.  Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.

On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.”  The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

Earlier today, a Department of Commerce official briefed Hunton & Williams and Centre for Information Policy Leadership representatives on the Department’s forthcoming “Green Paper” on privacy.  On November 12, 2010, Telecommunications Reports Daily published an article based on information obtained from an unofficial, pre-release draft version of the Green Paper.  It remains to be seen which portions of the leaked draft ultimately will survive the interagency approval process currently underway.  The Department of Commerce representative emphasized that the content of the draft Green Paper currently undergoing review is consistent with Assistant Secretary of Commerce Larry Strickling’s October 27, 2010, speech in Jerusalem.  In his speech, Secretary Strickling explained that the Department is calling it a “Green” Paper, “not because of its environmental impact, but because it contains both recommendations and a further set of questions on topics about which [the Department] seek[s] further input.”

Representative Rick Boucher (D-VA), current head of the House Subcommittee on Communications, Technology and the Internet, lost his reelection bid yesterday to Republican Morgan Griffith, the Majority Leader of the Virginia House of Delegates.  Representative Boucher, widely recognized and respected for his legislative efforts in the areas of technology, telecommunications and privacy law, co-authored the CAN-SPAM Act and also introduced draft privacy legislation earlier this year.  Congressman Boucher’s defeat leaves the House Subcommittee on Communications, Technology and the Internet panel without its top Democrat, and it is unclear who will fill that leadership vacancy.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

The international group of data protection commissioners today admitted the U.S. Federal Trade Commission into membership.

Meeting at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, the commissioners determined that the FTC had the requisite authority and independence to qualify for membership.

The decision has been a long time coming.  The U.S. has long sought to be recognized as a member of the data protection group.  Last year, the U.S. application was rejected at the international conference in Madrid.

David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, today provided a high-level outline of the Commission’s forthcoming report on the future of privacy.

Speaking at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Vladeck said the report reflected two broad conclusions.  First, current privacy law places too much burden on consumers to read and understand privacy notices and make privacy choices.  The second conclusion is that there is a pressing need to reexamine the conception of “harm” in U.S. law to move beyond only economic and physical harms.

Following its recent enactment of an omnibus data protection law, Mexico has been unanimously elected to lead the Ibero-American Data Protection Network, a consortium of the governments of Spain, Portugal, Andorra and 19 Latin American countries.  The group’s mission is to foster, maintain and strengthen an exchange of information, experience and knowledge among Ibero-American countries through dialogue and collaboration on issues related to personal data protection.  The IFAI announced on September 29, 2010, that Jacqueline Peschard, head of Mexico’s Federal ...

On October 4, 2010, the French Data Protection Authority (the “CNIL”) stated in a press release that a recently enacted environmental law (Act No. 2010-788 of July 12, 2010, known as “Grenelle II”) expands the CNIL’s authority to regulate devices used to measure the viewership of advertisements in public places like shopping malls, train stations and airports.  Grenelle II introduces a new provision under Article L. 581-9 of the French Environmental Code, which states: “Any system that automatically measures the audience of an advertising device or which analyzes the typology or behavior of individuals passing within the vicinity of such advertising device requires prior approval of the CNIL.”

According to a press report dated October 2, 2010, the German state data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) continue to consider the use of Google Analytics on company websites to be illegal.  The Düsseldorfer Kreis reached this decision at a recent meeting of its Telemedia working group.  The group has indicated that it hopes to continue negotiations with Google.  Dr. Alexander Dix, the Berlin Commissioner for Data Protection and Freedom of Information who was interviewed on this issue, stated that although ...

The Department of Health and Human Services (“HHS”) received numerous comments on its proposed modifications to the Health Insurance Portability and Accountability Act Privacy, Security and Enforcement Rules, which were issued on July 8, 2010.  Some highlights from the comments are outlined below.

Enforcement Rule

The American Hospital Association (“AHA”) suggested that HHS should continue to require the Secretary of HHS to attempt to resolve a complaint or compliance review through informal means, instead of making the informal resolution process optional.  According to the AHA, making “resolution via informal means optional, regardless of the perceived level of culpability of a particular entity” would not be appropriate or effective.  The Coalition for Patient Privacy, on the other hand, recommended stricter enforcement so that “the only category of violators that should not be penalized with fines are those who despite due diligence could not discover the violation, who reported the violation immediately when discovered, and fully corrected the problems within 30 days of discovery.”

The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.

Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website.  The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.

David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010.  Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date.  Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own.  Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general.  Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.

