Yet again, at the last minute, the Federal Trade Commission has announced that it is delaying enforcement of the Red Flags Rule. This time, the postponement is until June 1, 2010 and comes "[a]t the request of Congress."
This is the FOURTH time that the FTC has delayed "enforcement" of the controversial rules intended to detect and mitigate identity theft. It follows yesterday's federal court ruling that the Red Flags Rule does not apply to lawyers. It also follows on the heels of a 400-0 vote in favor of a House bill (H.R.3763) exempting certain small businesses from compliance with the Red Flags Rule.
As we have discussed in this blog on many occasions, the Red Flags Rule has been plagued with misunderstanding, controversy, and objections from the business community since its enactment in July of 2006. In the meantime, according to the FTC and other compilations of ID theft reports, nearly 25 million U.S. residents have reportedly been victims of identity theft. The regulatory effort is in danger of losing credibility.
Links:
Federal Trade Commission: www.ftc.gov/opa/2009/10/redflags.shtm
Privacy and Security MATTERS: www.privacyandsecuritymatters.blogspot.com/2009/10/changes-to-red-flag-rules-may-be-coming.html
Identity Theft Statistics: www.privacyrights.org/ar/idtheftsurveys
Friday, October 30, 2009
Thursday, October 29, 2009
BREAKING NEWS: Lawyers Need Not Implement Red Flag Program
Just before noon today, Judge Walton granted summary judgment from the bench in favor of the American Bar Association in the ABA lawsuit over application of Red Flag Rules to legal profession. We’ll post the decision as soon as it is available.
$1.8 Million Verdict in Pretexting Case
Written by Cynthia and Michael
A Cook County, Illinois jury recently awarded $1.8 million dollars to Kathy Lawlor, who claimed that her former employer, North American Corp. of Illinois, violated her privacy rights by hiring a private investigator who fraudulently obtained her telephone records through the use of “pretexting” – or by pretending to be Lawlor herself. Some of you might be familiar with the concept of pretexting from the Hewlett Packard scandal in 2006 where HP’s Chairwoman directed independent security experts to investigate the source of an information leak. The security experts obtained the personal phone records of journalists and HP board members by pretexting – or by pretending to be them - and it ultimately allowed HP to determine the source of leak. HP’s efforts caused an uproar, including leading to criminal charges, a congressional investigation and the passage state and federal laws prohibiting pretexting.
In the summer of 2005, prior to the HP scandal, North American terminated Ms. Lawlor’s employment because she would not agree to modify her salesperson commission agreement prior to landing the biggest account of her career. As a result, Ms. Lawlor sued North American seeking to recover certain commissions and for a judgment to lift her non-compete agreement. Ms. Lawlor did not know that at the time she sued North American, it had decided to hire a private investigator to investigate whether Ms. Lawlor’s was stealing its confidential information and clients, and that it had provided certain personal information about Ms. Lawlor to the private investigator, including her Social Security number and phone numbers. During its investigation, in addition to stationing individuals outside Ms. Lawlor’s home, the private investigator arranged for a third party vendor to obtain Ms. Lawlor’s personal phone records by pretexting. When Ms. Lawlor later discovered that North American was investigating her activities she added a claim for invasion of privacy to her lawsuit.
At trial, North American denied that it knew that its private investigator had engaged in pretexting, but the jury was unsympathetic and awarded Ms. Lawlor $1.8 million, most of it coming in the form of punitive damages. North American is contesting the jury’s decision, and the parties continue to litigate North American’s claim that Ms. Lawlor misappropriated its trade secrets, but this case should serve as a warning to employers considering whether and how to conduct investigations of their employees. The North American case confirms that any time an employer conducts an investigation into an employee’s activities it runs the risk of violating that employee’s rights and a resulting lawsuit. Employers must takes steps to ensure that any investigation, whether it be conducted internally or through the use of third party investigators, do not utilize unlawful or other inappropriate methods, including the use of pretexting, which is now prohibited by state and federal law.
A Cook County, Illinois jury recently awarded $1.8 million dollars to Kathy Lawlor, who claimed that her former employer, North American Corp. of Illinois, violated her privacy rights by hiring a private investigator who fraudulently obtained her telephone records through the use of “pretexting” – or by pretending to be Lawlor herself. Some of you might be familiar with the concept of pretexting from the Hewlett Packard scandal in 2006 where HP’s Chairwoman directed independent security experts to investigate the source of an information leak. The security experts obtained the personal phone records of journalists and HP board members by pretexting – or by pretending to be them - and it ultimately allowed HP to determine the source of leak. HP’s efforts caused an uproar, including leading to criminal charges, a congressional investigation and the passage state and federal laws prohibiting pretexting.
