Jump to Navigation | Jump to Content
American Bar Association

ABA Section of Business Law

Business Law Today

So Many Privacy Rules!
The Developing Standard of Care for Data Security and Identity Theft Protection
By Jonathan T. Rubens
With the growth in identity theft and significant security breaches in large organizations, businesses are increasingly aware of the need to adopt aggressive identity theft prevention measures and to stay current with the requirements to protect consumer privacy and safeguard consumer private information. Yet the challenge of complying with U.S. law and regulation is more complex than ever. Unlike the European Union or the Canadian privacy protection scheme, the laws of privacy protection, data security, and identity theft protection in this country do not follow a uniform set of principles or guidelines. Instead, businesses in the United States must look to a multitude of state and federal laws and regulations. U.S. federal agencies have recently increased their scrutiny of business efforts to maintain the confidentiality of protected private information and have adopted new regulations to help combat identity theft and protect private personal information.

The FACTA Red Flags Rule
Many businesses are now required to have procedures and policies in place to help combat identity theft by responding to a laundry list of "red flags" that indicate a security breach is likely, pursuant to the Red Flags Rule.

In 2007 the Identity Theft Red Flags Regulations and Guidelines were promulgated pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) by the Federal Trade Commission (FTC), the federal bank regulatory agencies (the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision), and the National Credit Union Administration to require financial institutions and other parties to develop and implement identity theft prevention measures. The final rule was effective January 1, 2008. The FTC first required covered entities to comply by November 1, 2008, and the agency then extended its deadline for enforcement to May 1, 2009.

The rule requires development and implementation of written identity theft prevention programs, which include measures for identifying, detecting, and responding to patterns, practices, or specific activities (the red flag) that could indicate identity theft. The FTC guidelines list examples of red flags falling into several categories, including

  • Alerts, notifications, and warnings from consumer reporting agencies;
  • Suspicious documents;
  • Suspicious addresses or other suspicious personally identifying information;
  • Unusual use of, or suspicious activity relating to, a covered account;
  • Notices from consumers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with covered accounts.
The identity theft prevention program to be adopted by the financial institution or other entity (a creditor—see discussion below) must contain reasonable policies and procedures to

  • Identify relevant red flags for covered accounts and incorporate those red flags into the program;
  • Detect red flags that have been incorporated into the program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
Many Businesses Subject to Rules
The Red Flags Rule applies primarily to financial institutions, but it also applies to any creditor with covered accounts. The definition of "creditor" extends to any entity that "regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit." Creditors would include finance companies, auto dealers, mortgage brokers, utility companies, and telecommunications companies. Note that acceptance of credit cards as a form of payment does not, in and of itself, make an entity a creditor.

The definition of "covered account" extends to "(1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft." The definition of "account" was deliberately not tied to financial institutions, the commentary to the final rule explains, to make clear that "covered account" will indeed extend to relationships with nonfinancial institution creditors. Thus, the rule will apply to automobile loans, mobile phone accounts, and utility accounts, along with financial services accounts such as brokerage accounts, credit card accounts, checking accounts, mortgage loans, and savings accounts.

Consumer Health Information
At the same time as businesses are trying to figure out whether they may be deemed a creditor under the Red Flags Rule, they may need to consider adopting an additional set of new policies and procedures to safeguard private health information according to a new set of rules implemented as part of the Obama administration's Recovery Act. The American Recovery and Reinvestment Act, which was signed into law on February 15, 2009, included as Title XIII the Health Information Technology for Economic and Clinical Health (HITECH) Act. This part of the Recovery Act includes provisions intended to stimulate investment in health information technology, and it also establishes a new office, the Office of the National Coordinator for Health Information Technology. This office will develop a set of standards for (1) the development and use of technologies that protect the privacy of health information, promote security, and prevent unauthorized access; (2) a nationwide health information technology infrastructure to facilitate the accurate exchange and use of health information; and (3) the use of electronic health records to improve the quality of health care, and to ensure comprehensive collection of patient demographic data. The act requires federal government administered or sponsored health care program contracts to comply with the new standards, and those businesses that regularly contract with these kinds of programs will need to scrutinize their information protection practices for compliance with these developing standards.

