The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

The FTC again announced that it will delay enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.  In its press release announcing this development, the FTC stated that Members of Congress requested the delay. The FTC press release announcing the enforcement delay is available at:

Court Decides that FTC Cannot Make Lawyers Comply With Red Flags Rule

Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with the Red Flags Rule.

The FTC’s scheduled enforcement date for the Red Flags Rule is November 1. The American Bar Association challenged the Rule’s applicability to lawyers, arguing that it would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered. The FTC replied that lawyers should be covered because billing practices, such as charging clients on a monthly basis rather than upfront, made them “creditors” under the plain language of the Rule.

Judge Walton rejected the FTC’s definition of a creditor, stating that under the FTC’s interpretation, a plumber who charges a customer after working on a toilet for two days also would be considered a "creditor."

It is not clear at this point whether the FTC will appeal the decision.

An article about this development is available at:

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions’ required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies’ final model notice will take effect in 30 days.

The financial services agencies’ announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.  More information about the model notice is available here.

DMA Adopts Behavioral Targeting Guidelines

The Direct Marketing Association (DMA) announced additions to its Guidelines for Ethical Business Practices that address online behavioral advertising (OBA) and mobile marketing.   

The new OBA guidelines are designed to follow the previously-released seven Self-Regulatory Principles adopted by DMA; the Association of National Advertisers; the American Association of Advertising Agencies; the Interactive Advertising Bureau; and the Council of Better Business Bureaus.   

Among the new OBA rules is a requirement that when information is collected from or used on a website for online behavioral advertising purposes, visitors should be provided with notice (easy to find, read, and understand) about the third party’s policies for online behavioral advertising.  The rules also describe methods that third parties should use to provide notice about OBA. 

The mobile marketing sections are described as an expansion of DMA’s existing guidelines for wireless communications and require, among other things, prior express consent for mobile marketing.  

A press release announcing and linking to the guidelines is available at:

House Approves Bill to Exempt Certain Entities From FTC Red Flag Rules

On Oct. 20 the House approved H.R. 3763, a bill that would exempt certain businesses from the Federal Trade Commission’s (FTC’s) Red Flags Rules. Under the bill, health care, accounting, and legal practices with 20 or fewer employees would be excluded from the Rules’ definition of a "creditor," and the FTC also would be required to issue new regulations allowing any business to apply for an exemption.

To date the Senate has not introduced a companion bill.

The FTC’s enforcement deadline for the Rule is November 1, 2009.

A copy of the bill is available at:

Information about the FTC’s Red Flags Rule is available at:

FTC COPPA enforcement action: Iconix Brand Group, Inc.

The FTC announced a settlement with Iconix Brand Group under which Iconix will pay a $250,000 civil penalty to settle FTC allegations that the company violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents’ permission.

Iconix owns, licenses, and markets (offline and on its websites) apparel brands including Mudd, Candie’s, Bongo, and OP. The FTC alleged that Iconix required consumers on certain of its websites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other website features. On one website, Iconix also allegedly enabled girls to publicly share personal stories and photos online. The FTC alleged that in connection with certain of these sites, since 2006, Iconix knowingly collected and stored personal information from approximately 1,000 children without first notifying their parents or obtaining parental consent in violation of COPPA.

Information about the settlement can be found on the FTC’s website, at:


Judiciary Committee Recommends Repeal of Maine Privacy Law

The judiciary committee for the Maine legislature voted Friday to recommend the repeal of the controversial Maine privacy law that restricts gathering or publishing information about minors. According to Peggy Reinsch, a committee staff attorney, the committee agreed that the measure is unconstitutional because it violates the First Amendment and affects interstate commerce. Ms. Reinsch also reportedly stated that the committee is recommending that the legislature draft a more limited measure addressing the collection of minors’ health-related information. An article about this development is available at:

Court Reconsiders Retail Liability in Hannaford Breach Case

U.S. District Court Judge D. Brock Hornby, who is overseeing a Maine data breach case involving a 2007-2008 breach of the Hannaford Brothers supermarket chain, has reversed his earlier decision to dismiss a class-action lawsuit against Hannaford Brothers.   

Maine law covering breaches allows consumers to recover damages if the merchant’s negligence caused a direct loss to the consumer’s account.  Judge Hornby is asking the state’s Supreme Court whether "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?” If the Supreme Court decides that such losses do merit compensation, it may eliminate some of the protections that have shielded retailers from legal liability for data breaches. 

Schwarzenegger Explains Veto

Schwarzenegger issued a statement explaining his veto of Senate Bill 20, a bill that would have imposed additional requirements on entities issuing data breach notifications. According to his statement, the bill was unnecessary because "there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices."

A copy of his statement is available at:


Governor Schwarzenegger Vetoes Data Breach Legislation

Governor Schwarzenegger vetoed state Senator Joe Simitian’s (D-Palo Alto) Senate Bill 20, which would have imposed additional requirements on businesses and state agencies that experience a breach of security.

If adopted into law, the bill would have required that consumers be provided with a plain language description of the data loss incident, including the timing of the incident and the type of personal information exposed. Senate Bill 20 also would have directed data holders to submit a copy of the notification letter to the state Attorney General’s office if more than 500 California residents were affected in a single incident.

State Senator Simitian was quoted as saying “I’m surprised as well as disappointed by the Governor’s veto . . . There was no opposition to the bill in its final form. This was a common sense step to help consumers.”

An article about this development is available at