Regulations Imposing New Obligations on Entities Furnishing Information to Consumer Reporting Agencies Go into Effect on July 1

On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals.  These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.

What Is a CRA, and Who Is a Data Furnisher?

The regulations were issued on July 1, 2009, jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”).  Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes.  As the name suggests, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.

Accuracy and Integrity Rules and Guidelines

The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”  “Accuracy” means that information furnished about an individual correctly:


FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses.

Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the above agencies impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.

FINRA Issues Guidance on Social Networking Sites

The Hogan & Hartson privacy lawyers are counseling clients on the use of social media, as the legal risks are significant -- especially if employees use the shield of anonymity to protect their privacy but make representations on behalf of their employers without disclosing their affiliation.  The FTC and FDA recently have focused on social media.  And on January 25, the Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued Regulatory Notice 10-6, which gives guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public. 

The unique nature of social networking sites and the speed and fluidity with which communications can be made to the public have presented challenges in the implementation of existing FINRA rules.  Some recommendations made in the guidance include:

  • Supervising interactive communications made through social networking sites in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules or other securities laws, and instituting policies and procedures for this supervision
  • Instituting a policy prohibiting business communications by employees through social networking sites that are not subject to the company's supervision
  • Requiring employees posting content to social networking sites to undergo training
  • Establishing appropriate usage guidelines for customers and other third parties that are permitted to post on company-sponsored web sites
  • Adopting disclaimers to help ensure that third-party content posted to blogs or social networking sites is not attributed to the company
  • Monitoring third-party posts to mitigate the perception that the company is adopting the content of the post or to assist compliance with the "Good Samaritan" safe harbor for blocking and screening offensive material under Section 230 of the Communications Decency Act.

While FINRA exercises oversight of the securities industry, the recommendations in Notice 10-6 are good advice for any business that is considering communicating or marketing with consumers through social media, whether hosted by the company or on a third-party social networking site such as MySpace or Twitter.  In addition to the recommendations listed here, businesses seeking to enter the social networking space should also institute policies that ensure that their representatives don't deceive consumers and that the content posted complies with all applicable laws and regulations, such as defamation and intellectual property laws.

The fact that FINRA is looking into this issue -- in September 2009, FINRA organized a Social Networking Task Force from which these guidelines were generated -- highlights the importance of social networking as a marketing tool, along with the accompanying risks.  Other industries are also considering these issues; for example, in November 2009 the FDA held a well-attended public hearing about the use of social media as a marketing tool for FDA-regulated entities.  For more information about legal risks that can arise through business use of social networking sites and how to address these risks, check out Hogan & Hartson's recent guidance on the topic.

Agencies Issue Model GLBA Form That Provides Safe Harbor

The Gramm-Leach-Bliley Act ("GLBA") requires covered institutions to notify consumers of their information-sharing practices and inform them of their right to opt out of certain sharing practices.  For years, people have been complaining that the notices sent to consumers were dense and confusing.  Indeed, the Financial Services Regulatory Relief Act of 2006 amended GLBA to require that the financial regulatory agencies propose a succinct, comprehensible model form that would allow consumers to compare easily the privacy practices of different financial institutions, and one that would be easy to read.

Yesterday, after a lengthy drafting process, eight federal regulatory agencies (the Board of Governors of the Federal Reserve System; the Commodity Futures Trading Commission; the Federal Deposit Insurance Corporation; the Federal Trade Commission; the National Credit Union Administration; the Office of the Comptroller of the Currency; the Office of Thrift Supervision; and the Securities and Exchange Commission) released a final model privacy notice form designed to make it easier for consumers to understand how financial institutions collect and share information about consumers.  The model form provides standardized language in easy-to-read form.

According to the FTC press release, "the agencies conducted extensive consumer research and testing in developing the model form issued today.  Then they solicited public comments and considered those comments in developing a model form that is easier for consumers to understand and use."

The final rule provides that a financial institution that chooses to use the model form obtains a “safe harbor” and will satisfy the disclosure requirements for notices.  Here is a link to the FTC announcement of the model form, which contains links to the form and the rule adopting it.

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.