Tuesday, March 24, 2009

Red Flag Rules - Deadline May 1

My colleagues Jane Shea and Gretchen Ackerman have published a new business advisory on the FTC red flag rules. I am posting it here with permission.

The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA.

The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.

Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity. However, the Program must include reasonable policies and procedures that:

identify relevant Red Flags, and then incorporate those Red Flags into the Program;
detect such Red Flags;
respond appropriately to any Red Flags to prevent and mitigate identity theft; and
ensure that the Program is updated periodically to reflect changes in risks to customers
What are the "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate. They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules.

Thus, the Guidelines provide with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program. Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories: 1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor. Examples include:

a fraud or active duty alert is included with a consumer report
a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report
a consumer reporting agency provides a notice of address discrepancy
identification documents appear to be forged
inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient
inconsistencies between personally identifying information provided and that obtained from external information sources
a new revolving credit account is used in a manner commonly associated with known patterns of fraud.
Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf. This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required.

Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages. The type and amount of damages available will depend on whether the violations are "negligent" or "willful." For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence. In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.

Sunday, March 22, 2009

EPIC Files Interesting Complaint Regarding Google Services

Earlier this month, Google sent out an email admitting to a bug (subsequently fixed) which caused some documents on Google's cloud computing services to be shared without their owners' knowledge or consent (a copy of the email can be found in this blog post). Now, the Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC asking it to investigate Google's procedures, to force Google to revise its terms of service, and to spend $5,000,000 on security research. The complaint also asks that Google be enjoined from offering cloud computing services until "safeguards are verifiably established." The complaint can be found here.

At this point, I actually don't want the complaint to succeed - at least, not to succeed in full, as I use some of the services in question, and I don't want to wait for Google to get its act together on privacy before using them again. However, while I don't want the complaint to succeed, I do think it makes for interesting reading for people who care about, but aren't familiar with, the FTC's role in protecting consumer privacy. Highly recommended reading, at least for that class of reader.

via

Sunday, March 15, 2009

PCI and the Efficacy of Self Regulation

Tucked away in the conclusion of this article is an interesting question: is the PCI Data Security Standard effective? Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me). The more interesting question is whether the PCI DSS, or any self regulation can be an effective counter to information security threats. I don't know the answer, but the article gives some indication that that answer might be no.

Of course, the article itself did not tackle the question of self regulation versus governmental oversight. The article was devoted to describing a new set of guidelines which is intended to facilitate the process of becoming PCI compliant. Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing. The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance. The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at Heartland Payment Systems. The article mentioned that a spokesman from the PCI Security Standards council had said that there wasn't anything wrong with the standards. However, if that's true, it raises a bigger question - why are the breaches still happening?

One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self regulation isn't an effective means of influencing behavior. I think that position is probably too extreme - merchants do care about the PCI DSS. However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening indicates that something needs to change. Maybe what that is is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.

Tuesday, March 10, 2009

What I wouldn't give for some time...

Actually, I know very well what I wouldn't give up for some time. I wouldn't give up my productivity at work, or my relaxing evenings with my wife. However, if I would give those things up, I could write a great blog post on proposed changes to California's security breach notification act. Instead, I'll just mention this article from Computer World, and quickly note that the proposed changes require businesses that suffer breaches to report them to a centralized authority, not just to the people whose data is compromised.

Of course, if I were writing a really good blog, post, I wouldn't just talk about the proposed changes, but instead I'd try and put them in broader context, perhaps by referring to this post from the Threat Level blog, which describes a panel discussion on whether notification laws "work". I might even have some analysis on the proper way to measure the efficacy of notification laws.

As it is though, I'm not writing that blog post, I'm writing this relatively uncreative excuse for a blog post. Oh well. On the bright side, I'm still a good lawyer by day, and I've had a nice evening with my wife.

Sunday, March 1, 2009

Facebook Content Policy

Last month, there was something of a controversy regarding the terms of service for the popular social networking site Facebook. The issue (described in this article) was that Facebook removed a statement from its terms of service that said it couldn't claim rights in original content uploaded by users after they terminated their accounts, and replaced it with a statement saying that Facebook might maintain archived copies of user content. From my perspective, this would not have seemed like a significant event. I assume that everything (including this web site) I put online is archived somewhere, whether its at the site that's hosting the content (e.g., Facebook), some external site (e.g., the internet archive), or the local computers of whoever happens to have looked at whatever I posted (e.g., blog readers). My guess is that the lawyers who recommended that Facebook make the change thought that most Facebook users were about like me, and wouldn't see the modification of the policy as a significant change.

They were wrong.

Facebook's users were outraged. They started a Facebook group (!) to protest, and it quickly signed up 88,000 members. The Electronic Privacy Information Center prepared an FTC complaint. As one user rhetorically asked: "Will I wind up seeing pictures of my niece staring at me from a bus stop at some point and be told I shoulda read the fine print?" (quote via this article).

Anyway, because of the outrage, Facebook backed down, and is now asking users to help define its policies (article here). On one hand, it's a demonstration that consumer pressure actually can have beneficial effects. On the other hand, it's a demonstration that privacy concerns crop up over the most bizarre things. For example, if someone really wants to have their niece's picture taken out of an advertisement, they can sue Facebook for making an unauthorized public display and get an injunction.* Additionally, there have been several cases where people have sued for common law torts such as libel, or false light invasion of privacy for using pictures in advertisements without the subjects' consent (e.g., Virgin, which was sued for using a picture uploaded to Flickr with the tag line "virgin to virgin" - article here). In short, the fears that led to the revolt against Facebook are one of the areas where the law does offer redress for unauthorized use of personal data. Strange that people got outraged over that, rather than something where the law offers little or no protection.

*Copyright protection subsists in any work fixed in a tangible medium of expression. 17 USC 102. That includes computer memory, which means that everything uploaded to Facebook is automatically protected by copyright.**

**Yes, there is a requirement for registration, but you can register after infringement has taken place. 17 USC 408 et seq. While there are significant advantages to registering before an infringement occurs, a discussion of those advantages is way outside the scope of this post.