Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers [...]
The Federal Trade Commission (“FTC”) recently issued a revised guidance (“Guide”) on the Red Flags Rule (“Rule”) (see “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business”). The Red Flags Rule requires certain businesses to develop, implement and administer an identity theft protection program. The purpose of this Guide is to [...]
There has been an explosion in the number and variety of mobile payment services available to consumers in the last couple of years, with new innovations and players growing exponentially. The release of the Federal Trade Commission’s (FTC) March 8, 2013 staff report, “Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments,” indicates the potential [...]
The Federal Financial Institutions Examination Council (FFIEC) has released proposed guidance on the use of social media by financial institutions, including banks, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau. The proposed “Social Media: Consumer Compliance Risk Management Guidance” (“Proposed Guidance”) defines “social media” broadly to include micro-blogging sites (like Google [...]
The FTC has issued an interim final rule to amend the Identity Theft “Red Flags Rule,” which requires certain “financial institutions” and “creditors” to develop and implement a written identity theft prevention program to identify, detect, and respond to possible incidents of identity theft. The interim rule amendment conforms the Red Flags Rule’s definition of [...]
On October 13 the Division of Corporate Finance at the US Securities and Exchange Commission issued a Disclosure Guidance that for the first time advises registrants — public companies — to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. This Guidance is likely to lead to public companies performing formal and detailed assessments of the cybersecurity risks, and may lead to shareholder litigation following data security breaches with claims that a company failed to perform the assessment and disclose the risks recommended in the Guidance for compliance with securities disclosure laws.
A financial services industry group recently released guidance on managing the risks associated with using social media such as Facebook and Twitter. The guidance, titled “Social Media Risks and Mitigation,” was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The guidance includes tips on managing numerous concerns specific to financial institutions, which are increasingly using social media in their marketing and customer relationship activities.
This blog entry provides a summary of the Hogan Lovells Chronicle of Data Protection’s recent coverage of legal developments regarding social media.
The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC’s jurisdiction to protect their customers’ nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties.
The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the “Red Flags Rule,” which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.
Comments are due December 29th on a proposal that would require banks and money transmitters to report information to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.
On October 27, the Commodity Futures Trading Commission (CFTC) issued proposed privacy and data security rules under the Gramm-Leach-Bliley Act (GLBA) and Fair Credit Reporting Act (FCRA), pursuant to the Dodd-Frank Act.
The Ninth Circuit recently reversed and remanded a district court denial of class certification in a FACTA case, making it easier for class certification even where there was disproportionality between the potential liability and the actual harm suffered, where the potential damages were huge and where defendant engaged in good faith compliance.
On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance urging banks under its supervision to ensure that they have robust written policies and procedures for the erasure or destruction of sensitive or confidential information stored in office equipment.
On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals. These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.
FTC Chairman Leibowitz: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix the problem quickly.”
April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA). Read more about it in this entry.
The Hogan & Hartson privacy lawyers are counseling clients on the use of social media, as the legal risks are significant — especially if employees use the shield of anonymity to protect their privacy but make representations on behalf of their employers without disclosing their affiliation. The FTC and FDA recently have focused on social media. And on January 25, the Financial Industry Regulatory Authority (FINRA), an industry self-regulatory organization, issued Regulatory Notice 10-6, which gives guidance to member companies on the use of blogs and social networking sites to engage in company-sponsored communications with the public.
Yesterday the financial regulatory agencies issued a model notification form for Gramm-Leach-Bliley Act consumer notices. Use of the new model form provides a “Safe Harbor” for covered entities required to provide consumer notices of data sharing practices. A link to the new form is contained within this blog entry.
The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”