SEC Issues First-Ever Guidance on Disclosure to Investors of Cybersecurity Risks

Following a request in May 2011 from Senator Jay Rockefeller (D-WVA) that the Securities and Exchange Commission advise public companies on when disclosure of cybersecurity risks to investors is mandated, on October 13 the SEC's Division of Corporation Finance issued a Disclosure Guidance that for the first time advises registrants to evaluate their cybersecurity risks and, if those risks are deemed material, to disclose them to investors. The Guidance contained this caveat:

The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Still, companies that ignore the advice from the Division of Corporation Finance and fail to assess and disclose material cybersecurity risks do so at their peril -- risking regulatory and legal action.

Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns.  The guidance, titled "Social Media Risks and Mitigation," was issued by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.

Also, while targeted at the financial services sector, the report has relevance to many other types of social media users.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

Round Up of Developments in Social Media Law

Social media has been a hot topic of late.  Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed) legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections.  Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection has covered social media developments over the past year or so, and we provide a summary of our coverage here in one place, allowing you to take stock:

For First Time, SEC Imposes Fines Based Solely on Privacy Violations

The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC's jurisdiction to protect their customers' nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties. 

ABA's Lawsuit Challenging Applicability of "Red Flags Rule" to Attorneys is Dismissed as Moot

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" -- which was defined broadly to include any business that accepts deferred payment for goods or services -- must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.  For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur and a reasonable opportunity to opt out of such use, and had not opted out.

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

Ninth Circuit Holds that Courts May Not Impose Limits on FACTA Class Certification Based on Disproportionality or the Potential for Huge Statutory Damages

This post was prepared by Neil O'Hanlon and Robert Hawk of Hogan Lovells' Los Angeles and Silicon Valley offices, respectively.

Bateman v. American Multi-Cinema, Inc.

Executive Summary

The Ninth Circuit Court of Appeals, in a class action seeking a substantial award of statutory damages under the Fair and Accurate Credit Transactions Act (FACTA), reversed the denial of class certification, holding that the lower court had abused its discretion in finding that a class action was not a superior method for adjudicating the claims.

Background

The plaintiff alleged that the defendant had violated FACTA by printing more than the last five digits of consumers' credit or debit card numbers on electronically printed receipts, and the plaintiff sought to recover on behalf of himself and other putative class members statutory damages ranging from $100 to $1,000 for each willful (knowing or reckless) violation of FACTA. The district court in Los Angeles denied class certification, finding that a class action was not the superior method of litigating the case on three grounds: (1) the disproportionality between the potential liability and the actual harm suffered, (2) the enormity of the potential damages (ranging from $29,000,000 to $290,000,000), and (3) the defendant's good faith compliance with FACTA requirements within a few weeks following the filing of the lawsuit.

Ninth Circuit's Decision

In determining that the district court had abused its discretion in denying class certification, the Ninth Circuit noted that since at least 1972 many courts had denied class certification for "proportionality" reasons, on the basis that a class action was not a superior method of adjudicating claims when the defendant's potential liability would be completely out of proportion to any harm suffered by the plaintiff. The opinion noted that this reasoning has prevailed in the vast majority of district courts within the Ninth Circuit in cases where plaintiffs sought to certify classes in FACTA lawsuits.

The Ninth Circuit distinguished contrary authority by examining congressional intent in enacting the statutory damages provision in FACTA. In particular, it determined that the statute clearly provided for an award of statutory damages upon proof of a willful violation, without any cap on such damages in the case of class actions. The Ninth Circuit presumed that statutory damages serve a compensatory function, noting that FACTA also authorized an award of punitive damages in addition to any actual or statutory damages. Apart from compensating victims, statutory damages were also found to serve as a deterrent. Most importantly, the Court found that Congress had determined that the range of $100 to $1,000 per violation was appropriate compensation, and that a district court had no discretion to depart from the specified range. In tying the hands of the district court, the Ninth Circuit noted that although Congress had amended FACTA in other respects, it did nothing to limit the availability of class relief or the amount of aggregate damages. Furthermore, the Court noted that if district courts were permitted in their discretion to decide whether a potential award would be so disproportionate to the actual harm that a class action would not be the superior method of adjudication, such "unguided discretion" would result in non-uniform decisions about class certification.