In the summer of 2005, prior to the HP scandal, North American terminated Ms. Lawlor’s employment because she would not agree to modify her salesperson commission agreement prior to landing the biggest account of her career. As a result, Ms. Lawlor sued North American seeking to recover certain commissions and for a judgment to lift her non-compete agreement. Ms. Lawlor did not know that at the time she sued North American, it had decided to hire a private investigator to investigate whether Ms. Lawlor’s was stealing its confidential information and clients, and that it had provided certain personal information about Ms. Lawlor to the private investigator, including her Social Security number and phone numbers. During its investigation, in addition to stationing individuals outside Ms. Lawlor’s home, the private investigator arranged for a third party vendor to obtain Ms. Lawlor’s personal phone records by pretexting. When Ms. Lawlor later discovered that North American was investigating her activities she added a claim for invasion of privacy to her lawsuit.
At trial, North American denied that it knew that its private investigator had engaged in pretexting, but the jury was unsympathetic and awarded Ms. Lawlor $1.8 million, most of it coming in the form of punitive damages. North American is contesting the jury’s decision, and the parties continue to litigate North American’s claim that Ms. Lawlor misappropriated its trade secrets, but this case should serve as a warning to employers considering whether and how to conduct investigations of their employees. The North American case confirms that any time an employer conducts an investigation into an employee’s activities it runs the risk of violating that employee’s rights and a resulting lawsuit. Employers must takes steps to ensure that any investigation, whether it be conducted internally or through the use of third party investigators, do not utilize unlawful or other inappropriate methods, including the use of pretexting, which is now prohibited by state and federal law.
Wednesday, October 21, 2009
Changes to the "Red Flag" Rules may be coming -- and so is the November 1 compliance deadline
By an overwhelming vote of 400-0, the U.S. House yesterday approved legislation that will exempt certain businesses from the Federal Trade Commission’s Red Flag Rules. As we have reported, the Red Flag Rules require a broadly-defined class of “creditors” to implement identity theft prevention programs by November 1st. Under H.R. 3763, health care, accounting, and legal practices with 20 or fewer employees will be excluded from the definition of “creditor.” The measure also requires the FTC to issue new regulations allowing any business -- regardless of size -- to apply for an exemption.
New Exemption Provision
Under the exemption provision, the bill allows any business to be exempted if the FTC determines that the organization knows all of its customers or clients individually, only performs services in or around the residences of its customers, or has not experienced incidents of identity theft and is part of an industry that rarely experiences the problem. The FTC will be required to issue regulations setting out the exemption process.
ABA Still Not Happy
The American Bar Association says the legislation does not go far enough and
is demanding a full exemption for law firms. The ABA also continues
asking a federal court to bar the FTC from enforcing the rules against
attorneys. Besides the ABA, the FTC's broad interpretation of the creditor
category has prompted objections from the American Medical Association and the AICPA.
It is unlikely that this legislation will be finalized by the current November 1st enforcement deadline, and it remains to be seen whether this will cause the FTC to announce another delay.
New Exemption Provision
Under the exemption provision, the bill allows any business to be exempted if the FTC determines that the organization knows all of its customers or clients individually, only performs services in or around the residences of its customers, or has not experienced incidents of identity theft and is part of an industry that rarely experiences the problem. The FTC will be required to issue regulations setting out the exemption process.
ABA Still Not Happy
The American Bar Association says the legislation does not go far enough and
is demanding a full exemption for law firms. The ABA also continues
asking a federal court to bar the FTC from enforcing the rules against
attorneys. Besides the ABA, the FTC's broad interpretation of the creditor
category has prompted objections from the American Medical Association and the AICPA.
It is unlikely that this legislation will be finalized by the current November 1st enforcement deadline, and it remains to be seen whether this will cause the FTC to announce another delay.
Labels:
compliance,
Federal Trade Commission,
FTC,
identity theft,
Red Flag
Wednesday, October 7, 2009
More on the real cost of the Heartland breach
Nearly 10 months after disclosing a months-long data breach that affected millions of consumers, the financial impact of the Heartland data breach continues to unfold. InformationWeek reports that Heartland stock prices plunged more than $500 million following the breach, and while shareholder value has rebounded, other breach related costs have thus far totaled $32 million, with numerous lawsuits against the company still pending.
