Federal Reserve Official Testifies Before Congress on Mobile Financial Services

On March 29, 2012, Director of the Federal Reserve’s Division of Consumer and Community Affairs Sandra Braunstein testified before the Senate Banking Committee on consumers’ use of mobile financial services.  Ms. Braunstein distinguished between “mobile banking,” which is a consumer’s use of a mobile device to interact with a financial institution, including checking balances and transferring funds, and “mobile payments,” which are purchases, bill payments, charitable donations, or payments to other persons using a mobile device.  After making this distinction, she referred to the Federal Reserve’s recent survey of consumers’ adoption of mobile banking and mobile payments.

The survey found that the most common reasons for consumers not adopting mobile banking were satisfaction with traditional banking services and concerns over security, including potential hackers and the perceived inadequacy of existing technology.  Consumers do not use mobile payments because of security concerns and because traditional payment forms such as cash or credit card can be regarded as being simpler or easier to use. 

These findings highlight the progress depository institutions must make to advance consumers’ use of mobile financial services: namely, enhance information security technology and inform consumers of the effectiveness of such technology.  Indeed, the survey concludes that “consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption.  If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

New PCI Council Chairman Establishes Mobile Payments as Top Priority for 2012

Newly-appointed chairman of the PCI Security Standards Council, Michael Mitchell, recently reiterated the importance of data security for mobile payments technology and the Council’s priority in studying and advising the industry on such technology.  Chairman Mitchell pointed out the sharp increase in mobile payments but also a lag in security technology protecting such payments.  “The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security.”

In June 2011, the Council, through a Mobile Working Group, released guidance analyzing mobile payment applications and validating such applications within the Payment Application Data Security Standard (PA-DSS).  The working group will next turn its attention to releasing best practice guidance for mobile payments.  As we covered in a previous post, the FTC also recently announced it would host a workshop on April 26, 2012, to discuss mobile payments.

FTC Raises Fair Credit Reporting Act Concerns with Background Screening Application Marketers

On February 7, 2012, the Federal Trade Commission sent letters to six marketers of mobile applications that provide background screening services.  The applications, including “Police Records,” “Criminal Pages,” and “Locate Anyone,” provide criminal record histories that, if used for employment or other Fair Credit Reporting Act (FCRA)-related purposes, may subject the marketers to treatment as a “consumer reporting agency” for purposes of the FCRA.

A consumer reporting agency is a company that assembles or evaluates information relating to consumers for the purpose of furnishing “consumer reports” to third parties.  Consumer reports include information that relates to an individual’s character, reputation, or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes.  It follows that if a company provides criminal background information to employers about prospective or current employees, the company is a consumer reporting agency because the information pertains to the employees’ character, reputation, or personal characteristics.  The definitions in the FCRA are broad and may encompass many companies that are unaware their services fall within the scope of the statute.

The FTC’s letters do not take a position with respect to the marketers’ applications but encourage the marketers to review their applications and policies and procedures in light of the FCRA.

U.S. Supreme Court Rules CROA Does Not Override Arbitration Clauses

On January 10, the U.S. Supreme Court ruled in CompuCredit Corp. et al. v. Wanda Greenwood et al. that the Credit Repair Organizations Act (“CROA”) does not override arbitration clauses in agreements between consumers and credit repair organizations.  The CROA prohibits credit repair organizations (i.e., companies that seek to improve a consumer’s credit history or provide financial counseling regarding a consumer’s credit history) from making false or misleading statements with respect to a consumer’s credit history or the company’s services, requires credit repair organizations to memorialize the services to be provided to a consumer in a written agreement that contains certain disclosures, and gives a consumer the right to cancel a contract with a credit repair organization.  The CROA is subject to enforcement by the Federal Trade Commission, state attorneys general, and private litigants.

In CompuCredit Corp., the plaintiffs alleged that CompuCredit violated the CROA by representing to consumers that its credit card could be used to rebuild poor credit histories.  The plaintiffs sought to invalidate an arbitration clause in CompuCredit’s card agreement based on language in the CROA requiring a credit repair organization to inform consumers of their right “to sue a credit repair organization that violates the [CROA].”  The Court held that such language was too “obtuse” to invalidate arbitration clauses, relying on the general preference for the enforceability of arbitration clauses grounded in the Federal Arbitration Act and applicable Court precedent.

FFIEC Authentication Guidance to be a Hot Topic in 2012

Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance.  The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking.  Starting this year, FFIEC information technology examinations will include reviews for compliance with the supplement. 

