The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


UK Regulator Approves Hyatt Hotels BCR – First Approval under the Mutual Recognition Procedure

On September 23, 2009, the Information Commissioner’s Office (the "ICO"), the UK’s data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation’s binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State’s DPA acts as the lead authority on a company’s BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

To review the ICO’s approval, click here.  To read more about BCRs and the mutual recognition procedure, click here and here.


Federal Court Finds Standing for Security Breach Victims Fearing Identity Theft

Citing a trend in data security breach litigation, the U.S. District Court for the District of Connecticut recently found that the fear of identity theft suffices to confer Article III standing on plaintiffs seeking civil damages in the Second Circuit.  Such fear will not, however, sustain negligence claims or claims made under state tort laws absent an allegation of actual harm.  Although the court in McLoughlin v. People’s United Bank Inc. found for the plaintiffs on the issue of subject matter jurisdiction, it ultimately granted the defendants’ motion to dismiss for failure to state a claim because there was no allegation of actual identity theft or other quantifiable harm.  More information on this case and recent holdings of similar effect are available here, here and here.


Becoming HITECH: Actions Covered Entities and Business Associates Should Take Now to Comply with the Requirements of the HITECH Act

The HITECH Act’s breach notice provisions became effective yesterday, but there are many additional features of the statute of which covered entities and business associates should be aware.  For example, the HITECH Act creates several new and potentially burdensome obligations that affect the relationship between covered entities and business associates. Because these changes are quite substantial and necessitate revisions to existing business associate agreements, covered entities and business associates should begin compliance efforts as soon as possible.  Additional commentary on the HITECH Act and implementing regulations is available here and here.


FTC Announces Public Roundtables on Consumer Privacy Issues

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for various purposes.  The roundtables will also consider the adequacy of existing legal and self-regulatory frameworks.  Participants will include academics, privacy experts, consumer advocates, industry representatives, technology experts, legislators, and experts from outside the United States.  The Commission has asked individuals and organizations to submit requests to participate as panelists and suggest discussion topics.  The Commission also has asked interested parties to submit written comments and research on the issues of (i) risks, concerns and benefits associated with the collection and use of consumer information, (ii) consumer expectations of how their information is used, and (iii) the adequacy of existing legal requirements and self-regulatory regimes in protecting consumer privacy interests.

Click here for more information on the Commission’s news release.


FTC’s Robocall Ban is in Effect

As a reminder, the FTC’s ban on unwanted robocalls went into effect yesterday.  Telemarketing calls made to consumers that use prerecorded commercial messages are now prohibited, unless the telemarketer has obtained written permission from customers to make such calls.  Exceptions to this ban include calls made for purely informational purposes, calls concerning the collection of debts where the call does not also promote goods or services, and calls made by politicians, banks, telephone carriers, and most charitable organizations.  Even if telemarketers have obtained written customer consent for robocalls, messages must tell customers at the start of the message how to opt out of receiving such calls in the future, and provide an automated opt-out method.


ABA Challenges FTC’s Red Flags Rule

On August 27, the ABA filed a lawsuit against the FTC challenging the application of the FTC’s Red Flags Rule to lawyers. The Red Flags Rule was promulgated under FACTA and requires financial institutions and creditors to implement identity theft prevention programs by November 1, 2009. These programs are required to identify patterns, practices and activities that are "red flags" for identity theft. Examples of Red Flags include a notice of address discrepancy, a fraud alert or credit freeze on a credit report, identification or an application that looks altered or forged, information that the customer isn’t receiving account statements in the mail, and claims of unauthorized charges on the account.

The ABA alleges that the FTC has taken action in excess of its statutory jurisdiction under FACTA, because Congress did not "directly and plainly" grant the FTC the power to regulate practicing lawyers, who are regulated at the state level. The ABA also claims that the FTC has acted "arbitrarily" and "capriciously" in applying the Red Flags Rule to lawyers, because the FTC has failed to show a "rational connection" between the practice of law and identity theft. The ABA is seeking a declaration by the court that the application of the Red Flags Rule to lawyers is unlawful, and an order permanently enjoining the FTC from including lawyers in its implementation of the Red Flags Rule. The suit is captioned ABA v. FTC, and was filed in the U.S. District Court for the District of Columbia.