Mr. Vladeck noted three key areas for future enforcement.  The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws.  On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network.  The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...

On September 15, 2010, New York State Attorney General Andrew Cuomo announced a $100,000 settlement with EchoMetrix, a developer of parental control software that monitors children’s online activity.  The settlement comes one year after the Electronic Privacy Information Center (“EPIC”) alleged in a complaint to the Federal Trade Commission that EcoMetrix was deceptively collecting and marketing children’s information.

The United States Congress is currently considering several bills addressing cybersecurity issues.  Below are brief summaries of four such bills.

The Grid Reliability and Infrastructure Defense (“GRID”) Act

The GRID Act was passed by the House of Representatives on June 9, 2010. This bill would amend the Federal Power Act to grant the Federal Energy Regulatory Commission (“FERC”) authority to issue emergency orders requiring critical infrastructure facility operators to take actions necessary to protect the bulk power system. Prior to FERC issuing such an order, the President would have to issue a written directive to FERC identifying an imminent threat to the nation’s electric grid.  FERC would be required to consult with federal agencies or facility operators before issuing an emergency order only “to the extent practicable” in light of the nature of the threat. The GRID Act is being considered by the Senate Committee on Energy and Natural Resources at this time.

On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise.  The case has now been referred back to the New Zealand Privacy Commissioner.  A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.

On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified.  In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals.  The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted   “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

As scrutiny and enforcement escalate in corporate privacy and data security, has your organization developed policies that meet local and global compliance requirements?

Lisa J. Sotto, head of the Global Privacy and Information Management practice at Hunton & Williams and a member of the SAI Global Law & Ethics Advisors, along with Jeff Kaplan, Kaplan & Walker, LLC and Chair of the SAI Global Law & Ethics Advisors, deliver an informative podcast reviewing the drivers for privacy and data security policy compliance, and they discuss the keys to a successful compliance program.

In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person."  This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.

On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data.  “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement.  Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet.  He indicated that his bill would go beyond the regulation of targeted ...

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles.  The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices.  As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View.  Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred.  The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.

On July 19, 2010, Representative Bobby Rush (D-Ill.) introduced a bill "to foster transparency about the commercial use of personal information" and "provide consumers with meaningful choice about the collection, use and disclosure of such information."  The bill, cleverly nicknamed the "BEST PRACTICES Act", presumably intends to set the standards for the use of consumer personal information by marketers.  A similar bill was introduced by Representatives Boucher and Stearns in early May.  Although both proposals would require opt-out consent for online behavioral advertising ...

On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country.  The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.

The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK.  Responses must be submitted by October 6, 2010.  “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties.  I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

On July 6, 2010, Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares came into force.  As we previously reported, on April 27, 2010, the Mexican Senate unanimously approved this landmark federal data protection law governing the collection, processing and disclosure of personal data by the private sector.  Pursuant to the adoption of the new law, the Mexican Federal Institute of Access to Public Information has changed its name to the Federal Institute of Access to Information and Data Protection.

As reported by the IAPP, the Institute’s ...

The Australian government recently released an exposure draft of legislation that would fundamentally reform the Australian Privacy Act and would unify public and private sector privacy principles.  The exposure draft includes thirteen principles intended to protect individuals from the risks associated with the sharing of personal information.

Of particular interest to the international business community, Principle 8 addresses the cross-border disclosure of personal information.  The principle states that an entity must take reasonable steps to ensure that an overseas recipient does not breach the Australian Privacy Principles with respect to personal information being disclosed, but provides an exception if the entity reasonably believes that (i) the recipient of the information is subject to a law or binding scheme that provides protection that is substantially similar to protections provided by the Australian Privacy Principles, and (ii) there are mechanisms available for affected individuals to enforce such protection.

On June 17, 2010, the French data protection authority (the “CNIL”) reported that it had conducted an on-site investigation at Google on May 19 to examine activities by Google’s Street View cars.  This investigation followed Google’s May 14 announcement that it had inadvertently captured Wi-Fi signals emitted in locations where its vehicles were taking photos.

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.  The charges stem from alleged lapses in the company’s data security that permitted hackers to access tweets that users had designated as private and to issue phony tweets from the accounts of some users, including then-President-elect Barack Obama.  According to the FTC’s complaint (main document, exhibits), these attacks on Twitter’s system were possible due to a failure to implement reasonable ...

