Minneapolis Law Firm

ALERTS, NEWS & EVENTS

COMPANY LIABLE FOR BUSINESS PARTNER’S SECURITY PRACTICES 

 

Premier Capital Lending, Inc. recently agreed to a settlement with the Federal Trade Commission (FTC) over claims that Premier violated the Safeguards Rule and the Privacy of Consumer Financial Information Rule (the “Privacy Rule”) promulgated under the Gramm-Leach-Bliley Act. According to the complaint, Premier subscribed to a credit reporting service and granted a business partner access to order credit reports on potential customers. A hacker compromised the business partner’s computer systems and was able to access hundreds of credit reports through the service. 

 

The FTC claimed that Premier violated the Safeguards Rule by failing to evaluate the business partner’s security measures and by failing to monitor the service for unusual activity by reviewing the activity reports provided by the service provider. The FTC further claimed that Premier violated the Privacy Rule because Premier did not implement procedural safeguards to protect its customers’ personal information. The FTC also claimed that Premier violated Section 5 of the FTC Act because Premier misrepresented in its privacy policy the degree to which it protected customer information. Premier will have to comply with the terms of the settlement through December 10, 2028. This settlement makes it clear that companies are liable not only for their own security measures, but also for the security measures implemented by business partners with access to private information.

 

SONY BMG PAYS $1 MILLION FOR VIOLATING COPPA 

 

The Federal Trade Commission (FTC) recently announced that Sony BMG Music Entertainment will pay penalties totalling $1 million for violating the Children's Online Privacy Protection Act (COPPA) by collecting personal information on children under the age of 13 and for violating Section 5 of the FTC Act by failing to abide by the terms of its own privacy policy. Sony BMG operated music-based websites that gathered personal information, such as names, addresses, and birthdates. Although Sony BMG’s privacy policy stated that children under 13 should only enter personal information with parental permission, it never actually solicited parental permission and, despite collecting birthdates indicating at least 30,000 users were under age 13, never restricted access to any portions of any of the websites.

 

RED FLAGS RULE ENFORCEMENT DELAYED UNTIL MAY 2009 

 

The Red Flags Rule requires any organization that holds a transaction account for a consumer to develop a security program that monitors, detects and reports on various “red flag” events that may represent identity theft. The Red Flags Rule became effective on January 1, 2008, but full compliance with the rule became mandatory on November 1, 2008. Due to general confusion around how broadly the Red Flags Rule will be enforced, the Federal Trade Commission (FTC) announced in October that it would delay enforcement of the Red Flags Rule until May 1, 2009. This enforcement delay is limited to the FTC; other federal banking organizations and the National Credit Union Association will still enforce the Red Flags Rule within their own jurisdictions. The Red Flags Rule applies to many businesses that may not classify themselves as financial institutions; therefore, any organization that maintains any sort of transactional account for its customers should plan on developing a security program to comply with the Red Flags Rule.

 

MASSACHUSETTS REQUIRES ENCRYPTION, BUT EXTENDS DEADLINE 

 

Massachusetts is among the growing number of states set to implement privacy protections for its citizens. The Standards for the Protection of Personal Information of Residents of the Commonwealth Act requires anyone collecting and storing personal information belonging to a Massachusetts resident to implement a comprehensive security system, including data encryption. Originally set to become effective on January 1, 2009, the law's compliance deadline was extended by Massachusetts to May 1, 2009, for some portions and as late as January 1, 2010, for others. The broad wording of the act seems to indicate that Massachusetts intends to try to enforce the security requirements regardless of where the offending party may be located or where the offending party may hold itself out as conducting business.

 

TEXAS LICENSING REQUIREMENTS COULD BE FAR REACHING 

 

Under the Texas Private Security Act (the “Act”), private investigation companies are subject to state licensing requirements. Under a recent amendment, the Act applies to anyone who obtains information “through the review and analysis of, and the investigation into the content of, computer-based data not available to the public”. Other states, for example Michigan, have similar laws attempting to regulate computer forensics. The Act, however, is particularly broad, and in this digital age the implications of such a broadly worded law may reach much farther than intended. A judge in Texas recently ruled that using electronic equipment to capture images of traffic violations for use in a court of law without a private investigator license is a violation of the Act. There is not much evidence to suggest the legislature intended the Act to be applied in this fashion, but Texas courts seem willing to broadly enforce the licensing requirement.

 

Contact Us 

 

If you have any comments or questions regarding this publication, or would like additional information, please contact one of the following attorneys:

 

 

Erika Koster 

612.607.7419

Patrick Midden 

612.607.7554

 

 


This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.