© 2007 Morrison & Foerster LLP All Rights Reserved Privacy and Information Security Monthly Update January 9, 2007 Andrew Smith Tom Scanlon Joyita Basu.


2 Outline
Legislation
  Federal: Pretexting, Regulatory Relief
  State: Social Security Number, Security Freeze, and Security Breach Notification
Regulation
  ID Theft Task Force
  Extension of Telemarketing Sales Rule Moratorium
  FACT Act Update
Litigation
  Harrington v. ChoicePoint
  Bell v. Acxiom
Enforcement
  Humana Insurance Co. Consent Order
  Ameriprise Settlement

3 Legislation: Federal
Phone Records Pretexting: H.R. 4709; 18 U.S.C. §
  Sent to the President January 3, 2007
  Criminal violations:
    False statement to employee or customer
    Internet access
    Knowing and intentional sale/transfer or purchase/receipt
      Without authorization, OR
      “[H]aving reason to know such information was obtained fraudulently”
  Compare Gramm-Leach-Bliley Act (“GLBA”): unlawful “to request a person to obtain customer information of a financial institution, knowing that the person will obtain” the information by pretexting. 15 U.S.C. § 6821(b).
  Aggravated pretexting and enhanced penalties

4 Legislation: Federal
Regulatory Relief: Accountants
  P.L , October 13, 2006
  Amends 15 U.S.C. § 6803
  Exempts from GLBA initial and annual notice provisions certified public accountants who are:
    Certified or licensed by a State; and
    Subject to a rule of professional conduct or ethics that prohibits disclosure without consent.
  Compare lawyers: 430 F.3d 457 (D.C. Cir. 2005)
    Narrower: Attorneys “engaged in the practice of law.”
    Broader: GLBA Safeguards; third-party disclosure requirements.

5 Legislation: Federal
Regulatory Relief: GLBA Privacy Notices
  Federal banking agencies and Federal Trade Commission (“FTC”) must “jointly develop a model form.”
  Among other factors, model form must “enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions.”
  Financial institution that uses the model form shall be deemed to be in compliance with the disclosures required under GLBA.
  Model form must be proposed for comment by April 13, 2007.

6 Legislation: State
Social Security Number (“SSN”) Laws
  Recent Effective Dates:
    December 26, 2006: Pennsylvania.
    January 1, 2007: Arkansas, Colorado, and Minnesota.
    July 1, 2007: Vermont.
  Recent Legislation: New York.
  New York Law: Limitations apply to the use of numbers “derived from” a SSN.
  Pennsylvania Law: Exempts financial institutions (as defined by the GLBA), entities covered by regulation under the Health Insurance Portability and Accountability Act, and entities subject to the Fair Credit Reporting Act (“FCRA”).

7 Legislation: State
Security Freeze Laws
  Recent Effective Dates:
    January 1, 2007: Hawaii, Illinois, Kansas, New Hampshire, Oklahoma, Rhode Island, and Wisconsin.
  Recent Legislation: Pennsylvania.
  Pennsylvania Law: Pennsylvania consumers, as opposed to only victims of identity theft, may block the release of their credit reports.
  California Ruling: U.D. Registry, Inc. v. California, 50 Cal. Rptr. 3d 647. California court of appeals recently held that the state security freeze law was facially constitutional, but the law could not be constitutionally enforced against a consumer reporting agency (“CRA”) that collected credit-related information regarding individuals from public records and the three nationwide CRAs.

8 Legislation: State
Security Breach Notification Laws
  Recent Effective Dates:
    December 31, 2006: Arizona.
    January 1, 2007: Hawaii, New Hampshire, Utah, and Vermont.
    January 31, 2007: Maine, as amended.
  Recent Legislation: Michigan. Effective July 3,
  Risk-based notification: Notice required unless the entity determines that the breach “has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to,” one or more residents of the state.

9 Regulation: ID Theft Task Force
  Executive Order: May 10, 2006; strategic plan
  Notice issued December 26, 2006; comments due January 19,
  Security of consumer data: Government use of SSNs; catalog private uses of SSNs; federal laws regarding data security standards and breach notice; business and consumer education.
  Preventing misuse of data: Upcoming authentication workshop.
  Victim recovery and assistance
  Law enforcement: Sweeps; training; foreign cooperation; federal laws regarding theft of corporate identity; additional aggravated identity theft.

10 Regulation: Extension of TSR Moratorium
  71 Fed. Reg. 77,634 (Dec. 27, 2006).
  FTC extends past January 2, 2007, its policy of forbearing from enforcing the call abandonment provisions of the Telemarketing Sales Rule (“TSR”) against prerecorded calls.
  “The forbearance policy should remain in effect until the conclusion of the prerecorded call amendment proceeding.”
  Reasons: Expiration of policy would effectively ban prerecorded calls; HMO reminder calls.