Connecticut Attorney General Richard Blumenthal recently announced that his office will lead a multistate investigation into the “deeply disturbing” unauthorized collection of personal data from wireless computer networks by Google’s Street View cars.  Attorney General Blumenthal noted that Google “must provide a complete and comprehensive explanation of how this unauthorized data collection happened, why the information was kept if collection was inadvertent and what action will prevent a recurrence.”  A significant number of states are expected to ...

Reporting from Israel, legal consultant Dr. Omer Tene writes:

The Israeli Law, Information and Technology Authority (“ILITA”), Israel’s privacy regulator, continues to up the ante for data controllers in Israel.  This week ILITA imposed a $70,000 (NIS 258,000) fine against a company illicitly trading personal data.

As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule.  The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The FTC previously has stated that health care providers could be deemed “creditors” under the Rule.  The agreement will grant relief to ...

The Centre for Information Policy Leadership at Hunton & Williams LLP made ten recommendations in response to the U.S. Department of Commerce’s notice of inquiry, “Information Privacy and Innovation in the Internet Economy.”  The Centre’s recommendations strongly suggest that organizational accountability is the key to providing the flexibility needed to use information robustly while protecting the interest of individuals in maintaining private space in a digital age:

“The flexibility to be innovative must be conditioned on the organization’s accountability for the manner in which it uses, manage, and protects data.  … To strike the appropriate balance between the value created by data use and the risk that use poses to privacy, organizations must implement privacy processes that are as dynamic as their business processes.” 

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate ...

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a ...

The Russian Federation is considering amending the country’s data protection law, according to BNA’s Privacy Law Watch.  Businesses have long complained that the law contains restrictions on data processing that are extremely difficult to meet.  For example, the law requires affirmative written consent for most types of data processing.  In the online context, this provision has been interpreted to require a consumer’s digital signature.  A check box, which is an acceptable mechanism for expressing consent in the EU, for example, is deemed unacceptable in Russia.  In ...

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative - Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  ...

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.

On May 4, 2010, Congressmen Rick Boucher (D-VA) and Cliff Stearns (R-FL) introduced draft legislation designed to protect the privacy of personal information both on the Internet and in offline contexts.

The legislation would apply to any “covered entity,” which is defined as “a person engaged in interstate commerce that collects data containing covered information.”  The term “covered information” is very broad and includes, but is not limited to, an individual’s first name or initial and last name, a postal address, a telephone number or an email address.  Government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period (and do not collect sensitive information) would not be considered “covered entities” for purposes of the law.

The Mexican Senate has unanimously approved a landmark data protection law governing information use in the private sector, la Ley Federal de Protección de Datos Personales en posesión de los particulares.  We provided information on the bill last week when the Chamber of Deputies voted to approve it.  The legislation has been forwarded to the president for signature.  We will provide further details as this story develops.

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users.  On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.”  The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

Following up on our previous post on the sentencing of three Google executives by an Italian court, the New York Times reports that an 111-page explanation of the verdict has been released.  Judge Oscar Magi found that Google had an obligation to make users more aware of its EU privacy policies, and cited Google’s active marketing of its Google Video site as indicative of the company’s profit motive for not removing the video sooner.

According to Mr. M. Jorge Yanez V., a partner at the law firm of Barrera, Siqueiros y Torres Landa, S.C. in Mexico City, on April 13, 2010, the Mexican Chamber of Deputies passed a bill that, when ratified by the Senate, will become the country’s new Federal Law of Protection of Personal Information.  The Senate is expected to pass the bill shortly and without revisions.  When the bill is enacted into law, Mexico’s Federal Institute of Access to Information, the agency that currently oversees the disclosure of and access to government information, will be renamed the Federal ...

On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information.  In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals.  The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008.  The firm responded quickly by notifying ...

In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection.  The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009.  The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.

On April 7, 2010, Mississippi became the 46th state to enact a data security breach notification law.  The law, which will take effect July 1, 2011, applies to the unauthorized acquisition of unencrypted electronic files, media, databases or computerized data containing personal information of any Mississippi resident.  The law contains a harm threshold specifying that notification is not required if it can be reasonably determined that the breach will not likely result in harm to affected individuals.  The enactment of this law leaves Alabama, Kentucky, New Mexico and South Dakota ...

The Attorney General of Connecticut, Richard Blumenthal, is investigating an alleged breach of medical records at Griffin Hospital in Derby, Connecticut.  The hospital believes that a formerly affiliated radiologist gained unauthorized access to its digital Picture Archiving and Communications System (“PACS”), which stores patient information, including names, exam descriptions and medical record numbers.  In February, the hospital began receiving inquiries from patients who had been contacted by the radiologist to promote professional services offered at another medical facility.  In response to patient inquiries, the hospital conducted an internal investigation that revealed several instances of unauthorized access to the PACS system.  The hospital subsequently notified Attorney General Blumenthal.