An Overall Data Security Policy
Yet compliance with the Red Flags Rules or the new standards to come out of the HITECH Act will be just one part of a creditor entity's or health services business's consumer privacy and data security protection obligations. And these rules can give those businesses and others further or general guidance in how to adopt best practices to protect consumer private information.

It has become clear that a business's failure to implement information security and privacy protection best practices could constitute unfair trade practices under the Federal Trade Commission Act (FTC Act). The FTC has stepped up its scrutiny of business practices in these areas, pursuant to its authorization to regulate commerce and protect consumers from unfair practices under the FTC Act. The FTC has advised that businesses generally have a duty to protect customer private information and must adopt reasonable data security measures to make sure they live up to the promises they make to consumers in their own privacy policies. A business's failure to do so could constitute an unfair trade practice subject to FTC investigation and potential prosecution.

Since 1998 the FTC has prosecuted more than 20 cases against a variety of businesses for failure to adequately protect consumer privacy. Using the authority granted to it under section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, the FTC files lawsuits against businesses "to enforce the promises in privacy statements, including promises about the security of consumers' personal information." The FTC also uses its section 5 authority "to challenge information practices that cause substantial consumer injury." Since 1999 the FTC has brought actions for violations of privacy promises against large consumer brands and operators of consumer businesses such as Microsoft, Guess, ValueClick, and TJX Companies, Inc., as well as against smaller businesses or nonconsumer-focused businesses such as CardSystem Solutions, a payment solutions provider, and Guidance Software, a security software system provider.

What Are the Standards?
But what are the standards for maintaining the security of customer data and protecting consumer private information? The FTC has not yet articulated an across-the-board standard that would apply to all business data security and privacy protection obligations. Are we moving toward a U.S. norm or baseline standard that will apply?

Business data safeguard and privacy protection obligations are not entirely new. Since 1999, financial institutions have had particular financial privacy obligations under the Financial Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Financial Services Modernization Act (GLB). The GLB Financial Privacy Rule implemented the obligation to provide consumers with written notice of the institution's information collection, usage, and sharing practices, and the Safeguards Rule required financial institutions to develop written information security plans to describe their information protection practices, including the safeguarding of nonpublic personal information of their former and current clients. Since the advent of the GLB, privacy policy and data security review and notice have become regular and ongoing components of financial institution compliance, and consumers have become used to receiving notices of privacy practices from their banks, credit card companies, and lenders.

Similarly, businesses that are medical services businesses are likely subject to the information privacy requirements and standards of the Health Information Portability and Accountability Act (HIPAA) and its Privacy Rule, which took effect in 2003. The HIPAA Privacy Rule governs the use of patient information by health insurers, certain medical service providers, and other health services-related businesses. The rule applies to "protected health information," which includes information relating to health status, provision of health care, or health care payment that can be linked to a particular individual. It requires covered entities to disclose protected health information to the relevant individual on request, and, when disclosing that information to third parties when authorized or otherwise as needed to facilitate payment or treatment, it requires the covered entities to take care only to disclose the minimum amount of the information as may be necessary. These businesses may now be considering how the new HITECH Act may affect their electronic health information storage and communication practices.

What about businesses who believe they are squarely outside the purview of the regulations directed at the financial services industry or the health care world? These businesses need to look to state regulations for a complete answer to the statutory requirements in the United States, and they now also need to consider whether they will be deemed to be creditors under the Red Flags Rule. Additional industry standards may be important, and perhaps the most important industry data security standard in the United States is the Payment Card Industry's Security Standards Council Information Data Security Standard (PCI DSS). Adopted by a consortium of the major credit card companies operating in the United States, this is a "set of comprehensive requirements for enhancing payment account data security" and was supported "to help facilitate the broad adoption of consistent security measures on a global basis." The set of standards requires all merchants (i.e., anyone accepting credit card payments) to implement the PCI DSS.