A study released by Guardian Analytics suggests that institutions are moving towards compliance with the supplement but may not be completely prepared for FFIEC IT examinations to be conducted in 2012.  The Guardian Analytics study polled executives at 100 U.S.-based financial institutions in November 2011.  The study found that 43 percent of institutions had not yet completed a risk assessment of online banking, and 41 percent had not developed a plan for addressing online banking security gaps.  Further, 22 percent of institutions had not reviewed the FFIEC supplement.  It is expected that the supplement will be a hot topic throughout 2012 as FFIEC IT examinations reveal the agencies’ stance on the supplement as well as institutions’ compliance with the supplement.    

PCI Council Opens Feedback Period for PCI-DSS and PA-DSS Versions 2.0

On Tuesday, the Payment Card Industry Security Standards Council announced that it was opening the formal feedback period for versions 2.0 of the Payment Card Industry Data Security Standard (“PCI-DSS”) and Payment Application Data Security Standard (“PA-DSS”), which were issued in October 2010 and will be the only versions in effect once versions 1.2.1 are officially retired on December 31, 2011.  The Council traditionally opens the feedback period for PCI-DSS and PA-DSS one year after issuance in order to give the payment community time to formulate comments based on experience.  Stakeholders’ feedback will be organized into three categories – Clarifications, Additional Guidance, and Evolving Requirements – and presented during the 2012 PCI Community Meetings.  The feedback period will close in April 2012.

All PCI stakeholders can submit feedback through an automated online tool.  The Council is particularly interested in feedback from international stakeholders because of the substantial growth in global and, in particular, European representation in the past year.  PCI European Director Jeremy King remarked that such feedback will help the Council maintain a “global standard that ensures the protection of cardholder data remains paramount.”  Please contact us if you would like to explore the submission of PCI-DSS or PA-DSS feedback to the Council.

CFPB Supervision and Examination Manual Provides Procedures for Examining Compliance with Financial Privacy Laws

In mid-October 2011, the Consumer Financial Protection Bureau (CFPB) released version 1.0 of its Supervision and Examination Manual.  Pursuant to Dodd-Frank, the CFPB has primary examination authority for compliance with federal consumer financial laws over banks having $10 billion or more in assets and their affiliates, such as banks’ service providers, as well as certain non-banks, including mortgage originators and payday lenders.  Part II of the Manual provides procedures for examining such institutions’ compliance with federal consumer financial laws, including financial privacy laws such as the Fair Credit Reporting Act, Fair Debt Collection Practices Act, and sections 502 through 508 of the Gramm-Leach-Bliley Act.  The examination procedures resemble similar procedures released by the Office of the Comptroller of the Currency and Federal Reserve Board. 

The procedures provide a walkthrough of the CFPB’s approach to examinations and use a “module” format designed to be tailored to the activities conducted by the institution.  For example, the FCRA examination procedures contain five modules: (1) Obtaining Consumer Reports, (2) Obtaining Information and Sharing among Affiliates, (3) Disclosures to Consumers and Miscellaneous Requirements, (4) Duties of Users of Consumer Reports and Furnishers of Consumer Report Information, and (5) Consumer Alerts and Identity Theft Protections. 

We are actively monitoring and advising clients regarding all aspects of the CFPB.  Please feel free to contact us if you have any questions.

Senator Rockefeller Requests Information Regarding Visa and Mastercard Data Collection Practices and Proposals

On October 27, 2011, Senator John D. Rockefeller, chairman of the Senate Commerce, Science, and Transportation Committee, sent letters to Visa and Mastercard requesting information regarding the companies’ data collection and aggregation practices and proposals.  An October 25, 2011, Wall Street Journal article outlined various initiatives from the two companies pertaining to online behavioral advertising. 

Senator Rockefeller’s letters pose questions about the companies’ current data collection practices, anonymization of data sold to third parties, plans to combine purchasing data with data from other sources, and compliance with the Gramm-Leach-Bliley Act.  The letters require responses by November 30, 2011.

Online behavioral advertising proposals that rely on financial data remain a hot topic to be closely monitored.  Such proposals potentially implicate the Gramm-Leach-Bliley Act among other statutes and regulations. 