In a landmark holding, the Israeli Supreme Court restricted the unmasking of an anonymous defendant on an online defamation case, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence).  The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

On March 17, 2010, the Federal Trade Commission convened the last of its three-part series of roundtable discussions entitled “Exploring Privacy.”  In her opening remarks, outgoing Commissioner Pamela Jones Harbour emphasized the critical importance of privacy to consumers, stating that “consumer privacy cannot be run in beta,” and that companies often inappropriately expose consumer data during new product rollout.  David Vladeck, Director of the FTC’s Bureau of Consumer Protection, then set the stage by invoking the “notice is broken” theme that recurred during the first two roundtables on December 7, 2009, and January 28, 2010, and was echoed by participants in the March 17 event.

The Wall Street Journal is reporting that outgoing FTC Commissioner Pamela Jones Harbour criticized technology companies for publicly exposing consumer data, particularly during the rollout of new products.  Ms. Harbour lamented that companies do not take consumer privacy seriously.  She singled out the launch of Google Buzz as irresponsible conduct by “one of the greatest technology leaders of our time.”  Consumer advocates raised alarm when Google Buzz initially established Google Gmail users’ social network connections automatically based on the users’ email and chat contacts, and made that list public by default.  Ms. Harbour reiterated the advocates’ sentiment by stating that, from the time the product launched, consumers rather than Google should have decided whether or not to subscribe to the features that could expose their contact data.  Soon after the launch, Google changed the defaults to allow users more control.  Google put forth a conciliatory message, stating that user transparency and control are top priorities for the company and that Google is continuing to improve Buzz based on the feedback the company receives.

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain ...

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws.  The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online.  The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the ...

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010. The regulations apply to entities that own or license personal information about Massachusetts residents. “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

On January 25, 2010, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 10-06, Guidance on Blogs and Social Networking Web Sites (the “Guidance”) for securities firms, investment advisors and brokers.  FINRA, which is the largest non-governmental financial regulator, previously had issued guidance on other issues pertaining to interactive web sites, such as participation by securities firms and their employees in Internet chat rooms discussing stocks or investments.  The goals of the Guidance are to “ensure that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations” as well as “to interpret [the] rules in a flexible manner to allow firms to communicate with clients and investors using” blogs and social networking.

On January 11, 2010, the data protection authority of the German federal state of Baden-Wurtemberg issued a press release stating that it had fined the Müller Group €137,500 for illegal retention of health-related data and failure to appoint a Data Protection Officer.

In April 2009, the German press reported that the Müller Group, a drugstore chain comprised of twelve entities and employing some 20,000 workers, was illegally collecting health data from its employees.  Specifically, employees returning from sick leave were required to complete a form and provide the reason for their sicknesses.  After conducting an investigation, the DPA confirmed these allegations.  Since 2006, the Müller Group entities had systematically requested employees returning from sick leave to identify the reasons for their sicknesses on a form that was then sent to the Group’s central Human Resources department to be scanned.  As of April 2009, approximately 24,000 records containing data on employee illnesses were being stored in Müller’s centralized HR files.

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

In a discussion with The New York Times, Federal Trade Commission (“FTC”) Chairman Jon Leibowitz, and chief of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that Internet publishers and advertisers can expect the FTC to play a more active role in safeguarding consumer privacy.  Chairman Leibowitz highlighted that, in the past, the FTC’s approach to privacy has focused on consumer notice and consent, and whether consumers were harmed.  From the FTC’s perspective, however, the present model is problematic because companies have failed to provide consumers with meaningful notice that would allow them to make effective choices regarding their privacy.  This “advise-and-consent” model is broken, as it “depended on the fiction that people were meaningfully giving consent.”  In reality, few consumers take the time to inform themselves about the notices and choices outlined in privacy policies.

On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches.  These penalties are likely to take effect starting April 6, 2010.  Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998.  Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform proposed by the European Commission in November 2007 consists of various different EU Directives that set-up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and includes the following:

• mandatory notification for personal data breaches ...

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws.  EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent.  The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

• The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the ...

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching.  Of late, there has been a flurry of activity aimed at limiting the scope of the rule.  The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program.  A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.”  In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.