COMPANY LIABLE FOR BUSINESS PARTNER’S SECURITY PRACTICES
Premier Capital Lending, Inc. recently agreed to a settlement with the Federal Trade Commission (FTC) over claims that Premier violated the Safeguards Rule and the Privacy of Consumer Financial Information Rule (the “Privacy Rule”) promulgated under the Gramm-Leach-Bliley Act. According to the complaint, Premier subscribed to a credit reporting service and granted a business partner access to order credit reports on potential customers. A hacker compromised the business partner’s computer systems and was able to access hundreds of credit reports through the service.
SONY BMG PAYS $1 MILLION FOR VIOLATING COPPA
RED FLAGS RULE ENFORCEMENT DELAYED UNTIL MAY 2009
The Red Flags Rule requires any organization that holds a transaction account for a consumer to develop a security program that monitors, detects and reports on various “red flag” events that may represent identity theft. The Red Flags Rule became effective on January 1, 2008, but full compliance with the rule became mandatory on November 1, 2008. Due to general confusion around how broadly the Red Flags Rule will be enforced, the Federal Trade Commission (FTC) announced in October that it would delay enforcement of the Red Flags Rule until May 1, 2009. This enforcement delay is limited to the FTC; other federal banking organizations and the National Credit Union Association will still enforce the Red Flags Rule within their own jurisdictions. The Red Flags Rule applies to many businesses that may not classify themselves as financial institutions; therefore, any organization that maintains any sort of transactional account for its customers should plan on developing a security program to comply with the Red Flags Rule.
MASSACHUSETTS REQUIRES ENCRYPTION, BUT EXTENDS DEADLINE
Massachusetts is among the growing number of states set to implement privacy protections for its citizens. The Standards for the Protection of Personal Information of Residents of the Commonwealth Act requires anyone collecting and storing personal information belonging to a Massachusetts resident to implement a comprehensive security system, including data encryption. Originally set to become effective on January 1, 2009, Massachusetts extended the compliance deadline for some portions of the law to May 1, 2009 and as late as January 1, 2010 for others. The broad wording of the act seems to indicate that Massachusetts intends to try to enforce the security requirements regardless of where the offending party may be located or where the offending party may hold itself out as conducting business.
TEXAS LICENSING REQUIREMENTS COULD BE FAR REACHING
Under the Texas Private Security Act (the “Act”), private investigation companies are subject to state licensing requirements. Under a recent amendment, the Act applies to anyone who obtains information “through the review and analysis of, and the investigation into the content of, computer-based data not available to the public”. Other states, for example Michigan, have similar laws attempting to regulate computer forensics. The Act, however, is particularly broad, and in this digital age the implications of such a broadly worded law may reach much farther than intended. A judge in Texas recently ruled that using electronic equipment to capture images of traffic violations for use in a court of law without a private investigator license is a violation of the Act. There is not much evidence to suggest the legislature intended the Act to be applied in this fashion, but Texas courts seem willing to broadly enforce the licensing requirement.
This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.