Having disposed of the disproportionality argument, the Ninth Circuit made quick work of the district court's other two grounds for denying class certification. It concluded that although certification might result in an enormous potential liability for the defendant, with the consequent pressure to settle and avoid the risk of potentially ruinous liability, this factor could not properly be considered in determining whether to certify a class in a FACTA action, in the absence of any supporting congressional intent. Furthermore, the Ninth Circuit dismissed the argument against certification that the defendant had quickly complied with the requirements of FACTA after being sued, since Congress did not include any safe harbor or otherwise limit damages on account of belated compliance.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

Regulations Imposing New Obligations on Entities Furnishing Information to Consumer Reporting Agencies Go into Effect on July 1

On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals.  These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.

What Is a CRA, and Who Is a Data Furnisher?

The regulations were issued on July 1, 2009 jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”).  Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes.  As the name suggests, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.

Accuracy and Integrity Rules and Guidelines

The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”  “Accuracy” means that information furnished about an individual correctly:

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flags rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses.

Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the agencies that issued the form impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.

FINRA Issues Guidance on Social Networking Sites

The Hogan & Hartson privacy lawyers are counseling clients on the use of social media, as the legal risks are significant -- especially if employees use the shield of anonymity to protect their privacy but make representations on behalf of their employers without disclosing their affiliation.  The FTC and FDA recently have focused on social media.  And on January 25, the Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued Regulatory Notice 10-6, which gives guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public. 

The unique nature of social networking sites and the speed and fluidity with which communications can be made to the public have presented challenges in the implementation of existing FINRA rules.  Recommendations made in the guidance include:

  • Supervising interactive communications made through social networking sites in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules or other securities laws, and instituting policies and procedures for this supervision
  • Instituting a policy prohibiting business communications by employees through social networking sites that are not subject to the company's supervision
  • Requiring employees posting content to social networking sites to undergo training
  • Establishing appropriate usage guidelines for customers and other third parties that are permitted to post on company-sponsored web sites
  • Adopting disclaimers to help ensure that third-party content posted to blogs or social networking sites is not attributed to the company
  • Monitoring third-party posts to mitigate the perception that the company is adopting the content of the post or to assist compliance with the "Good Samaritan" safe harbor for blocking and screening offensive material under Section 230 of the Communications Decency Act.

While FINRA exercises oversight of the securities industry, the recommendations in Notice 10-6 are good advice for any business that is considering communicating or marketing with consumers through social media, whether hosted by the company or on a third-party social networking site such as MySpace or Twitter.  In addition to the recommendations listed here, businesses seeking to enter the social networking space should also institute policies that ensure that their representatives don't deceive consumers and that the content posted complies with all applicable laws and regulations, such as defamation and intellectual property laws.

The fact that FINRA is looking into this issue -- in September 2009, FINRA organized a Social Networking Task Force from which these guidelines were generated -- highlights the importance of social networking as a marketing tool, along with the accompanying risks.  Other industries are also considering these issues; for example, in November 2009 the FDA held a well-attended public hearing about the use of social media as a marketing tool for FDA-regulated entities.  For more information about legal risks that can arise through business use of social networking sites and how to address these risks, check out Hogan & Hartson's recent guidance on the topic.

Agencies Issue Model GLBA Form That Provides Safe Harbor

The Gramm-Leach-Bliley Act ("GLBA") requires covered institutions to notify consumers of their information-sharing practices and inform them of their right to opt out of certain sharing practices.  For years, people have been complaining that the notices sent to consumers were dense and confusing.  Indeed, the Financial Services Regulatory Relief Act of 2006 amended GLBA to require that the financial regulatory agencies propose a succinct, comprehensible model form that would be easy to read and would allow consumers to compare easily the privacy practices of different financial institutions.

Yesterday, after a lengthy drafting process, eight federal regulatory agencies (the Board of Governors of the Federal Reserve System; the Commodity Futures Trading Commission; the Federal Deposit Insurance Corporation; the Federal Trade Commission; the National Credit Union Administration; the Office of the Comptroller of the Currency; the Office of Thrift Supervision; and the Securities and Exchange Commission) released a final model privacy notice form designed to make it easier for consumers to understand how financial institutions collect and share information about consumers.  The model form provides standardized language in easy-to-read form.

According to the FTC press release, "the agencies conducted extensive consumer research and testing in developing the model form issued today.  Then they solicited public comments and considered those comments in developing a model form that is easier for consumers to understand and use."

The final rule provides that a financial institution that chooses to use the model form obtains a “safe harbor” and will satisfy the disclosure requirements for notices.  Here is a link to the FTC announcement of the model form, which contains links to the form and the rule adopting it.

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.