Posts tagged Red Flags Rule

authentication, comerica, commercially reasonable security, contracting, experimetal, FFIEC, layered security, multifactor authentication, patco, phishing, reasonable, Red Flags Rule, Security, security breach, security breach litigation, token, UCC 4A-202

The Duty to Authenticate Identity: the Online Banking Breach Lawsuits

By InfoLawGroup LLP on April 17, 2012

We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This blogpost post looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security.

Boucher, InfoLawGroup, information law group, Kerry, Legislation, privacy, Red Flags Rule, Segalis

Support for Privacy Legislation Survives Change of Power in Congress; Privacy Legislation May Advance

By InfoLawGroup LLP on January 26, 2011

Last week, Politico ran an interesting piece suggesting that federal privacy legislation may see the light of day in 2011. Democratic supporters of the legislation show no signs of slowing down. In the Senate, John Kerry (D-Mass.) is working on privacy legislation based on a bill he proposed last year. Senator Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce Committee, is planning to hold public hearings on Internet privacy starting in February. Of course the key to the success of federal privacy legislation lies in the House, and there Republicans have voiced support for a privacy bill as well. Rep. Cliff Stearns (R-Fla.), Chairman of the Subcommittee on Oversight and Investigations at the House Energy and Commerce Committee, has said that the privacy bill introduced last year by former representative Rick Boucher (D-Va.) could be revised and reintroduced with Republican support (Rep. Stearns co-sponsored the Boucher bill). This sentiment was echoed by Rep. Mary Bono Mack (R-Calif.), Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade. According to Politico, Rep. Bono Mack informed her colleagues on the subcommittee that she remains committed to addressing privacy issues.

compliance, Congress, deadline, extension, FTC, Red Flags Rule

BREAKING NEWS: FTC Extends Compliance Deadline for Red Flags Rule AGAIN to December 31, 2010

By InfoLawGroup LLP on May 28, 2010

In the last hour, the news broke that the FTC has again extended the compliance deadline for the FACTA Red Flags Rule, this time to December 31, 2010, "[a]t the request of several Members of Congress." The FTC's press release of this morning is here. This is the fifth time the FTC has extended the enforcement deadline. As usual, the FTC's extension does not affect "other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight."

ABA, AMA, credit, creditor, defer, deferred, ECOA, FACTA, FCRA, FTC, Red Flags Rule

Physicians Seek Relief On Eve of FTC's Red Flags Enforcement Deadline

By InfoLawGroup LLP on May 23, 2010

As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.) Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.

IAPP, International Association of Privacy Professionals, Red Flags Rule

Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

By InfoLawGroup LLP on April 19, 2010

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.

ABA, Cloud, E-Sign, ethics, privacy professionals, Red Flags Rule, RSA

Thoughts from the RSA Conference

By InfoLawGroup LLP on March 03, 2010

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes.

creditors, deadline, extensions, FACTA, financial institutions, FTC, identity theft, June 1, prevention program, primer, Red Flags Rule

Is Your Organization's Red Flags Rule Identity Theft Prevention Program Ready for Primetime?

By InfoLawGroup LLP on January 18, 2010

As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008). Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors." Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1. For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports - Risk & Compliance, reproduced here with the permission of Bloomberg.

201 CMR 17-00, contracts, data security, OCABR, Red Flags Rule, redline

Final Amendments to Massachusetts Data Security Regulations to Be Announced Shortly

By InfoLawGroup LLP on November 02, 2009

Friday was a busy day for identity theft and data security regulations. Not long after the Federal Trade Commission announced it was extending the enforcement deadline for the Red Flags Rule for the fourth time, word came from BNA's Privacy & Security Law Report that the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) had filed with the Massachusetts Secretary of State its final amendments to 201 CMR 17.00, the state's data security regulations. BNA reported that OCABR plans to make the amendments public sometime this week. BNA further reported that there are no major changes, but that there will be some clarification with respect to contracts between persons who own or license personal information and third-party service providers (201 CMR17.03(2)(f)(2)). You can check out Dave's post on the last round of significant revisions to the regulations in August, complete with redline. We have seen a lot of activity in the blogosphere about the new changes, but nothing official yet. And so far, no announcements of further delays in the effective date, currently set for March 1, 2010. We will report as soon as we hear more information.