11 Regulation: FACT Act Update
  Accuracy study
  Credit scoring study
  Affiliate sharing study
  Upcoming rules:
    Affiliate marketing
    Red flags
    Risk-based pricing
    Furnisher requirements

12 Litigation: Harrington v. ChoicePoint
  Case No. CV (C.D. Cal., Oct. 11, 2006).
  Plaintiffs alleged that, as a result of allowing criminals posing as businesses to gain access to ChoicePoint’s data products, ChoicePoint disclosed consumer reports in violation of the FCRA.
  The court dismissed plaintiffs’ FCRA claims, holding that the data sold to the criminals was not “consumer report” data and therefore not protected under the FCRA.
  Not a “communication” of information: Most of the named plaintiffs could not produce sufficient evidence that ChoicePoint actually “communicat[ed]” the information, and the court held that the FCRA requires, “at a minimum, some act of transmission of information from one source to another.”
  Does not bear on the seven characteristics: Plaintiffs could not produce sufficient evidence showing that the information actually involved in the fraudulent searches bore on a consumer’s creditworthiness or any of the other six factors prescribed by the FCRA. Specifically, the District Court held that “the very basic demographic and identity related information contained in the initial results of [the fraudulent searches] do not meet the content standard for a consumer report envisioned by Congress when it drafted the seven-factor test.”

13 Litigation: Bell v. Acxiom
  Plaintiff April Bell (“Bell”) filed a class action against Acxiom Corporation (“Acxiom”) in the U.S. District Court for the Eastern District of Arkansas for claims from a breach of security in
  Bell alleged that Acxiom was negligent and unreasonably intruded on the privacy of the putative class members by failing to protect their personal information.
  Acxiom moved for dismissal because Bell failed to plead sufficient injury to warrant standing to sue in federal court, and the district court granted Acxiom’s motion.
  The district court concluded that the receipt of unsolicited and unwanted mail, as alleged, does not constitute actual harm that rises to an injury under Article III.
  The district court also rejected Bell’s argument that she was injured as a result of an alleged increased risk of identity theft. The district court found that Bell did not allege suffering any concrete damages; rather, Bell’s complaint requested “protection against a harm that is speculative.”
  The Secure Times (Fall/Winter 2006).

14 Enforcement: Humana Consent Order
  On October 30, 2006, the North Dakota Commissioner of Insurance (“Commissioner”) entered into a consent order with Humana Insurance Company (“Humana”) regarding two security breaches suffered by Humana in the summer of 2006 (“Consent Order”).
  The Consent Order described one incident of a theft of a laptop computer containing Humana’s customer information and another involving the discovery of a file of Humana’s customer information on a computer in a hotel.
  The Commissioner asserted that “allowing a non-affiliated entity access to” Humana’s customer information constituted a “disclosure” of that information under the Commissioner’s privacy regulations under the GLBA that apply to state-licensed insurance entities.
  However, the Consent Order was silent with respect to whether Humana’s information security program failed to satisfy the Commissioner’s information security program rules under the GLBA.
  The Consent Order effectively charges Humana with violating its own privacy policy and the state’s privacy rules—by “allowing a non-affiliated entity access to” customer information without regard to whether those customers had opted out under Humana’s policy.

15 Enforcement: Ameriprise Settlement
  On December 11, 2006, the Massachusetts Securities Division entered into a “Memorandum of Understanding” (“MOU”) with Ameriprise Financial Services, Inc. (“Ameriprise”) in connection with a security breach involving a stolen laptop.
  The MOU requires Ameriprise to audit its security controls for the use of laptop computers in home offices, including “notification procedures,” among other sanctions.
  Massachusetts has not enacted a security breach notification law.
  Under Securities and Exchange Commission Regulation S-P, investment advisers are not specifically required to notify customers about a breach of security.

16 Speakers Andrew M. Smith Andrew M. Smith is Of Counsel at Morrison & Foerster in Washington, D.C. Mr. Smith advises lenders and other financial services clients on financial privacy issues; consumer financial services issues; and state and federal laws prohibiting unfair and deceptive trade practices. Prior to joining Morrison & Foerster, Mr. Smith was at the FTC, where he directed numerous rulemaking proceedings governing, among other things, the obligations of businesses with respect to identity theft victims, the use of prescreened solicitations, the proper disposal of consumer information, and the sharing of information among affiliated companies. Mr. Smith also supervised the drafting and publication of several FTC studies of the credit reporting industry. Before his stint at the FTC, Mr. Smith was in private practice in Washington, D.C., counseling businesses on consumer financial services issues and representing clients before federal regulatory agencies and in the federal courts. Mr. Smith also served as a staff attorney and Acting Assistant General Counsel at the Securities and Exchange Commission. Mr. Smith can be contacted at or by phone: (202)

17 Bios Tom Scanlon Tom Scanlon is an associate in the Washington, D.C. office of Morrison & Foerster. Mr. Scanlon’s practice focuses on regulatory matters related to managing information about consumers, such as compliance with the FCRA, the privacy and security requirements under the GLBA, and the customer identification requirements under the USA PATRIOT Act. His practice also includes other matters involving financial products and services, including payment transactions in electronic commerce. Mr. Scanlon can be contacted at or by phone: (202)

18 Bios Joyita Basu Joyita Basu is an associate in the Washington D.C. office of Morrison & Foerster. Ms. Basu’s practice focuses on a broad range of matters involving regulatory and legislative issues for financial institutions, including financial products and services under the National Bank Act and electronic banking and payment system issues. Ms. Basu’s practice also includes matters related to privacy and data security under the GLBA, the FCRA, and the FACT Act, as well as state and federal laws prohibiting unfair and deceptive trade practices. Ms. Basu can be contacted at or by phone: (202)