The Office of Financial Research and Legal Entity Identifiers

As covered in our earlier blog post, the Dodd-Frank Wall Street Reform and Consumer Protection Act establishes the Office of Financial Research (OFR) to collect and analyze U.S. financial data for financial regulators.  The OFR is tasked with, among other responsibilities, supporting the Financial Stability Oversight Council’s oversight of systemic risk, developing tools for measuring risk levels and trends in the U.S. financial sector, and performing applied financial research for financial regulators. 

One of the OFR’s initiatives is to design a global classification system for identifying all parties to financial contracts.  The classification system is called a legal entity identifier (LEI) system.  An LEI is a unique number that identifies a legally distinct entity that engages in financial market activities.  One of the system’s objectives is to give policymakers a more in-depth and accurate view of the U.S. economy’s and global economy’s exposure to certain market participants.  The OFR has been working with international financial regulators, self-regulatory bodies, and payment and settlement systems to design the LEI system.  The OFR announced that it hopes to commence the LEI system in 2012. 

The collection of LEI information for all financial transactions may raise privacy concerns depending on the level of granularity and type of information collected.  The OFR has come under attack recently by Congress because of potential privacy issues, and on September 24, 2011, a group of Republican congressmen introduced H.R. 3044, which would repeal in their entirety provisions in Dodd-Frank establishing the OFR. 

PCI Point-to-Point Encryption Standards May Simplify Compliance

Earlier this month, the Payment Card Industry Council (“PCI”) unveiled the first set of point-to-point encryption (“P2PE”) standards, designed for providers of hardware-based P2PE encryption and decryption solutions.  P2PE providers develop point-of-sale hardware for merchants, such as payment card readers and electronic cash registers, that encrypts payment card data from the moment the card is swiped at the point of sale until the data is transmitted to the merchant’s payment card processor.  P2PE hardware appeals to merchants because it minimizes the extent to which merchants must store and transmit unencrypted cardholder data.  The PCI P2PE standards provide requirements that are intended to standardize and enhance P2PE hardware solutions.

For merchants, the P2PE standards have the potential to reduce the scope of compliance and self-assessments under PCI-DSS, which governs merchants' data security practices for cardholder information from credit cards and similar payment mechanisms.  Merchants that use a PCI-validated P2PE hardware solution will have less of a compliance burden vis-à-vis PCI requirements pertaining to the encryption of sensitive cardholder information.  Merchants will remain responsible for complying with PCI requirements governing the education of employees handling account data, security policies, third-party relationships, and physical security of media.  PCI intends to release a list of PCI-validated P2PE hardware solutions in the spring of 2012. 

Congressional Hearing Panelists Discuss Financial Privacy Implications of the Newly Established Office of Financial Research

Yesterday, a subcommittee of the House Financial Services Committee held a hearing to discuss cybersecurity and security threats to the financial sector.  The panelists included officials from the Secret Service, Federal Bureau of Investigation, and Department of Homeland Security, as well as representatives from Verizon, Symantec, Bank of America, and public interest organizations.  The panelists generally discussed trends in cybersecurity threats, including the rise in security breaches affecting small- to medium-sized banks and other financial institutions. 

One noteworthy item discussed during the hearing was the Office of Financial Research established by Title I of the Dodd-Frank Act to collect and analyze U.S. financial data for financial regulators.  The Office of Financial Research is tasked with, among other responsibilities, supporting the Financial Stability Oversight Council’s oversight of systemic risk, developing tools for measuring risk levels and trends in the U.S. financial sector, and performing applied financial research for financial regulators.  Representative Shelley Moore Capito (R-WV) voiced concerns over the possibility of a security breach affecting the Office:

“I am especially interested to hear from our witnesses about the creation of the Office of Financial Research as called for by the Dodd-Frank Act.  I have serious reservations about the creation of this new bureaucracy, and I am most concerned with the potential for new cyber threats.  By compiling sensitive financial information into one federal agency, are we just making it easier for hackers to attack us?”

Some witnesses agreed with Rep. Capito’s concern and others downplayed her concern by pointing out other targets more attractive to hackers.  We will continue to monitor and report any financial privacy implications of the Office of Financial Research and other governmental bodies established by Dodd-Frank such as the Financial Stability Oversight Council and Consumer Financial Protection Bureau.

