House and Senate Enact Amendment of FCRA, Limit Scope of Red Flags Rule

The Blog of Legal Times is reporting that late on December 7, 2010 the House of Representatives passed a bill on a voice vote that amends the definition of "creditor" in the Fair Credit Reporting Act (FCRA) and, as a result, dramatically limits the scope of the Red Flags Rule. The House bill is identical to the legislation enacted by the Senate last week. We previously covered in detail on our blog both the House bill and the Senate bill.

The legislation has the effect of largely limiting the applicability of the Red Flags Rule to financial institutions and entities commonly understood to be "creditors". It will generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time. The legislation leaves open the possibility that the FTC would bring various types of creditors within the scope of the Rule through rulemaking. However, it sets a procedural threshold for expanding the scope of the Rule and appears to require the determination to be specific to the type of creditor.

“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind,” said Rep. John Adler (D-N.J.), speaking on the House floor.

The legislation limits the definition of "creditor" under the FCRA to entities that:

  1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
  3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the amendment specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion means that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The FTC will begin enforcing the Red Flags Rule on December 31, 2010. By this deadline, financial institutions and creditors subject to the FTC's jurisdiction must have an identity theft prevention program in place to the extent they are required to do so by the Rule.

Lame Ducks Tackle Red Flags; Relief is in Sight

Last week, the U.S. Senate adopted by unanimous consent a bill (S. 3987) that would limit the scope of the Federal Trade Commission's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor." The Senate bill is identical to the bipartisan House proposal we covered in detail in our blog on November 22, 2010.

Both bills have been referred to the House Committee on Financial Services. Given that the House and Senate are now on the same page with respect to the Red Flags Rule, there is a good chance that this proposal will become law before the FTC begins enforcing the Rule on December 31, 2010.

The bills seek to largely limit the applicability of the Red Flags Rule to entities commonly understood to be "creditors". They would generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time.

Specifically, if passed, the legislation would limit the definition of "creditors" under the FCRA to entities that:

  1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
  3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The legislation would leave the door open for the FTC to expand the definition of "creditor" through rulemaking, by making a determination that a particular type of creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. While this provision leaves open the possibility that the FTC would bring various types of creditors within the scope of the Red Flags Rule, it would set a procedural threshold for expanding the scope of the Rule, and appears to require the determination to be specific to the type of creditor.

FTC's Red Flags Rule Slated to Take Effect - Congress Tries Another Fix

The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-ID) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor."

The FTC's Red Flags Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), which amended the FCRA. The Rule requires certain creditors and financial institutions subject to the FTC's jurisdiction to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft.

The cause of the multiple enforcement delays is the Rule's definition of "creditor" and the FTC's broad interpretation of the term. Specifically, the FTC has taken the position that, in addition to entities that lend money or participate in credit decisions, a "creditor" subject to the Rule includes any entity that sells goods or services and allows customers to pay for the goods or services later. The FTC's broad interpretation of the term "creditor" has thus turned any business that employs invoice billing into a creditor subject to the Rule.

The proposed bill seeks to largely limit the applicability of the Red Flags Rule to entities commonly understood to be creditors. Pursuant to the bill, "creditors" would be defined as entities that:

  1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
  3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The proposed legislation leaves the door open for the FTC to expand the definition of "creditor" through rulemaking, by making a determination that a particular type of creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. While this provision leaves open the possibility that the FTC would bring various types of creditors within the scope of the Red Flags Rule, it would set at least a procedural threshold for expanding the scope of the Rule and would appear to require the determination to be specific to the type of creditor.
Although the attention in the debate about the Red Flags Rule has been on the definition of "creditor," the FTC's Rule also applies to financial institutions that are not regulated by the Federal Reserve, OCC, FDIC or NCUA. Financial institutions subject to the FTC's Red Flags Rule include entities such as state-chartered credit unions, mutual funds with check writing or debit privileges, insurance companies, brokers, dealers, investment advisers and investment companies. These and other financial institutions subject to the FTC's jurisdiction must have an identity theft prevention program in place by December 31, 2010, to the extent they are required to do so by the Rule.

Appeals Court Considers Applicability of the Red Flags Rule to Attorneys

Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission's Identity Theft Red Flags Rule. 

The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule's definition of "creditor" to the extent they allow clients to pay for legal services after the services are performed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.

The BLT is reporting that the appellate panel struggled with the Red Flags Rule's terms in trying to determine whether the FTC's interpretation of the Rule exceeded the agency's authority in regulating attorneys. The issues in the case are both whether and in which circumstances the federal government can regulate attorneys, and the propriety of the FTC's interpretation of FACTA and the Red Flags Rule as applying to at least some attorneys who receive payment only after providing services to a client. 

The ABA and the FTC have clearly articulated their positions on the issue. According to the BLT, FTC attorney Michael Bergman argued that "lawyers are no different — though they might think they are — from other service providers," and "Judge Thomas Griffith echoed that argument... discounting the ABA's argument that Congress must be explicit when it intends to regulate the legal profession because the industry is the longtime province of states." The ABA Journal is quoting ABA President Stephen N. Zack, who observed that "the mission of every lawyer is to provide aid and counsel to our clients and improve access to the justice system — not to push paperwork that attempts to solve what is, for the legal profession, a non-existent problem and promises to raise legal costs."

Our take is that while the outcome of this litigation remains in question, law firms, especially those servicing clients who are individuals, should take steps to familiarize themselves with the requirements of the Red Flags Rule. Given the low incidence of identity theft fraud at law firms, many firms may be able to take advantage of the FTC's Do-It-Yourself Template for Businesses at Low Risk for Identity Theft. The template provides a streamlined approach to compliance with the Rule that should help firms lower the burden of complying with the regulation.


Physicians Seek Relief On Eve of FTC's Red Flags Enforcement Deadline

As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.)

Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.

The Definitions of "Creditor" and "Credit"

"Creditor" and "credit" are defined terms under the FACTA Red Flags Rule. The Fair and Accurate Credit Transactions Act (FACTA) (15 U.S.C. § 1681a(r)(5)) incorporates by reference the definitions of "creditor" and "credit" found in the Equal Credit Opportunity Act (ECOA). The ECOA defines "creditor" as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. § 1691a(e). The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." 15 U.S.C. § 1691a(d).

The FTC's Position

As noted in the AMA complaint, the FTC's position on the application of the Red Flags Rule to physicians (and to attorneys) was first spelled out on April 30, 2009 in a footnote of its "Extended Enforcement Policy: Identity Theft Red Flags Rule":

In FACTA, Congress imported the definition of creditor from the [ECOA] for purposes of the [FCRA]. This definition covers all entities that regularly permit deferred payments for goods or services. The definition thus has a broad scope and may include entities that have not in the past considered themselves to be creditors. For example, creditors under the ECOA include professionals, such as lawyers or health care providers, who bill their clients after services are rendered.

(Emphasis added.)

In May 2009, the FTC published another document on its website entitled "The 'Red Flags' Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft." That document stated as follows:

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

In a press release dated July 29, 2009, the FTC referenced a document that provided answers to frequently asked questions (FAQs), which reiterated its position that attorneys and health care providers are required to comply with the Red Flags Rule when their billing arrangements qualify them as creditors under FACTA and the ECOA:

the definition of "creditor" is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.

The AMA's Position

The AMA argues that physicians are not creditors under the Rule and that the practice of allowing deferred payment by patients, particularly in emergency circumstances, serves a number of purposes unique to the profession:

. . . The practice of not demanding payment at the time care is provided serves several purposes. It gives a benefit to patients who are often under stress when receiving care. It underscores that the physician has a fiduciary relationship with the patient and thereby furthers the patient-physician relationship. Where the patient is insured, the practice enables the insurer to determine what portion of the bill is covered and what amount should be billed to the patient. Because the amount that the patient will owe the physician is not certain at the time that services are provided, the physician does not defer payment of a “debt” by billing after the patient is treated. In many cases, a physician is not entitled to bill patients immediately upon providing services under contracts with health insurance carriers.

Physicians also provide emergency medical care to patients whose identifying information may be unknown to them and who may even be unconscious. In some emergency situations, which may occur for certain physicians on a regular basis, there is no practical way for the physician to bill for his or her services at the time of those services. Further, it would violate the norms of human decency, not to mention principles of ethical conduct . . . , for a physician to demand payment at the time of service in such situations. Indeed, federal law requires a physician to provide services to a patient in an emergency condition without regard to the patient’s ability to pay. See 42 U.S.C. § 1395dd.

The AMA further argues that the Red Flags Rule would interfere with the patient-physician relationship and a physician's ethical responsibilities:

the FTC’s attempt to impose a duty upon physicians to investigate each patient’s identity in advance of treatment conflicts with basic precepts concerning the patient-physician relationship and physicians’ ethical responsibilities to safeguard that relationship. “From ancient times, physicians have recognized that the health and well-being of patients depends upon a collaborative effort between physician and patient.... The patient-physician relationship is of greatest benefit to patients when they bring medical problems to the attention of their physicians in a timely fashion, provide information about their medical condition to the best of their ability, and work with their physicians in a mutually respectful alliance.” AMA, Ethical Opinion 10.01 (“Fundamental Elements of the Patient-Physician Relationship”). Because the success of diagnosis and treatment depends on patients’ willingness to divulge often private and highly sensitive information to their physicians, the patient-physician relationship “is based on trust and gives rise to physicians’ ethical obligations to place patients’ welfare above their own self-interest and above obligations to other groups, and to advocate for their patients’ welfare.” AMA, Ethical Opinion 10.015 (“The Patient-Physician Relationship”). Contrary to these obligations, the FTC requires physicians to approach each new patient with skepticism concerning his or her identity. As a result, the FTC’s Extended Enforcement Policy compromises physicians’ ability to gain new patients’ trust, which is essential to the well-being of patients.

Finally, the AMA argues that, when Congress intends to regulate the practice of medicine, it does so expressly (e.g., in enacting the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)).

The Court's Analysis in ABA v. FTC

Naturally, the analysis of the District Court in ABA v. FTC (currently on appeal) is of interest here. In that case, the court applied the test for review of agency action set forth in Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), and concluded that the FTC's actions violated the Administrative Procedure Act and must be rejected "because the Red Flags Rule cannot be properly applied to attorneys in the overly broad manner in which the Commission seeks to enforce it."

First, the court found that "it was not 'the unambiguously expressed intent of Congress,' Chevron, 467 U.S. at 842-43, to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule." Footnote 9 of the court's decision, while dicta, is particularly interesting for purposes of the new AMA lawsuit. There, the court rejected the FTC's reliance on a particular Sixth Circuit case regarding medical providers:

The Court is not persuaded that the Commission's reliance on Barney v. Holzer Clinic, Ltd., 110 F.3d 1207 (6th Cir. 1997), is sound given that the Sixth Circuit expressly refused to address the question of whether a medical services provider was a creditor under ECO Act, id. at 1209 . . . and made findings to the contrary, id. at 1211 ("The provision of medical treatment under this program is not a credit transaction, either under the technical language of the ECO[ Act] or in the more common sense of the term, any more than is a court-appointed attorney's agreement to represent an indigent defendant.").

(Emphasis added.)

The court also rejected the FTC's reliance on the Federal Reserve Board's staff notes to Regulation B (which state that, if a doctor or lawyer allows the client or customer to defer the payment of a bill, that deferral of debt is credit for purposes of the “incidental credit” regulation, even though there is no finance charge and no agreement for payment in installments).  The court did so "because those interpretations were made in a context totally unrelated to identity theft, and therefore the Court is not convinced that it is proper to presume that Congress intended to adopt the Regulation B interpretations when it enacted the FACT Act. Accordingly then, absent any legislative history showing that the Federal Reserve Board's staff's interpretation of Regulation B was actually considered by Congress when enacting the FACT Act, and given that the purposes of the FACT Act and Regulation B do not square with one another, the Court cannot draw the inference the Commission urges."

The court also noted that monthly billing by lawyers is driven by practical considerations:  "Invoicing clients for services previously rendered, instead of demanding immediate payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."

Although the court resolved the issue under the first prong of Chevron, it went on to determine that, "even if [it] were to reach question two of Chevron by finding that the FACT Act did not foreclose the Commission's regulation of attorneys, it would still find that the Commission's interpretation of the FACT Act and its resulting application of the Red Flags Rule to attorneys is unreasonable and therefore undeserving of deference." 

In its Chevron prong two discussion, the court took issue with the FTC's interpretation of what it means to "defer" payment, again noting the practicality of monthly billing by lawyers:

To invoice a client at the end of each month is not delaying payment or giving a client a right to postpone payment. As a practical matter in the legal context, legal services are not the type of services that can in many instances be billed and payment received simultaneously with the occurrence of the services, as can be done, for example, when one's furnace is repaired or catering services are provided for a wedding. . . . And as a practical matter, it would be unreasonable to expect attorneys to bill for services in any manner other than periodically, especially given the frequent unanticipated services attorneys have to perform for their clients or the practical reality that clients may lack the ability to immediately access funds when legal services unexpectedly have to be performed without delay. Not only would immediate billing and collection of fees and expenses be impractical, considering the unique nature of the practice of law, but contrary to the Commission's position, conducting a legal practice in that manner would be extremely costly and time consuming. It does not take much imagination to appreciate the added cost and burden attorneys would incur if they were required to immediately calculate, bill and collect their fees after each task is performed or else run afoul of the Commission's construction of the FACT Act through its adoption of the Red Flags Rule.

Query whether the same analysis should apply to physicians. We shall see.

So, Must Physicians Comply with the Red Flags Rule by June 1?

Yes, for now. Indeed, the BNA Privacy and Security Law Report reports that, pending resolution of the litigation, the AMA has encouraged physicians to comply with the Rule, using online resources provided by the AMA.


Is Your Organization's Red Flags Rule Identity Theft Prevention Program Ready for Primetime?

As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008). Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors." Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1. For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports – Risk & Compliance, reproduced here with the permission of Bloomberg. Read on . . .

Code or Clear? Encryption Requirements (Part 2)

In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

State Security and Breach Notification Laws

Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.

All of these laws provide an exemption from the notice obligation if the data were encrypted (some add that the exemption applies only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California's Office of Privacy Protection published guidance specifically on the subject of "Recommended Practices on Protecting the Confidentiality of Social Security Numbers" in April 2007, which has only this to say about encryption, on page 11:

"Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets."

Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.

Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.

Massachusetts

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.

The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.

Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.

The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:

“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .

(5) Encryption of all personal information stored on laptops or other portable devices . . .”

The level and type of encryption are not specified.

Nevada

Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.

The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.

Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically "outside of the secure system of the data collector" or if the data is stored on a device (laptop, USB drive, etc.) that is moved "beyond the logical or physical controls of the data collector or its data storage contractor."

“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:

“‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.

HITECH

Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.

HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:

“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”

Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.

Red Flags

The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.

The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)

For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).

The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.

Who Must Comply with FACTA's Red Flags Identity Theft Rule?

According to the FTC, any company that "regularly defer(s) payment for goods or services". . .

On October 31, 2007, the FTC released the Red Flags Identity Theft Rule (the "Red Flags Rule" or the "Rule").  The Red Flags Rule requires "covered entities" to conduct a risk assessment to determine if they have "covered accounts," which are consumer-type accounts that pose a reasonable risk of identity theft.  If a covered entity does have covered accounts the Red Flags Rule requires the entity to develop and implement a written Identity Theft Program to identify, detect and respond to possible risks of identity theft.  The deadline to comply with the Red Flags Rule was November 1, 2008.  The FTC, however, announced that it would suspend enforcement of the Rule until May 1, 2009 (note that the enforcement date suspension DID NOT impact the compliance deadline -- all covered entities should have been in compliance by November 1, 2008).

Recently a controversy has arisen as to what constitutes a "covered entity" that must comply with the Rule.  The FTC has taken the position, based on various definitions in the Rule and other relevant statutes, that the Rule applies to any company that "regularly defers payment for goods or services."  This can include any company that does not require payment at the time goods or services are provided, including for example doctors, hospitals, lawyers, merchants and repairmen.  As such the potential scope of the Rule is enormous and all companies should investigate whether they are subject to it.

The FTC's Position on the Scope of the Red Flags Rule

While it is obvious that the Red Flags Rule applies to traditional financial institution type companies (e.g. banks, credit unions, mortgage companies, etc.), the FTC's interpretation of "covered entities" could impose the Red Flags Rule on "non-financial" entities.  The Rule defines "covered entities" as either "creditors" or "financial institutions."  The current controversy revolves around the term "creditor," which is defined by the Rule by referring to the definition in the Equal Credit Opportunity Act ("ECOA").  Under the ECOA, "creditor" means:

"any person who regularly extends, renews, or continues credit;  any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit."

The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor."  In a letter to the American Medical Association on this issue, the FTC cited Federal Reserve Board's elaboration on the definition of creditor and credit:

In its Official Staff Commentary to Regulation B, the Federal Reserve Board makes clear that the terms "creditor" and "credit" under the ECOA should be interpreted broadly so as to include all entities that defer payments, even in the normal course of a traditional billing process. As the Official Staff Commentary states, "[i]f a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments."

In the same letter, the FTC also cited favorably to a legal treatise on the issue:

Similarly, one recent legal treatise on the subject explains that "[b]ecause credit under the ECOA involves any simple deferral of payment, even if there are no finance charges or installments, the ECOA applies to many transactions where the consumer pays after receiving the goods or services, such as doctor and hospital bills, bills from repair persons and other workers, and even a local store where a customer runs up a tab."

The Impact of the FTC's Interpretation

The FTC's interpretation of "creditor" potentially extends the Red Flags Rule to large swaths of the economy.  Taken to its logical conclusion, any company that does not require immediate payment for goods or services could be considered a "creditor."  This could include law firms, hospitals, insurance companies, telecommunication companies, doctors and a host of other businesses that provide products or services and bill for them later.  While the number of entities that need to comply with the Rule may be significant, the FTC also recognizes that entities posing a lower risk of identity theft may comply with the Rule by implementing simpler (relative to high-risk entities) written Identity Theft Programs.  The difference between low-risk and high-risk will vary depending on the particular circumstances.

What should a company do if it does allow deferred payments?

At this point, it appears that such companies must investigate whether they handle "covered accounts" and ascertain the identity theft risk associated with those accounts.  The Rule is also, unfortunately, not clear on what constitutes a covered account in this context.  Moreover, since business models vary, the risk posed and red flags established will likely vary between companies.  Companies should retain counsel to work through these issues and help develop an Identity Theft Program.

In theory at least, lower risk and less complex entities will face lower compliance burdens and costs to achieve compliance.  Nonetheless, because of the need to investigate the applicability of the law and the potentially fact-intensive process of assessing identity theft risk and crafting a program for a particular company, the costs may be significant for some companies (especially "high-risk" entities).  More coming on compliance burdens in a future article on this blog.

FACTA Development: The "Credit and Debit Card Receipt Clarification Act of 2007" Signed into Law.

The FACTA class action litigation saga has taken a new twist. Congress has passed and the President has signed the Credit and Debit Card Receipt Clarification Act of 2007 (the "Act") into law. The Act will likely provide a large set of FACTA class action defendants with the ability to escape expensive litigation and liability.

As previously reported, plaintiffs have filed FACTA class action lawsuits based not on the printing of the payment card number on an electronically printed receipt, but simply based on the printing of the expiration date on a receipt (see for example the StubHub case referenced in this post). In fact, the relevant FACTA section establishes an "either/or" scenario:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

15 U.S.C. 1681c(g) (emphasis supplied). If a plaintiff is able to establish a willful violation of FACTA, a court could award statutory damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm.

Unfortunately, dozens of companies that had made the effort to truncate the payment card numbers nonetheless were sued in FACTA class actions alleging a failure to remove the expiration date from payment card receipts (see e.g. Troy v. Home Run Inn, No. 07CV4331 (N.D. Ill. 2008); Cicilline v. Jewell Food Stores, No. 07CV2333 (N.D. Ill. 2007)).

Congress passed the Act in light of these "expiration date only" FACTA lawsuits. The relevant part of the Act states:

(d) Clarification of Willful Noncompliance- For the purposes of this section, any person who printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment of this subsection but otherwise complied with the requirements of section 605(g) for such receipt shall not be in willful noncompliance with section 605(g) by reason of printing such expiration date on the receipt.

(emphasis supplied). In essence this language appears to block plaintiffs from going after statutory damages under FACTA. Since those statutory damages are the only reason these cases are attractive to plaintiffs attorneys, it is likely that class actions on this basis will not be pursued.

Significantly, the Act applies retroactively: it would apply to FACTA lawsuits already filed on the basis of printing the expiration date on the receipt.

This is obviously good news for defendants. However, the way Congress went about this raises some questions. Rather than "clarifying" the law by stating that printing just the expiration date is not a violation of FACTA, Congress left the door open for plaintiffs that suffer "actual harm" based on the "non-willful" printing of the expiration date. Admittedly, few if any plaintiffs will be able to establish actual harm in this context. However, there is a certain logic gap at play here.

Congress has said unequivocally, regardless of the actual facts of the case, that printing the expiration date shall not be "willful noncompliance." What if, in an (extreme) hypothetical, a defendant wrote an email stating:

I, President of ABC company, understand that FACTA prohibits the printing of a credit card expiration date on the receipt, but for financial reasons I intend to not follow that legal requirement.

Based on the Act, there would still be no willful violation even though under this hypothetical there was one in layman's terms. Of course in "real life" this email likely does not exist, but there could be lesser evidence establishing "willfulness" that could be in play. In short, Congress took an awkward, somewhat Alice-in-Wonderland approach to rectify the situation, and hopefully it does not give plaintiffs a hook to keep these cases in court (clearly more research would be needed as to how legislative intent is factored in these scenarios). Regardless, at the minimum, this gives the FACTA defendants great litigation leverage on this issue.

FACTA Class Action Certified (N.D. Illinois)

All, a link to a recent case that certified a class action under FACTA based on credit card receipts with more than the last five digits and expiration date: (Meehan v. Buffalo Wild Wings Inc., N.D. Ill., No. 07 C 4562)

Interestingly this case goes against rulings in the 9th, 10th and 11th Circuits, which ruled that the "superiority" requirement of Rule 23(b) had not been met because of the potentially staggering statutory damages available under FACTA ($100 to $1000 per violation).

In this case, the court followed 7th Circuit precedent that held that classes could be certified despite staggering damage potential. In this Circuit the issue of staggering damages, however, can still be challenged as a violation of due process rights after the certification.

In short, the certification provides the plaintiffs with more leverage because the class has been established and plaintiffs' attorneys will have a large economic incentive to argue all the way through the due process arguments. Companies operating in the jurisdiction of the 7th Circuit should be very careful with their credit card receipts.

FACTA Privacy Lawsuit Developments - Companies Sued for Online Credit Card Receipts

This month's newsletter follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance LLC ("ISC") explored in its April and June 2007 newsletters (What You Don't Know Just Might Hurt You. - April 2007; FACTA Privacy Class Action Lawsuit Developments - Bad News and Good News for Merchants). Recently plaintiffs have filed lawsuits against companies displaying credit card receipts on the consumer's computer screen (not printed on a paper receipt), and at least one court has denied a merchant's motion to dismiss a case based on online credit card receipts. In other words, the FACTA credit card receipt prohibitions may not be limited to paper receipts.

FACTA Summary

As discussed previously by ISC, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and prohibits printing a credit card's expiration date on the receipt. FACTA specifically provides:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

***

(2) LIMITATION.--This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.

15 U.S.C. 1681c(g) (emphasis supplied). A single willful violation of FACTA could result in damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Recent Suits Filed Against Online Companies

In a complaint filed August 8, 2007 in the U.S. District Court for the Southern District of Florida, plaintiffs alleged that after they purchased iPods and other electronic equipment from Apple Computer Inc. online, the company provided receipts that included the full credit or debit card number used to make the purchase (Maria v. Apple Computer Inc., S.D. Fla., 1:07-cv-22040-AJ, complaint filed 8/8/07).

In addition, in a complaint filed in the U.S. District Court for the Southern District of Illinois, plaintiffs alleged they received receipts with their full payment card number information after they paid for hotel reservations and services online through a subsidiary of Expedia Inc. (Sutton v. Expedia Inc., S.D. Ill., No. 3:07-cv-00547-GPM-DGW, complaint filed 7/31/07).

These lawsuits may have been initiated because of a recent ruling against Stubhub Inc. in a FACTA lawsuit.

Stubhub Ruling: On-Screen Credit Card Receipt Qualifies as "Printed"

Stubhub, Inc., an online ticket broker, was sued for a violation of FACTA based on an electronically generated credit card receipt, and the plaintiff in that case survived a motion to dismiss the case. In July 2007, the U.S. District Court for the Central District of California ruled that a credit card expiration date appearing on an electronically generated receipt qualifies as "printed" for purposes of FACTA (Vasquez-Torres v. Stubhub Inc., C.D. Cal., No. CV 07-1328, motion to dismiss denied 7/2/07).

Since the term "print" was not defined in FACTA, Stubhub and the court looked to common dictionary usage for guidance on the definition. Stubhub cited Webster's Third New International Dictionary, which defines "print" in part as "to make an impression in or upon." The court held that even under Stubhub's definition, Stubhub had "made an impression upon" a computer screen when it displayed the credit card expiration date. The court also cited Merriam-Webster's Collegiate Dictionary (10th ed. 2002, p. 924), which defined "print" as "to display on a surface (as a computer screen) for viewing."

In addition, the court held that its ruling was consistent with the purposes of FACTA: to prevent identity theft in all its forms. The court reasoned that a narrow interpretation limited to paper-printed records did not comport with the broad goals of FACTA in combating identity theft. The court stated that if Congress intended to exclude receipts printed on a computer screen, it could have explicitly done so as it did for the exclusion of "transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card."

Conclusion

While some of the recent rulings on class certification may have slowed down the FACTA lawsuits for plaintiffs, the potential for lawsuits with respect to online credit card receipts poses considerable challenges to organizations. Just getting sued and having to incur substantial fees to defend the suit could be an expensive and distracting proposition. Companies, working with attorneys and IT professionals, should conduct an inventory of their online consumer systems to determine whether any of their websites or portals displays credit card confirmations or receipts with expiration dates or credit card numbers in excess of the last five digits. If such information is displayed, organizations should seek to technologically disable that display. In addition, service providers (e.g. ecommerce payment processors, hosters, application service providers) that may be working with companies displaying credit card information using the service provider's systems, should consider informing their customers of FACTA and adding contract terms to protect themselves from FACTA liability.
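The inventory described above can be partly automated. The following added example (written for this page, not code from ISC or the original post) scans receipt text, whether from a paper template or an on-screen confirmation page, for card numbers that show more than the last five digits or a labelled expiration date, and rewrites the receipt to the truncated form the statute permits; the sample receipt, regular expressions and function names are constructed for this illustration.

```python
"""FACTA receipt check for 15 U.S.C. 1681c(g): at most the last 5 digits of
the card number and no expiration date on an electronically printed receipt.
Added example; the regexes and sample receipt are constructed for illustration."""
import re

# Candidate card numbers: 13 to 19 digits, optionally grouped by spaces or dashes.
# Mask characters (* x X #) are accepted inside the run so that already-truncated
# receipts are recognised and only their visible digits are counted. Any other
# 13+ digit run (e.g. a long order id) is also flagged, deliberately, for review.
PAN_RE = re.compile(r"(?<![\d*xX#])[\d*xX#](?:[ -]?[\d*xX#]){12,18}(?![\d*xX#])")
# Expiration dates such as 03/09, 03/2009 or 03-09, flagged only on a line that
# labels them as an expiry so that transaction dates are not miscounted.
EXP_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*[/-]\s*(\d{2}|20\d{2})\b")
EXP_LABEL_RE = re.compile(r"\bexp(?:ir(?:y|es|ation))?\b", re.IGNORECASE)

MAX_VISIBLE = 5  # FACTA: no more than the last 5 digits of the card number


def visible_digits(candidate: str) -> int:
    """Count the unmasked digits in a card-number candidate."""
    return sum(ch.isdigit() for ch in candidate)


def find_violations(receipt_text: str) -> list:
    """Return [(line_no, kind, offending_text)] for each 1681c(g) problem.

    kind is "card_number" when more than the last 5 digits are visible and
    "expiration_date" when a labelled expiry appears on the receipt."""
    problems = []
    for line_no, line in enumerate(receipt_text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if visible_digits(m.group()) > MAX_VISIBLE:
                problems.append((line_no, "card_number", m.group()))
        exp = EXP_RE.search(line)
        if exp and EXP_LABEL_RE.search(line):
            problems.append((line_no, "expiration_date", exp.group()))
    return problems


def mask_receipt(receipt_text: str) -> str:
    """Rewrite a receipt so that it passes find_violations: keep only the last
    5 digits of any card number and blank out labelled expiration dates."""
    def mask_pan(m):
        out, digits_seen = [], 0
        # Walk from the right so exactly the trailing 5 digits survive.
        for ch in reversed(m.group()):
            if ch.isdigit():
                digits_seen += 1
                out.append(ch if digits_seen <= MAX_VISIBLE else "*")
            else:
                out.append(ch)  # keep separators so the layout is unchanged
        return "".join(reversed(out))

    lines = []
    for line in receipt_text.splitlines():
        line = PAN_RE.sub(mask_pan, line)
        if EXP_LABEL_RE.search(line):
            line = EXP_RE.sub("**/**", line)
        lines.append(line)
    return "\n".join(lines)


# Constructed sample of a non-compliant on-screen confirmation (test card number).
RECEIPT = """ACME Online Store - Order Confirmation
Order #: A1B2C3
Date: 07/31/07
Visa 4111 1111 1111 1111
Exp: 12/09
Total: $59.99
Thank you for your purchase."""

if __name__ == "__main__":
    for line_no, kind, text in find_violations(RECEIPT):
        print(f"line {line_no}: {kind}: {text}")
    print(mask_receipt(RECEIPT))
```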

FACTA Privacy Class Action Lawsuit Developments - Bad News and Good News for Merchants

This month's post follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance explored in its April 2007 newsletter (What You Don't Know Just Might Hurt You. - April 2007). In bad news for merchants defending these FACTA suits, the U.S. Supreme Court ("USSC") upheld a broad interpretation of "willful violation" of FACTA. However, in good news for merchants, citing potential bankruptcy-inducing damages ranging from $340 million to $3.4 billion, a U.S. District Court in California refused to certify a 3.4 million person class alleging FACTA violations.

FACTA Summary

As discussed in April, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card's expiration date on the receipt. A single willful violation of FACTA could result in damages ranging from $100 to $1,000 (FACTA is incorporated into and part of the Fair Credit Reporting Act ["FCRA"]), without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Perhaps the key issue to date for these cases is the meaning of "willful violation." In two separate FCRA cases in a different context (Geico v. Edo and Safeco Ins. v. Burr), the U.S. Court of Appeals for the Ninth Circuit ruled as follows:

In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers' rights.

Both of these Ninth Circuit cases were appealed to the USSC, which was asked to rule on whether the Ninth Circuit's interpretation of "willful violation" was valid. The general consensus among commentators was that the Ninth Circuit's interpretation would make it less difficult to collect statutory damages for FACTA credit card receipt violations, and that a narrow interpretation had the potential to cripple these FACTA class action suits for plaintiffs.

U.S. Supreme Court's Ruling on "Willful Violations" Under FACTA

In Geico and Safeco, the class plaintiffs alleged that the insurance company defendants violated the FCRA by failing to provide notice of insurance policy changes based on the plaintiffs' credit scores. The plaintiffs argued that "willful violation" included not only "knowing" violations of FCRA, but also reckless disregard of FCRA statutory duties. Turning to precedent interpreting similar language in other statutes and under common law, the USSC ruled against the insurance companies and concluded that the Ninth Circuit's ruling was correct: one can "willfully violate" FCRA by knowingly violating the statute or acting in reckless disregard of the FCRA obligations.

In short, the USSC adopted a standard of proof that is more lenient for plaintiffs seeking to establish willful violations of FCRA obligations. Plaintiffs will still face obstacles in proving reckless disregard. However, a merchant's claim that it did not know of the FACTA requirements may not serve as a complete bar; plaintiffs will likely be able to present evidence concerning the merchant's efforts to discover its FACTA obligations and whether or not the merchant should have known about the FACTA credit card requirements.

FACTA Class Action Certification Denied

In good news for merchants, in May 2007 the U.S. District Court for the Central District of California rejected a motion to certify a class action in Spikings v. Cost Plus, Inc. The Court focused on whether a class action would be superior to other methods of adjudication as required under Rule 23(b)(3) of the Federal Rules of Civil Procedure. The Court cited other cases ruling that Rule 23(b)(3)'s "superiority requirement" was not met where the defendant's liability "would be enormous and completely out of proportion to any harm suffered by the plaintiff." It also listed other cases that generally denied class certification, including an FCRA case, where the damages would be "absurd" relative to harm suffered.

In this case, the Court noted that if the class was certified the potential statutory penalties ranged from $340 million to $3.4 billion (based on a penalty ranging from $100 to $1000 per violation for 3.4 million class members), despite the fact that the lead plaintiff testified that he or she did not suffer any actual damages. The court noted that the entire Cost Plus organization was worth approximately $316 million and that a judgment on a class action in this case for even the minimum fine would bankrupt it. The Court further noted that Cost Plus began truncating its credit card receipts as soon as it became aware of the technical violation of FACTA, and that it was possible for the class plaintiffs to file individual suits to recover damages. Finally, the court noted that certifying the class opened the potential for abuse by plaintiffs' attorneys in the form of solicitation of unnecessary litigation. Based on the foregoing, the Court denied the plaintiffs' motion for class certification.

Conclusion

While the USSC's decision concerning "willful violation" of FACTA may be disappointing for merchants under suit, if the Spikings decision survives appeal the "teeth" associated with these lawsuits may have been extracted. The same logic that applied in the Cost Plus matter could apply to other retailers that face insolvency if they lose a class action suit. It's hard to imagine courts desiring to put some of the top U.S. retail brands out of business when no actual harm has been shown to have occurred. Paradoxically, the reason that these suits are being filed in the first place (the large number of plaintiffs and the potential for a large pay-off for plaintiffs' attorneys through class action) is the same reason they may ultimately be unsuccessful. If plaintiffs' lawyers cannot proceed using the class action mechanism it will not likely be cost effective to pursue individual cases.

Nonetheless, it is premature to come to any firm conclusions on the reasoning set forth in the Spikings decision since it will likely be appealed and there also may be other district courts across the country that could rule differently. If Spikings is overruled, the USSC's decision may provide plaintiffs' counsel with significant arguments and settlement leverage. At the bare minimum, until some of these issues are resolved by higher courts, merchant-defendants will have to incur significant legal fees to fight these matters.

InfoSecCompliance will keep you updated concerning any other material developments in this matter.

What You Don't Know Just Might Hurt You.

"As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."

--Donald Rumsfeld, Feb. 12, 2002

Regardless of what one thinks of Donald Rumsfeld's tenure as Secretary of Defense, these words hold a pearl of wisdom that applies to organizations struggling to comply with privacy and security laws. One of the major difficulties for modern organizations working with private personal information is simply knowing what privacy and security laws apply to their operations. This problem is exacerbated by the fact that, even for smaller- and medium-sized organizations, modern commerce often involves transacting with consumers in multiple legal jurisdictions (e.g. local, State, Federal and international). In short, since privacy and security laws from several jurisdictions may apply, it is highly likely that a lot of "unknown unknowns" exist, which can cause adverse impacts. This month's newsletter explores an instance where unknown unknowns may have come into play in the privacy context, and how organizations can begin to address the problem.

Too Much Information?

FACTA Credit Card Receipt Class Action Suits a Cause for Serious Concern.

In what appears to be a classic case of "unknown unknowns," a rash of over 100 class action lawsuits have been filed in California alleging violation of the Fair and Accurate Transaction Act of 2003 ("FACTA"). Section 15 U.S.C. § 1681c(g) of FACTA limits the information that can be printed on an electronically printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card's expiration date on the receipt. Organizations were provided with a three-year grace period to comply with this Federal law (December 4, 2006 was the first date that compliance was required).

A single willful violation of FACTA (which is incorporated into and part of the Fair Credit Reporting Act ["FCRA"]) could result in damages ranging from $100 to $1,000. Plaintiffs are also entitled to actual damages if they can prove a negligent violation of the FACTA. With companies processing millions of credit card transactions each year the damage potential for these lawsuits is staggering.

These class action suits have been filed against companies such as: Urban Outfitters; IKEA; Chanel Inc.; Toys-R-Us Delaware Inc.; Oakley, Inc.; Rite Aid Corp.; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc. Lawsuits are also spreading outside of California - two lawsuits were filed on March 14, 2007 in the Western District of Pennsylvania.

Thus far, many of the cases have survived motions to dismiss. Defendants have argued that dismissal is warranted because, while section 1681c(g) of FACTA applies to "cardholders," private rights of action are only available to "consumers" under section 1681n of FCRA. This argument was rejected by California courts when raised by Oakley, Inc. and IKEA.

The success of these cases could ultimately hinge on the meaning of "willfully fails to comply" under section 1681n of FCRA. Two 9th Circuit cases (the Federal Appellate Court for California and other western States) have ruled on the meaning of "willfully." In Geico v. Edo, the court alluded to a "recklessness" standard:

In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers' rights. A company will not have acted in reckless disregard of a consumer's rights if it has diligently and in good faith attempted to fulfill its statutory obligations and to determine the correct legal meaning of the statute and has thereby come to a tenable, albeit erroneous, interpretation of the statute. In contrast, neither a deliberate failure to determine the extent of its obligations nor reliance on creative lawyering that provides indefensible answers will ordinarily be sufficient to avoid a conclusion that a company acted with willful disregard of FCRA's requirement. Reliance on such implausible interpretations may constitute reckless disregard for the law and therefore amount to a willful violation of the law (emphasis added).

This interpretation differs from interpretations in other Federal Appellate Districts, and this issue has now been argued before the U.S. Supreme Court (additional Supreme Court briefs and other information can be found here). If the Supreme Court disagrees with the 9th Circuit's (and the 3rd Circuit's) interpretation of "willfully," then these class actions may be difficult for plaintiffs to win (it is doubtful that plaintiffs will be able to establish actual damages to recover for "negligent" failure to comply with FCRA).

Many corporate defendants reported that they were "surprised" by the FACTA credit card receipt requirements despite the three-year grace period to achieve compliance. That seems like a plausible explanation, considering that most rational companies, had they known of this requirement, would most likely have chosen to limit the information on their credit card receipts rather than face a potential fine of up to $1,000 per violation and expensive attorney fees to defend class action lawsuits. Nonetheless, these companies are now experiencing the risks and expense associated with unknown privacy laws.

What should companies do to address "unknown unknowns" when it comes to privacy laws?

Organizations are not omniscient - they cannot possibly know all things at all times in all places. However, they can take action to minimize the risk posed by unknown privacy and security laws, including: (1) designing their privacy programs consistent with Fair Information Practice Principles; (2) acquiring resources to stay on top of privacy and security regulations and case law; and (3) insuring against the unknown.

Fair Information Practice Principles. While the legal requirement to limit credit card receipt data may not be intuitive to all companies, there are certain general activities that rational actors know could get them into trouble when it comes to handling customer information. For example, selling or collecting personal information without notice or consent can obviously be problematic, and as a result there are laws that address those general categories of privacy violations. Addressing general privacy activities and principles can decrease risk even if specific regulatory requirements are unknown.

In fact, many, if not most, privacy and security-related laws reflect the principles and framework set forth in the Fair Information Practice Principles ("FIPP"). FIPP includes: notice/awareness, choice/consent, access/participation, security/integrity and enforcement/redress. If FIPP is the goal and the organization strives to meet that goal with due diligence, that organization will likely have reduced its regulatory privacy risks (relative to organizations that do not consider FIPP).

The problem, of course, is that FIPP does not address every single detail of every privacy law. Some organizations that follow FIPP may have missed the specific requirements of FACTA or may not be aware of the specific notices (and fines) required under the CAN-SPAM Act, HIPAA, GLB and other more obscure laws. Even so, these class action lawsuits demonstrate how adherence to FIPP can help. Those companies diligently concerned with the security/integrity prong of FIPP, even without knowledge of FACTA's specific legal requirement, may have made an independent determination that truncating credit card numbers on receipts is a good practice for protecting credit card information from identity theft. In fact, some organizations likely adopted this practice prior to the FACTA law as the result of due diligence with general privacy principles.

Due Diligence Investigation. Legal violations arising out of privacy or security incidents increasingly threaten organizations in terms of reputation damage, legal fees and damage awards. In fact, more and more companies are dedicating specific resources toward addressing privacy and security legal compliance. The first step is establishing accountability within the organization by appointing a manager solely responsible for privacy compliance (a C-level executive reporting directly to the CEO is the best case), and providing him or her with a budget. The lead privacy compliance officer should hire or work with attorneys to develop a formal process for inventorying the personal information the company handles, tracking the flow of that information across jurisdictions from collection to storage/disposal, and determining the laws that apply to the organization.

Companies should attempt to address the lowest hanging fruit first. In certain industries, such as finance and healthcare, comprehensive privacy laws exist such as GLB and HIPAA. If the personal information of European or Canadian companies is at issue, the national privacy law of those countries should be considered.

Determining the applicability of privacy and security laws requires a continuous effort that considers changes in both the organization's internal privacy practices and the law. Those responsible for privacy compliance should engage in frequent and comprehensive communications with business managers whose units collect and handle personal information. Companies should track laws and legislation, and subscribe to privacy and security reporters and websites (feel free to contact me for a list of sources). A person who can make the link between organizational practices and changes in privacy laws, and judge how those changes might impact the organization, should be dedicated to tracking internal practices and privacy laws.

Privacy and Security Liability Insurance - Risk Transfer. Insurance is a very important tool for managing the "unknown unknowns." For companies that operate across multiple jurisdictions, it is virtually impossible to know every law and how every part of an organization is reacting or failing to react to that law. This means that residual risk exists that must either be tolerated by the organization or transferred to a third party.

Privacy and security liability insurance is an excellent tool for decreasing a company's risk load under these circumstances. While the uncertainty inherent in complying with every security or privacy law still exists for insurers, insurers can spread their risk across thousands of organizations. Moreover, even if aggregated events occur, as long as the insurer has a good financial rating, they should be able to absorb the loss. Even insurance companies without the highest financial ratings are typically reinsured by large reinsurers who are able to weather adverse situations.

The ability of insurers to underwrite privacy and security liability risks in a world where such risks are sometimes "unknown" addresses the main problem of modern organizations. Instead of expending huge amounts of resources to achieve an unattainable level of "perfect security," or researching, discovering and analyzing every possible privacy law that applies to them, insurers can take the risk and help their insureds avoid those expenses.

That is not to say that insurers will insure companies with bad privacy practices or poor information security. To be insurable, at a minimum, "reasonable" security and privacy practices must be present (and what is reasonable can vary from insurer to insurer). Nonetheless, most companies that can establish "due diligence," and have practices and policies adhering to FIPP and generally accepted security standards such as ISO 17799, will likely be insurable.

There are two key challenges for companies that want to use insurance as a risk management tool in this context. First is implementing security and privacy practices that meet a level of reasonableness at the lowest price. As long as insurance is available, spending more to achieve "more than reasonable" privacy/security may not be cost-effective. Moreover, large security and privacy overhauls can be disruptive to business. The risk avoided by implementing costly controls can be transferred for the price of an insurance policy which typically costs less than the controls.

Second, and perhaps most important for an organization that wants to manage risk through insurance, is ensuring that the privacy and security insurance policy it chooses actually covers the risks the organization desires to transfer. If it does not, the organization will be left handling the costs of that risk on its own. It takes a concerted effort by risk managers and key business stakeholders to understand not only the potential risks, but also how they might impact the organization if the risk is realized.

On the other side of the equation, since the current crop of security and privacy policies vary in their approach and coverage scope, it is not always easy to get a clear picture of what is covered. Organizations should make sure they have good brokers or insurance consultants who understand the specific risks of their company and the insurance products available to cover such risks. In all, if some time and effort is taken to understand the range of security and privacy insurance options, insurance can be a very cost-effective and efficient tool for dealing with "unknown unknowns."

Conclusion

While the risks and problems associated with unknown privacy or security regulations may never be fully solved, the awareness of organizations and the skill and talent available to address the problem are probably at their highest. Companies simply need to acknowledge the fact that unknown unknowns exist in the privacy world, and dedicate time and resources toward at least converting them into "known unknowns." Even unaddressed privacy laws are better than unknown laws, because at least the organization is aware of some risk and presumably has factored it into its overall risk management scheme. Organizations that are serious about understanding the full scope of their risk need to engage in a due diligence investigation, and need to at least try to adhere to common industry privacy practices and security standards. Companies should also seriously consider transferring their residual risk rather than engaging in potentially never-ending and expensive attempts to "eliminate" their risk. When these steps are taken, organizations can decrease the risk and loss associated with unknown security and privacy laws.