The PCI data security standards are scaled to annual transaction volume, and they are built around sets of key principles for maintaining data security best practices. Some of these key principles include maintaining firewalls around networks to secure consumer data, avoiding vendor-supplied default password systems, and implementing customized password and encryption systems, encrypting cardholder data transmissions, implementing and updating antivirus software, restricting access to cardholder data, monitoring access to network cardholder data, and implementing regular network security testing features.

While the PCI DSS is not a U.S. federal government-mandated standard, it is notable that several state government legislatures and agencies have considered amending their data breach notification laws to include liability for failure to adopt some of the safeguards the PCI DSS would require. Minnesota amended its data breach notification law in 2007 to specifically prohibit companies from retaining security codes and certain additional kinds of credit card data after processing transactions; these prohibitions mirror some of the principles outlined in the PCI DSS. The statute requires companies to reimburse credit card-issuing financial institutions for costs incurred following a data breach, and it allows financial institutions to bring private actions against merchants for noncompliance. The new Massachusetts Data Security Law, which was effective January 1, 2009, has been said to mandate PCI-like compliance for all businesses that store information pertaining to Massachusetts residents. This new statute would require businesses to encrypt consumer personal information they store, which includes name plus driver's license, credit card, or social security numbers, and it requires businesses to implement a long list of PCI-like security practices and procedures. Similarly, Nevada enacted a statute that became effective in October 2008 requiring all businesses to encrypt personal information, also defined to include name plus driver's license, credit card, or social security numbers.

An FTC-Enforced Standard of Care?
Whether or not it is complying with the current version of the payment card industry's standards or any of these new state laws, a company that processes consumer private financial information may find itself subject to FTC scrutiny and prosecution if it is not taking adequate steps to protect its network from hackers and safeguard consumer private information. The FTC has not pronounced a definitive standard of care that applies, but the Commission will look at what protection measures are reasonably available at the time in question.

In a recent prosecution, the FTC filed a lawsuit against online computer supplies and consumer electronics reseller Compgeeks.com, which operates the website www.geeks.com. A significant data breach had been reported in early 2008 after hackers had accessed sensitive data about hundreds of consumers, including names, addresses, e-mail addresses, phone numbers, and credit cards including numbers, expiration dates, and security codes. The FTC alleged that Comp-geeks routinely stored this information in unencrypted text on their computer network and "did not adequately assess whether their Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as Structured Query Language (SQL) injection attacks." Nor did the company implement simple readily available and free or inexpensive defenses to these attacks, and the company didn't even find out about the attacks for more than six months. The FTC alleged that the company violated federal law because its privacy policy falsely stated that Compgeeks uses "secure technology, privacy protection controls and restrictions on employee access to safeguard your information." Notably, the www.geeks.com site had sported a McAfee "Hacker Safe" seal at various times, although it had been removed by McAfee during 2007. The FTC settlement bars the company from making deceptive privacy and data security claims and requires them to implement and maintain a comprehensive information security program including administrative, technical, and physical safeguards. It also requires biennial security audits for 10 years from a qualified independent third-party auditor to ensure the program satisfies the settlement's requirements.

Analyzing compliance with the new Red Flags Rule, along with PCI compliance and other data security measures, should be part of an organization's regular and ongoing privacy and data security protection measures. Business executives need to work with their data security and privacy experts and counsel on an ongoing basis to conduct data security and privacy audits, review compliance with new and evolving standards and requirements, and deal with the legal consequences of a data breach and other aspects of IT and IP risks.

Additional Resources

  • The Red Flags Rule can be found on the FTC website at http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf. There are links to related materials at http://ftc.gov/opa/2007/10/redflag.shtm.

  • The PCI Data Security Standards are described and the standards can be found in full on the PCI Data Security Standards Council website at www.pcisecurity standards.org/security_standards/pci_dss.shtml.

  • The Minnesota statute is Minn. Stat. § 365E.64.

  • The Massachusetts statute is the Standards for Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 1700.

  • The Nevada statute is Nev. Rev. Stat. § 597.970, Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

  • The HITECH Act is Pub. L. No. 111-5, § 13112.

Rubens is of counsel at Bullivant Houser Bailey PC in San Francisco. His e-mail is jon.rubens@bullivant.com.

Back to Top