We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This blogpost post looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security.
Last week, Politico ran an interesting piece suggesting that federal privacy legislation may see the light of day in 2011. Democratic supporters of the legislation show no signs of slowing down. In the Senate, John Kerry (D-Mass.) is working on privacy legislation based on a bill he proposed last year. Senator Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce Committee, is planning to hold public hearings on Internet privacy starting in February. Of course the key to the success of federal privacy legislation lies in the House, and there Republicans have voiced support for a privacy bill as well. Rep. Cliff Stearns (R-Fla.), Chairman of the Subcommittee on Oversight and Investigations at the House Energy and Commerce Committee, has said that the privacy bill introduced last year by former representative Rick Boucher (D-Va.) could be revised and reintroduced with Republican support (Rep. Stearns co-sponsored the Boucher bill). This sentiment was echoed by Rep. Mary Bono Mack (R-Calif.), Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade. According to Politico, Rep. Bono Mack informed her colleagues on the subcommittee that she remains committed to addressing privacy issues.
In the last hour, the news broke that the FTC has again extended the compliance deadline for the FACTA Red Flags Rule, this time to December 31, 2010, "[a]t the request of several Members of Congress." The FTC's press release of this morning is here. This is the fifth time the FTC has extended the enforcement deadline. As usual, the FTC's extension does not affect "other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight."
As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.) Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.
As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes.
As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008). Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors." Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1. For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports - Risk & Compliance, reproduced here with the permission of Bloomberg.
Friday was a busy day for identity theft and data security regulations. Not long after the Federal Trade Commission announced it was extending the enforcement deadline for the Red Flags Rule for the fourth time, word came from BNA's Privacy & Security Law Report that the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) had filed with the Massachusetts Secretary of State its final amendments to 201 CMR 17.00, the state's data security regulations. BNA reported that OCABR plans to make the amendments public sometime this week. BNA further reported that there are no major changes, but that there will be some clarification with respect to contracts between persons who own or license personal information and third-party service providers (201 CMR17.03(2)(f)(2)). You can check out Dave's post on the last round of significant revisions to the regulations in August, complete with redline. We have seen a lot of activity in the blogosphere about the new changes, but nothing official yet. And so far, no announcements of further delays in the effective date, currently set for March 1, 2010. We will report as soon as we hear more information.
The FTC extended the deadline for enforcement of the Red Flags Identity Theft Rule. The new enforcement deadline is June 1, 2010. The deadline was extended at "the request of Members of Congress." www.ftc.gov/opa/2009/10/redflags.shtm
In the last post, I talked about the role of encryption in fashioning a "reasonable" security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.