FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered Red Flags Rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees, as well as certain other small businesses.
The further delay comes as FTC Chairman Leibowitz acknowledges the agency’s Rule’s shortcomings: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.”

As previously covered in the Chronicle, the last delay occurred on October 30, 2009, when the FTC announced it would not begin enforcing the rule until June 1, 2010. That delay followed the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers (for analysis of that decision, click here). It also followed the House of Representatives' unanimous passage in late October of H.R. 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule. Subsequently, in November 2009, the American Institute of Certified Public Accountants (AICPA) filed a lawsuit against the FTC challenging the applicability of the Red Flags Rule to Certified Public Accountants.

Now the Red Flags Rule is facing a new legal challenge. On May 21, 2010, the American Medical Association (AMA), the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit against the FTC in the U.S. District Court for the District of Columbia challenging the Red Flags Rule and citing the court's earlier decision regarding the applicability of the Rule to lawyers. In the latest lawsuit, these medical organizations argue that the Rule, which is applicable to financial institutions and creditors, unjustifiably "treats physician practices like banks, credit card companies and mortgage lenders."
Recently Introduced Federal Legislation May Expand Regulation of Data Brokers

The Personal Data Privacy and Security Act ("PDPSA"), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services. While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

"a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis."

PDPSA § 3(5). Entities that are already regulated under the Fair Credit Reporting Act ("FCRA"), Gramm-Leach-Bliley Act ("GLBA"), or Health Insurance Portability and Accountability Act ("HIPAA") are not subject to the data broker requirements of the PDPSA as currently drafted. See PDPSA § 201(b)(1)-(3). Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA, which is limited to information used in consumer reports.

Data Broker Provisions are Substantially Similar to the FCRA

The obligations the draft legislation places on data brokers largely mirror those contained in the FCRA. For example, under the proposed legislation, data brokers must make records containing personally identifiable information ("PII") maintained for disclosure to third parties available to consumers upon request for a reasonable fee. See PDPSA § 201(c). Such disclosures must include instructions for correcting inaccurate information. In addition, the proposed law would obligate users of data broker services to provide notice to individuals when they take any adverse action based upon data broker records. See PDPSA § 201(d). Adverse action notices would include contact information for the data broker and instructions on the steps needed to correct inaccurate information.

FTC and State Attorneys General Authorized to Pursue Civil Enforcement Actions

The draft legislation authorizes the Federal Trade Commission ("FTC") and state Attorneys General to bring civil enforcement actions against entities that violate the data broker requirements. See PDPSA § 202. The civil remedies set forth in the bill include equitable relief and monetary penalties of up to $1,000 per violation, up to a maximum of $250,000. The FTC also would be able to seek double monetary penalties for violations that are demonstrated to be willful or intentional.