When the "Safe Harbor" is Not So Safe
If your company transfers personal data cross-border and you participate in the Safe Harbor program, it’s time to check the status of your certification. For the second time in a month, the Federal Trade Commission has announced enforcement actions against companies under Safe Harbor, the international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law.
In September, the first ever Safe Harbor enforcement action was announced against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor program, when apparently it never had. Yesterday, the FTC continued the trend by announcing six separate enforcement actions in one fell swoop.
According to the six separate complaints, the companies deceptively claimed they held current certifications under the Safe Harbor framework, when in fact the companies had allowed those certifications to expire. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. To participate in Safe Harbor, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The proposed settlements do not include any monetary penalties nor any admission of guilt, but would require compliance monitoring for 20 years.
If you have put Safe Harbor (either compliance or certification) on the “back burner” because it appeared that the FTC was not enforcing the program, the time for change has come. You should check what representations are being made on public-facing websites and privacy policies regarding Safe Harbor certification and ensure that these representations are accurate and up-to-date. In the cases announced yesterday, the defendant companies had been certified, but had let those certifications lapse. The exhibits to the FTC’s complaints included pages from their websites (see links below), and their own words were used against them.
For more information:
To file a public comment in the FTC proceeding - http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site.
FTC Complaints:
In the Matter of World Innovators, Inc.
In the Matter of ExpatEdge Partners, LLC
In the Matter of Onyx Graphics, Inc.
In the Matter of Directors Desk LLC
In the Matter of Progressive Gaitways LLC
In the Matter of Collectify LLC
Safe Harbor List
To check the status of your company’s Safe Harbor certification - Safe Harbor List
In September, the first ever Safe Harbor enforcement action was announced against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor program, when apparently it never had. Yesterday, the FTC continued the trend by announcing six separate enforcement actions in one fell swoop.
According to the six separate complaints, the companies deceptively claimed they held current certifications under the Safe Harbor framework, when in fact the companies had allowed those certifications to expire. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. To participate in Safe Harbor, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The proposed settlements do not include any monetary penalties nor any admission of guilt, but would require compliance monitoring for 20 years.
If you have put Safe Harbor (either compliance or certification) on the “back burner” because it appeared that the FTC was not enforcing the program, the time for change has come. You should check what representations are being made on public-facing websites and privacy policies regarding Safe Harbor certification and ensure that these representations are accurate and up-to-date. In the cases announced yesterday, the defendant companies had been certified, but had let those certifications lapse. The exhibits to the FTC’s complaints included pages from their websites (see links below), and their own words were used against them.
For more information:
To file a public comment in the FTC proceeding - http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site.
FTC Complaints:
In the Matter of World Innovators, Inc.
In the Matter of ExpatEdge Partners, LLC
In the Matter of Onyx Graphics, Inc.
In the Matter of Directors Desk LLC
In the Matter of Progressive Gaitways LLC
In the Matter of Collectify LLC
Safe Harbor List
To check the status of your company’s Safe Harbor certification - Safe Harbor List
Tuesday, October 6, 2009
Vets Data At Risk? Again?
Wired.com reports on a possible breach at -- of all places -- the National Archives and Records Administration (NARA) that, if verified, could affect tens of millions of records about U.S. military veterans. It appears that it may involve an issue that I call “Data Security 101” -- the failure of a contractor to wipe clean a defective hard drive returned to it by NARA . The contractor determined that the drive could not be fixed, and sent it elsewhere to be recycled --- without following ordinary industry procedures (and U.S. Government policy) requiring that hard drives be degaussed before recycling or other disposition.
According to the Wired piece, the incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, “who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.”
The Veterans Administration settled a class action earlier this year at a cost of $20 million over the 2006 loss of a laptop containing records with personal information of up to 26.5 million veterans and active duty personnel.
According to the Wired piece, the incident was reported to NARA’s inspector general by Hank Bellomy, a NARA IT manager, “who charges that the move put 70 million veterans at risk of identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.”
The Veterans Administration settled a class action earlier this year at a cost of $20 million over the 2006 loss of a laptop containing records with personal information of up to 26.5 million veterans and active duty personnel.
Subscribe to:
Posts (Atom)