FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA--But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

By Ronald G. London

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify the TCPA's prior-express-consent rules for autodialed calls, prerecorded calls and text messages to cell phones. We noted that in one ruling the FCC in some respects revived a position staked out in 1992, when it originally implemented the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief that they have prior express consent to do so. Now another case extends the Osorio analysis and potentially ups the ante again.

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

 
In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether FDA v. Brown & Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter: the FTC is not the sole source of data security responsibilities for “unregulated” industries, and one way or another, data security accountability is coming.

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

 
In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security


In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme” and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

Updated Location Privacy Protection Act Introduced

 
On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Caution: Your Company's Biggest Privacy Threat is...the FTC

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.

New Guidance for Employers Conducting Background Checks

By Angela Galloway

Employers who investigate workers' criminal or credit backgrounds may want to review federal guidelines released March 10.

The joint publication of the Federal Trade Commission and the Equal Employment Opportunity Commission provides detailed guidance for employers who check into the criminal or credit histories of applicants or employees. “Background Checks: What Employers Need to Know” aims to guide employers in complying with federal laws that prohibit workplace discrimination and regulate commercial background reporting agencies.

Separate laws restricting employers’ ability to request and/or rely on such background checks have also been enacted by many states and cities, including Seattle and San Francisco.

The publication released today offers guidelines for developing policies and practices that avoid improper practices or discriminatory employment decisions. For example, the report advises:

Latest FTC Enforcement Action Reflects Agency's Intent to Focus on Emerging Market Involving the "Internet of Things"

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.

NIST Issues Draft RFI for Cybersecurity Framework

By Robert G. Scott, Jr.

Following up on the President’s February 12, 2013 Executive Order on Cybersecurity and the related Presidential Policy Directive, discussed in our last blog entry, the National Institute of Standards and Technology (NIST) has issued a draft Request For Information (RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations–including standards, guidelines, and best practices–in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure.

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

By Robert G. Scott, Jr.

On February 12, 2013, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.

FTC "Reminder" About ID Theft Red Flag Compliance

Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC's notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.
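As an added illustration (not code from the original post, from DWT, or from Life is good), the following Python shows the class of flaw the complaint describes: an order-status lookup that splices user input straight into SQL, beside the parameterized form that a "comprehensive information-security program" would require. The table layout, the sample card rows and the lookup function are constructed assumptions for this example; the only fact taken from the post is that SQL injection on a web form exposed card numbers, expiration dates and security codes.

```python
"""Added illustration of SQL injection against a retailer's order table.

Not code from the original post, DWT, or Life is good. The schema, the two
sample rows and the lookup function are constructed for this example.
"""
import sqlite3

# Constructed sample data: card details stored in the clear next to orders,
# the worst-case exposure the FTC complaint describes. (Storing the CVV at
# all is itself a problem; it is kept here only to show what a leak returns.)
ORDERS = [
    ("A1001", "alice@example.com", "4111111111111111", "12/09", "123"),
    ("A1002", "bob@example.com", "5500000000000004", "06/10", "456"),
]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1.
INJECTION = "x' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, email TEXT, card_number TEXT, "
        "expiry TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Builds the query by string concatenation, so attacker-controlled input
    is parsed as SQL syntax. Returns every row the (rewritten) WHERE matches."""
    sql = (
        "SELECT order_id, card_number, expiry, cvv FROM orders "
        "WHERE order_id = '" + order_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id):
    """Parameterized query: the driver binds the value separately from the
    statement text, so quotes in the input never become syntax."""
    sql = "SELECT order_id, card_number, expiry, cvv FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def demo():
    """Run the injection payload through both lookups.

    Returns (rows leaked by the vulnerable lookup, rows returned by the
    hardened lookup) for the same bogus order id."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    contained = lookup_hardened(conn, INJECTION)
    return len(leaked), len(contained)


if __name__ == "__main__":
    leaked, contained = demo()
    print(f"vulnerable lookup returned {leaked} card records for a bogus order id")
    print(f"parameterized lookup returned {contained} records for the same input")
```

With the sample data above, the concatenated query becomes `WHERE order_id = 'x' OR '1'='1'` and returns every stored card, while the parameterized version looks for an order literally named `x' OR '1'='1` and returns nothing. Binding parameters is the fix the decree's audit requirement is meant to catch; not retaining security codes at all removes the data the attacker was after.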

FTC Announces "Crackdown" on Do-Not-Call Violators

Posted by Ronald G. London

The Federal Trade Commission recently announced that as a result of a new crackdown by the agency on violations of the National Do-Not-Call Registry (“NDNCR”) and related provisions of the FTC’s Telemarketing Sales Rule (“TSR”), it entered several consent decrees with multiple companies totaling $7.7 million in civil penalties, with one complaint still outstanding. The FTC brought the enforcement actions against Craftmatic (purveyor of adjustable beds and mobility assistance scooters) and affiliated entities through which it conducts telemarketing, ADT for TSR-violative actions by authorized third-party dealers of its security systems, Ameriquest Mortgage Company, Guardian Communications and its prerecorded call vendor U.S. Voice Broadcasting, and Global Mortgage Funding. Each of the first four companies and their affiliated entities entered consent decrees with the government and agreed to pay substantial civil penalties (amounts provided below) and to injunctive relief prohibiting them from engaging in similar violations in the future, while the FTC’s complaint for civil penalties and injunctive relief against Global was to be filed.

FTC Changes Duration of National Do-Not-Call Registrations

Posted by Ronald London

The Federal Trade Commission today announced, through a statement by Chairman Deborah Platt Majoras and in related testimony before Congress, that it will not remove any telephone numbers from the National Do Not Call Registry (“NDNCR”), notwithstanding that it previously stated in adopting the NDNCR rules that such registrations are to last only five years. That earlier decision was the result of deliberative consideration of constitutional and statutory imperatives not to unduly interfere with legitimate telemarketing, of how long numbers remain registered on the various state do-not-call lists, and of the fact that the telephone subscriber who places a number on the list may well move or otherwise change his or her number, leaving it to be “recycled” to a new subscriber who did not initially place it on the NDNCR and may or may not want it listed. Indeed, the record at the time reflected that 16% of all phone numbers change each year, and 20% of all Americans move each year. The FTC decided that, on balance, given the needs of legitimate telemarketing, the frequency with which telephone numbers are recycled, and the fact that not everyone would want their number on the NDNCR, five years was the appropriate duration for NDNCR listings. Consumers wishing their numbers to remain on the NDNCR would have to re-register before the five-year period lapsed.

Uptick in Junk Fax Enforcement Suggests FCC May Build on Scant Agency Precedent Involving Fax Broadcasters

Posted by Ronnie London

The last several weeks at the FCC have seen a flurry of orders proposing to fine companies for sending unsolicited faxes, ranging from $4,500 to nearly $2.2 million, for a total of just over $5 million in proposed fines ($5,044,500, to be exact). In all, there have been six notices issued at the Commission level finding companies “apparently liable” for fines, and another nine issued on authority delegated to the FCC’s Enforcement Bureau. The impetus for what appears to be a sudden upswing of activity on this front is not clear, but it appears the FCC may be poised to issue potentially significant guidance on how its rules apply to “fax broadcasters.”

The REAL ID Act: The First Step Away from the Abyss?

Posted by Ronald London

First it was Maine and then Montana and Washington, and now concerns have come full circle as opponents of the REAL ID Act in the newly Democrat-controlled Senate have taken the first concrete steps toward retrenchment against adoption of a de facto national identification card. A recent floor debate over a massive immigration bill saw preservation of an amendment sponsored by Senators Baucus and Tester that would prohibit the identification cards to be required by the REAL ID Act from being mandated as the document required for employment verification. Senators Baucus and Tester, both Democrats, are both from Montana, the first state to adopt a law refusing to implement the REAL ID Act (Maine was the first to adopt a resolution opposing the law, and others have followed suit, but Montana was the first to adopt a law in this regard).

Federal Agencies to Implement Data Breach Notification Policies and Limits Use of SSNs

Posted by Charlene Brownlee

The Office of Management and Budget issued a data breach notification memorandum May 22, 2007[1] to the heads of federal executive agencies and departments exactly one year after the Veterans Affairs Department announced the largest publicly known federal government data breach.[2]

All federal agencies have 120 days to implement policies to notify individuals in the event of a breach of their personal information by the federal government. In addition, agencies must also review their collection and use of Social Security numbers and develop a plan to eliminate, within 18 months, their unnecessary collection and use of SSNs.

All the Telemarketing Enforcement Enlightenment Three-Quarters of a Million Dollars Can Buy

Posted by Ronald London

Earlier this week, the Federal Communications Commission issued a Forfeiture Order that, in fining Dynasty Mortgage, L.L.C., $748,000 for violations of the National Do-Not-Call Registry (NDNCR), instantly became one of the more notable decisions in the FCC’s relatively limited body of telemarketing enforcement case law. The decision’s importance lies primarily in the fact that it is one of the few times the FCC pursued an alleged violator all the way through the four phases of pursuing complaints against it (i.e., citation, letter-of-inquiry investigation, notice of apparent liability for post-citation violations and, finally, forfeiture order), and consequently issued legal findings and factual conclusions that offer insight on how the do-not-call rules are intended to operate in real-world practice. This is significant, because many of the FCC’s rules (and the parallel rules of the FTC) are in the form of generalized prohibitions and obligations that state what telemarketers are supposed to do, but not how to go about doing so.

Internet Adapts to Surveillance by Law Enforcement

Posted by Thomas Jeffry

Monday (May 14th) marked the deadline by which all facilities-based broadband Internet access providers and providers of interconnected VoIP (voice over Internet protocol) needed to comply with Sections 103 and 105 of the Communications Assistance for Law Enforcement Act of 1994 (CALEA), Pub. L. No. 103-414, 108 Stat. 4279. Cable modem companies, satellite Internet companies, DSL providers, and broadband-over-powerline providers join traditional telecommunications carriers in providing technology that allows law enforcement agencies to tap into email, instant messaging, web browsing logs, and other forms of electronic communications.

Can You Hear Me Now? FCC Adopts New Privacy Rules for Customer Phone Call Records

Posted by Charlene Brownlee

A password is now required if you want to get your account information from your telecommunications carrier[1] over the phone under new privacy rules approved Monday by the Federal Communications Commission (FCC).[2] If a customer does not provide a password, carriers have two options: (i) mail the information to the customer’s address of record; or (ii) call the customer at the telephone number of record.

FTC, FDIC, SEC, CFTC, NCUA, OTS, Federal Reserve and Comptroller Seek Comment on Model Gramm-Leach-Bliley Privacy Notice

Posted by Ronald London

Eight federal regulatory bodies have come together to jointly initiate a new rulemaking that seeks comment on proposed rules that would adopt a model privacy form for financial institutions to use as the notice that the Gramm-Leach-Bliley Act (GLBA) requires them to provide new customers and to existing customers on an annual basis. The GLBA requires the notice to set forth the institution’s information sharing practices and the consumer’s right to opt out of certain types of such information sharing. The notice of proposed rulemaking (NPR) is the first step in implementing Section 728 of the Financial Services Regulatory Relief Act of 2006, which amended the GLBA to require the agencies to adopt a privacy notice form that is succinct and comprehensible to consumers, allows them to compare easily the privacy practices of financial institutions, and can be easily read. 

FTC Seeks Permanent Injunction Against Phone Record "Pretexters"

Posted by Ronnie London

Whatever the role of the FCC may be with respect to “pretexting” involving personally identifiable information held by FCC regulatees, the Federal Trade Commission has served notice that the fact that such information originates with FCC regulatees, such as telecom carriers, will not impede FTC enforcement actions on grounds that deceptively obtaining and/or selling consumers’ confidential phone records without their knowledge or consent constitutes an unfair and deceptive trade practice. “Pretexting” generally involves an entity illicitly obtaining, under false pretenses, personal information from a source that possesses it for lawful purposes, then selling it to facilitate identity theft and/or for commercial profit from purchases by third parties. Last week, the FTC filed a complaint in the United States District Court for the Middle District of Florida in Orlando seeking a preliminary and permanent injunction, and restitution to the extent necessary and feasible, against Action Research Group, Inc., Eye in the Sky Investigations, Inc., and their principals, on grounds that defendants engaged in unlawful pretexting in violation of the Federal Trade Commission Act’s prohibitions on deceptive and unfair acts and practices.

Expanded Privacy Obligations for Telecom Carriers and VoIP Providers Under Consideration at the FCC

Posted by K.C. Halm

The FCC is reportedly close to issuing a decision that would modify current rules governing the use, disclosure of, and access to certain information related to telephone subscriber calling records. Current rules require telecommunications carriers to treat this information, known in the industry as customer proprietary network information (CPNI), as confidential and to limit its use and disclosure. CPNI is broadly defined to include information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service. Generally speaking this includes call detail records, call volumes, customer account information, billing information, technical information, service destination, and the service plans to which a customer subscribes. Following several high-profile pretexting cases in 2005 that led to the release of telephone subscriber records, the FCC initiated a proceeding to revisit the scope and effectiveness of its current CPNI rules.

First Official State Act Resisting Real ID Act Passes in Maine

Posted by Ronald London

Concerns regarding the Real ID Act have manifested themselves in Maine becoming the first state to express formal opposition to the federal legislation. The Real ID Act prohibits all federal agencies, starting May 2008, from accepting for any official purpose state-issued identifications unless they meet new federal standards, and effectively calls for creation of electronically readable, federally approved IDs for all individuals for purposes of air travel, banking, Social Security, and most government services. While state-issued driver licenses can be tailored to satisfy the statute, as a practical matter they would have to be re-issued in almost all cases in order to meet federal standards, which the Real ID Act gives the Department of Homeland Security the power to establish.

FTC Delays End-Date of Temporary "Safe Harbor" for Prerecorded Telemarketing

Move May Signify Little, But May Be Ray of Hope for Marketers

Posted by Ronald London

The Federal Trade Commission issued a pre-holiday announcement that it would extend its forbearance from enforcing provisions of its Telemarketing Sales Rule (“TSR”) that strictly regulate use of automated prerecorded messages to market goods and services or to solicit charitable donations. As reported in the recent posting here, the FTC proposed in October to modify the TSR to make clearer that even prerecorded messages permitted under Federal Communications Commission rules that parallel the TSR are prohibited by the FTC unless the caller has obtained the express agreement, in writing, of the call recipient for placement of the prerecorded call. This represented a 180-degree shift by the FTC, which previously had proposed to reconcile its rule with the FCC’s under a multi-part “safe harbor” that would have allowed prerecorded sales and solicitations.

FTC Extracts Settlement from Home Loan Telemarketers for Do-Not-Call Violations

Posted by Ronald London

The Federal Trade Commission announced that it has reached a settlement with mortgage services company USA Home Loans Inc., and its telemarketer USA First Investment Group, Inc., over alleged violations of the agency’s Telemarketing Sales Rule (“TSR”) relating to calls made to individuals on the National Do-Not-Call Registry (“NDNCR”). The two companies and their principals agreed to more than $500,000 in civil penalties, all of which are suspended except for $53,000 to be paid by USA Home Loans, and to an injunction prohibiting them from engaging in future violations of the NDNCR rules. The settlement resolves allegations that the companies called consumers whose telephone numbers appear on the NDNCR, and that they placed the calls without paying the required annual fees for NDNCR access.

FTC Opts to Perpetuate Inconsistency in FCC and FTC Prerecorded Telemarketing Rules

Decision Effectively Seeks to Trump FCC Rule and Would Ban Prerecorded Telemarketing by Entities Subject to the FTC Jurisdiction

Posted by Ronald London

Two years after the Federal Trade Commission sought comment on a proposal to reconcile parts of its Telemarketing Sales Rule ("TSR") that appeared to prohibit all prerecorded message telemarketing with Federal Communications Commission rules that permit such calls in some circumstances, the FTC has pulled an about-face and decided not only not to harmonize the rules, but to propose a new rule specifically underscoring a more stringent FTC prohibition. In taking pains to chart a more restrictive course notwithstanding what FCC rules permit, the FTC stated that, “While regulatory uniformity may be a laudable goal, it is not a sufficient basis for conforming [our rules] to the FCC’s regulations,” especially since “compliance with the more restrictive” TSR prohibition “does not violate FCC regulations.” The proposed change would mean that all telemarketers within the FTC’s jurisdiction – which does not reach banks, credit unions, savings and loans, common carriers, non-profit organizations, and those engaged in the business of insurance – would be prohibited from using prerecorded messages that are part of a plan, program or campaign to induce purchases of goods or services or charitable contributions, even if FCC rules otherwise would permit the call.

Consumer Groups Oppose Proposed House Data Security Bill

Posted by KM Das

Consumers Union, the U.S. Public Interest Research Group, the Consumer Federation of America, the Center for Democracy and Technology, Consumer Action, and the Privacy Rights Clearinghouse have joined together to write to the leadership of the U.S. House of Representatives to express their dissatisfaction with H.R. 3997, the Financial Data Protection Act. Although a vote on H.R. 3997 has now been postponed until at least September and possibly until after the November elections, the letter from the consumer groups highlights yet again two things: Congress’s inability to pass a data breach notification and/or data security bill more than seventeen (17) months after the ChoicePoint data breach, and the concerns that consumers have about preemption of state laws that are seen as offering stronger protections and rights to consumers.

Update on FCC Oversight of Data Brokers, Pretexters, Etc.

Posted by Ronald London

This week’s output at the Federal Communications Commission included several outgrowths of concerns that started to evolve last year (as reported on DWT's Privacy & Security Law Blog) regarding the apparent availability to third parties of sensitive phone records and other related data online and elsewhere. The records at issue often involve “customer proprietary network information” (or “CPNI”) such as data relating to the quantity, type, destination, location and/or amount of use of telecommunications services by subscribers, which becomes available to the subscriber’s carrier solely by virtue of the subscriber's status as a customer. The data also can include potentially identifying information such as phone numbers, addresses, and other data. The Commission began looking into the matter late last year. In early 2006 it issued subpoenas to a number of online data brokers, and it investigated and/or issued notices of apparent liability (“NALs”) proposing fines against several telecommunications providers with respect to their submission to the FCC – or lack thereof – of certifications of compliance with federal CPNI rules and statutes.

FTC Cracks Down on "Unscrubbed" Telemarketing Lead Lists

Posted by Ronald G. London

The Federal Trade Commission announced a $50,000 settlement with Executive Financial Home Loan Corp., d/b/a Executive Home Loan, and its principals, arising out of the company’s use of “lead lists” purchased from third-party brokers that Executive believed had been “scrubbed” of phone numbers on the National Do-Not-Call Registry (“NDNCR”). The FTC alleged that use of the lists in reliance solely on a vendor’s claims that they had been scrubbed against the NDNCR, which resulted in calls to “tens of thousands of consumers” registered with the NDNCR, together with the company’s failure to pay NDNCR fees, violated FTC telemarketing rules. In announcing the settlement, the FTC stated that its “bottom line” is that “telemarketers are responsible for complying with the Do Not Call provisions of the Telemarketing Sales Rule, and cannot hide behind the claims of their service providers,” such that if they “purchase a scrubbed list, they better make sure that it is current and squeaky clean or else they may be violating the law and subject to penalties.” Significantly, the actual monetary judgment entered against the company was $1,138,551, but all but $50,000 was suspended due to an inability to pay.

Challenge to Federal Government's Secret Law Requiring Airline Passengers to Show ID is Heading to the U.S. Supreme Court--A Blog on the Case is Announced

Posted by Thomas R. Burke

John Gilmore is taking a fascinating secrecy case to the United States Supreme Court. Gilmore sued the federal government several years ago to challenge what remains secret today: the requirement that passengers show ID before they travel on airplanes and other forms of transportation in America.

Lawyers as "Service Providers" Under the Gramm-Leach-Bliley Act

Posted by Peter Mucklestone and Stuart Louie

Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations the GLBA imposes on financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass'n v. Federal Trade Comm'n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. Cir. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.

Our National Privacy Officers

Posted by Lance Koonce

Today's Wall Street Journal contains an article about the new civil-liberties protection officer for the U.S. Office of the Director of National Intelligence, Alex Joel. Joel was recently appointed to this new position, which observers say was created to assuage privacy concerns relating to U.S. intelligence efforts, in particular the NSA's heavily criticized surveillance program (see prior entries here, here, here and here). Other privacy posts have been created at other agencies as well, including the Justice Department. As an aside (or maybe not), Mr. Joel sees no problem with the NSA program from a privacy perspective.

FCC Completes Rulemaking to Implement Junk Fax Prevention Act of 2005

Posted by Ronald G. London

The Federal Communications Commission has completed its rulemaking to adopt regulations codifying the "established business relationship" or "EBR" exemption to the federal prohibition on unsolicited facsimile advertisements in the Telephone Consumer Protection Act (TCPA). The codification was necessary under the Junk Fax Prevention Act, which mandated that the FCC reinstate the "EBR exemption" the agency announced it would eliminate in 2003 (after it had been in effect since 1992) in favor of requiring prior written consent for unsolicited fax ads. The new rules create a new "do-not-fax" regime for unsolicited advertisements whereby those who send such faxes must maintain an internal list of recipients who "opt out" of further faxes from the sender.

"Hey, I Really Paid $6 million for that Ramones T-Shirt"

Posted by Merrill Baumann

Apparently eBay subsidiary PayPal is used for a lot more than facilitating the purchase of commercial oddities online. At least that's what the IRS thinks. Earlier this week a U.S. District Court in California issued a summons requested by the IRS for account information relating to PayPal money transfers involving financial institutions in more than 30 countries used as tax havens.

The IRS explains that PayPal is simply another mechanism used by creative Americans to stash money overseas and avoid tax liability. PayPal is currently "evaluating [its] options" in light of its privacy obligations. While perhaps not quite as sexy as a request for sensitive information under the Patriot Act, it nevertheless will be interesting to see whether PayPal will try to challenge the IRS' well-known broad subpoena powers.

Federal Regulators Issue Report on Improving Financial Privacy Notices for Consumers

Posted by Stuart Louie

In the wake of the Gramm-Leach-Bliley Act (GLBA) requiring financial institutions to provide their customers with certain notices about their privacy policies and practices, federal regulators observed that such privacy notices were often too lengthy, dense in content, and contained complex language such that most consumers neither read nor understood them. In response to these observations, six federal agencies tasked with enforcing the GLBA (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission) initiated a multi-phase project to explore the development of a prototype financial privacy notice that would be easier for consumers to understand and use. The report entitled "Evolution of a Prototype Financial Privacy Notice," which was prepared by the Kleimann Communication Group, was released on March 31, 2006.

FTC Retains Children's Online Privacy Protection (COPPA) Rule

Posted by Peerapong Tantamjarik

On March 8, 2006, the Federal Trade Commission announced that it decided to retain, without changes, the regulations implementing COPPA, a federal law enacted in 1998 to better protect children's personal information on the web. Generally, COPPA applies to operators of websites and online services directed to children under 13 years of age that also collect personal information from children. COPPA requires such operators to adhere to a clear set of standards such as posting a privacy policy and a link to the policy everywhere personal information is collected; provide notice to parents and in most instances, obtain verifiable parental consent before collecting any child's personal information; provide parents access to their child's information and control over deletion of the information; and maintain the confidentiality, security, and integrity of the personal information collected from children.

Whither California's Strict New "Junk Fax" Law?

Posted by Ronald G. London

A federal court judge in Sacramento has issued a declaratory ruling that the federal Telephone Consumer Protection Act ("TCPA") preempts a new California law, slated to take effect the first of this year, to impose stricter regulations on unsolicited advertisements via facsimile by trumping an exception for faxes sent pursuant to an established business relationship ("EBR") codified by Congress in last year's Junk Fax Prevention Act. The decision renders new Section 17538.43 of California's Business and Professions Code - which has never taken effect due to a provisional stay the court issued late last year - effectively unenforceable against interstate commercial faxes sent into California from outside the state. It also throws into doubt the law's remaining vitality with respect to intrastate faxes.

FTC Targets "Substantial Assistance and Support" and "Assisting and Facilitating" in National Do-Not-Call Registry Enforcement Actions

Crackdown includes $5.34 Million Settlement with DirecTV

Posted by Ronald London

Recently, two FTC announcements that it settled charges involving alleged violations of its rules surrounding the National Do-Not-Call Registry ("NDNCR") offered insight into the extent to which the agency pursues not just those who directly violate consumers' do-not-call rights, but also all parties substantially involved in the offending activity. The cases involve the largest civil penalty ever in any enforcement action involving consumer protection laws administered by the FTC, and the first case of anyone paying a civil penalty for allegedly violating the "assisting and facilitating" provision in the agency's telemarketing rules.

Groups Encourage the Department of Health and Human Services to Adopt More Stringent Standards for Parent Locator Services Databases

Posted by K.M. Das

The Electronic Privacy Information Center ("EPIC"), the Privacy Rights Clearinghouse (PRC), and the World Privacy Forum (collectively "Groups") have filed comments with the Department of Health and Human Services (HHS) encouraging HHS to adopt more stringent standards to control access to and accuracy of State Parent Locator Service ("PLS") databases. The Groups filed their comments in response to HHS's notice of proposed rulemaking ("NPRM") on the issue of "State Parent Locator Service; Safeguarding Child Support Information" (70 Fed. Reg. 60038 (Oct. 14, 2005)).

FCC Commences Rulemaking to Implement Junk Fax Prevention Act of 2005

Posted by Ronald London

The recent adoption of an Order and Notice of Proposed Rulemaking ("NPRM") by the Federal Communications Commission to implement the Junk Fax Prevention Act of 2005 appears to drive the final nail into the coffin of the abortive FCC effort to tighten its "junk fax" rules by eliminating the exception for faxes to recipients with whom the sender has an "established business relationship," i.e., an "EBR." The action is the first step toward realization of Congress's reversal of an FCC decision that critics said would undermine, among other things, the vitality of faxes as a business-to-business tool and as a means for associations to communicate with their members. In the most immediate term, the significance of the FCC's action is that the Order indefinitely suspends the effectiveness of a rule the FCC adopted in 2003 (which has been stayed since its adoption and thus never has taken effect) to require prior written consent for all unsolicited fax advertisements.

This Just In! Lawyers are not "Financial Institutions" and Congress has not Hidden any Elephants in a Mousehole!

Posted by Bruce Johnson

On December 6, 2005, the United States Court of Appeals for the District of Columbia Circuit affirmed the ruling of the U.S. District Court for the District of Columbia that lawyers who are merely practicing law are not subject to the privacy provisions of the Gramm-Leach-Bliley Act ("GLB"). The D.C. Circuit agreed with the district court's conclusion that the Federal Trade Commission's (FTC) attempt to regulate the practice of law under the Act fell outside its statutory authority.

Seventh Circuit Breaks with Other Appeals Courts to Find Federal Jurisdiction for Consumer Junk Fax Suits

Posted by Ronald London

The U.S. Court of Appeals for the Seventh Circuit, which sits in Chicago and encompasses Illinois, Indiana and Wisconsin, recently issued a decision in Brill v. Countrywide Home Loans, Inc., No. 05-8024, holding that federal courts may hear lawsuits arising out of consumer claims for redress under the Telephone Consumer Protection Act ("TCPA"), which regulates unsolicited commercial faxes and phone calls. The Seventh Circuit breaks with six other federal courts of appeal that have held jurisdiction over such consumer claims lies exclusively in state court and cannot be lodged in or removed to federal court. The Seventh Circuit decision is significant in that it creates the kind of "split" among circuits that often forms the basis for the Supreme Court to exercise discretionary review, and because it is the first federal appeals court TCPA decision that post-dates the Class Action Fairness Act of 2005.

FTC Targets Spyware

Posted by Ronald London

The Federal Trade Commission has reported to Congress that spyware and other "malware" downloaded to consumers' computers without their consent is a serious and growing problem that harms consumers and the Internet, in testimony that coincided with new enforcement action the agency brought alleging a company distributed file-sharing programs that included spyware. In testimony before the Senate Commerce Committee's Subcommittee on Trade, Tourism, and Economic Development, FTC Chair Deborah Majoras stated that spyware causes problems that range from sluggish computer performance to lost personal data, and that the FTC has active programs targeting spyware concerns, including law enforcement initiatives. The testimony comes as Congress has before it several bills that would regulate spyware at the federal level.

The Federal Government Updates its Guide to Federal Privacy Act -- and It's Free!

Posted by Tom Burke

Said to be "one of the most widely read congressional committee reports in history," this manual explains how to use the federal Freedom of Information Act and the federal Privacy Act of 1974 to request records from the federal government. It includes practical forms. It is one of the most useful items the federal government publishes, and was last updated in 2003.

Secure Flight Will Not Use Commercial Databases

Posted by Brian Bennett

The Transportation Security Administration ("TSA") has scrapped plans to use commercial data to check the identities of airline passengers in "Secure Flight," the government's proposed passenger prescreening system. As envisioned by the TSA, Secure Flight would be used by the government to compare passenger name records against information compiled by the Terrorist Screening Center, including "no fly" lists. The TSA would also use Secure Flight to detect suspicious travel behavior. The TSA intended to use information collected in commercial databases, such as data related to drivers and credit history, to verify the accuracy of information provided by travelers. Shortly after the TSA made the decision not to use commercial data, a working group of experts appointed by the TSA issued a confidential report on September 19, 2005, that criticized the privacy impacts of the Secure Flight program.

Bruce Schneier, who was one of the members of the working group that released the report, further discusses these issues on his blog.

What Does Sarbanes-Oxley Have To Do With Information Security?

Although it has a high profile in corporate America, the Sarbanes-Oxley Act has not been at the center of discussions about the need for corporations to adopt appropriate information security measures. However, a recent article in the August 29th, 2005 issue of the National Law Journal by well-known Chicago trade secrets lawyer R. Mark Halligan persuasively suggests that "... directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets," and that this represents a "sea change" in the law.

Free Consumer Credit Reports Finally Available to All

The Fair Credit Reporting Act's guarantee of free credit reports took full effect on September 1. The links to the website, previously blocked, are now fully accessible, and reports for residents of states in the eastern US have finally been made available. Persons may obtain one free report each year from each of the three major credit reporting agencies. For additional information, you may also visit EPIC's Fair Credit Reporting Act Page.

Posted by Merrill Baumann

Divided Fourth Circuit Upholds FTC Do-Not-Call Rules for Telefunders

Last Friday, the United States Court of Appeals for the Fourth Circuit in Richmond, Va., issued a split 2-1 decision in National Federation of the Blind v. FTC that affirmed a Maryland federal court decision upholding the Federal Trade Commission's rules applicable to calls by for-hire telemarketers on behalf of non-profit entities. The National Federation of the Blind and Special Olympics of Maryland had challenged the rules on constitutional and other grounds, including that they violate the First Amendment and exceed the FTC's statutory authority.

Agencies' Data Mining Efforts Criticized for Privacy Failures

In a recent report to a subcommittee of the Committee on Homeland Security and Governmental Affairs on data mining (i.e., the extraction of pertinent information from large volumes of data), the Government Accountability Office concluded that none of the five agencies the GAO audited "followed all the key procedures" for the protection of personal information. The particular agency projects were chosen for review in part because they involved one of the following goals: (1) analysis of intelligence and detection of terrorist activities; (2) detection of criminal activity; (3) identification of fraud, waste or abuse; or (4) efforts to improve service or performance.

Homeland Security Pushes Changes to Secure Flight Program

As reported previously, on July 22, 2005, the Government Accountability Office issued a report stating that the Transportation Security Administration (TSA) violated the Privacy Act during testing of the Secure Flight program by exceeding the scope and objectives of the commercial data testing described in their Public Disclosure Notices. Despite this violation, the Department of Homeland Security (DHS) is proposing changes to next year's homeland security funding bill that would allow the Secure Flight program to use background checks and profiling to help determine if an airline passenger is a terrorist, even if he or she is not on a terror watch list. The proposal would also allow the Secure Flight program to be implemented in U.S. airports after approval by the Head of DHS (the current bill requires independent congressional investigators to evaluate it).

Posted by Brian Bennett

FCC Rules that Broadband and VoIP Providers Must Accommodate Wiretaps

The FCC has issued a press release announcing that it will now require certain providers of broadband and Voice-over-Internet Protocol (VoIP) services to build backdoors into their networks to accommodate law enforcement wiretaps.

Fixing the FCC's Fax Faux Pas

It may have taken the better part of two years, but Congress and President Bush, by respectively passing and signing the Junk Fax Prevention Act of 2005 to make it law last month, reversed the 2003 change in Federal Communications Commission "junk fax" rules that otherwise would have required businesses to obtain written permission from recipients before sending unsolicited fax advertisements. Under the new law and rules the FCC will adopt to implement it, companies instead will be required to maintain and honor an in-house "do-not-fax" list, similar to the internal "do-not-call" list businesses that telemarket must keep, and must refrain from sending unsolicited commercial materials to recipients who have opted out of receiving such faxes.

Wi-Fi Spectrum Battle at Airports: Safety or Profits at Stake?

A simmering battle between airport authorities and airlines over management of wireless networks has boiled over at Logan International Airport in Boston, and the FCC has been asked to intervene.

The dispute stems from a Continental Airlines program that provides free wi-fi service to passengers in its President's Club lounges. While some airport authorities also provide free wi-fi within passenger terminals, at Logan travelers must pay a daily fee of $7.95 for the service. Continental frequent fliers, however, can step into the airline's lounge and avoid that fee.

The Risks of Unencrypted Data Transmission

Business managers responsible for data security may be investigating what they can do to avoid the fate of BJ's Wholesale Club. The Federal Trade Commission issued a complaint against BJ's for failing to safeguard data regarding credit and debit cards that BJ's customers used at its stores. The FTC alleged that BJ's lax security, which included BJ's transmission of unencrypted payment card data within its stores over WiFi systems, was an unfair practice.