CFTC Issues Final Rule Extending Financial Privacy Requirements to Swap Dealers and Major Swap Participants

The Commodity Futures Trading Commission ("CFTC") recently approved a final rule broadening the scope of the CFTC’s financial privacy regulations under the Gramm-Leach-Bliley Act ("GLBA") to include "swap dealers" and "major swap participants," two types of entities created by and subject to regulation under Dodd-Frank.  GLBA requires financial institutions to, among other requirements, establish safeguards to ensure the security and confidentiality of consumer records and to comply with certain requirements governing the disclosure of consumers’ personal information.  Swap dealers and major swap participants are expected to collect and use nonpublic personal information in a similar manner as financial institutions currently subject to GLBA's financial privacy requirements.  The CFTC's rule simply extends the financial privacy requirements to swap dealers and major swap participants.

The final rule becomes effective 60 days after the CFTC finalizes its regulations further defining the terms "swap dealer" and "major swap participant."  On December 21, 2010, the CFTC issued proposed regulations with respect to these definitions.  The proposed definitions of these terms under the Dodd-Frank statute appear after the jump.

CFPB Opens for Business

Today, the Consumer Financial Protection Bureau ("CFPB") assumed certain powers and authorities set forth in Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The CFPB is tasked with implementing and enforcing Federal consumer financial laws to ensure that consumers have access to markets for consumer financial products and services, and that such markets are "fair, transparent, and competitive."  The CFPB is an independent bureau within the Federal Reserve System and headed by a director appointed by the President and confirmed by the Senate.  President Obama recently nominated Richard Cordray, former Ohio Attorney General, to serve as the CFPB’s director.  Mr. Cordray has not yet been confirmed by the Senate.

Once it has a confirmed Director, the CFPB will have rulemaking authority and, with respect to certain entities, enforcement authority under certain federal laws with privacy implications, such as the Fair Credit Reporting Act, Fair Debt Collection Practices Act, and the financial privacy sections of the Gramm-Leach-Bliley Act.  The CFPB will also enforce, with respect to certain entities, consumer protection regulations already promulgated by other federal agencies under these Federal consumer financial laws.  In addition, select classes of nonbank institutions will be subject to regular supervision by CFPB examiners for compliance with these Federal consumer financial laws.

The CFPB will have more limited authority until a Director is confirmed, although the full scope of this limited authority during the interim period is not entirely clear.

Additional information regarding the CFPB can be found in an alert we prepared for clients following Dodd-Frank’s passage.

Connecticut Latest State to Prohibit Employers from Using Credit Reports in Employment Decisions

On July 13, 2011, Connecticut adopted a law prohibiting certain employers from using employees’ or prospective employees’ credit report information in making employment or hiring decisions.  Hawaii, Illinois, Oregon, Washington, and Maryland also have statutes that prohibit employers’ use of credit report information for employment purposes.  Other states currently considering similar legislation include California, New York, Pennsylvania, Ohio, and Florida.

Connecticut’s statute prohibits employers from requiring an employee or prospective employee to consent to a request for a credit report as a condition of employment.  The prohibition does not apply to, among other exceptions, employers that are financial institutions, credit reports required to be obtained by employers by law, and credit reports substantially related to the employee’s current or potential job. 

We will continue to monitor state legislative developments in this area.     

Flurry of Privacy Bills Introduced in Congress; More to Come?

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

  • BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
  • Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
  • Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

  • Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
  • Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

  • Do Not Track Kids Act of 2011, H. R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

  • Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
  • Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
  • Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
  • Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
  • Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

  • Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
  • Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
  • Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

  • Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

  • Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

SWIFT Messaging Raises Unique Financial Privacy Issues

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, provides an organizational platform for facilitating international payments.  U.S. and foreign financial institutions use SWIFT messages to initiate, process, receive, and settle payment orders.  The amount of information exchanged via SWIFT is immense.  More than 9,000 financial institutions in 209 countries rely on SWIFT to process international payments, and an average of 17,000,000 SWIFT messages are sent in a given day.  SWIFT messages contain sensitive financial information about consumers, businesses, and governments and for that reason raise unique financial privacy concerns.

In recent years, governments such as the United States have obtained access to the SWIFT database, including transactions involving citizens as well as foreign residents, in order to combat terrorism.  However, certain countries have criticized and pushed back against such access out of concerns for their citizens’ privacy.  In 2010, the United States and European Union reached an agreement whereby SWIFT message information will be made available only for the purpose of preventing, detecting, and prosecuting terrorism and only upon a showing that such information is necessary.

More broadly, the Dodd-Frank Act provides for Federal Reserve supervision of systemically important payment and settlement activities, and it is generally expected that the international payments system will receive more attention from regulators in the future.  For instance, recent Treasury rulemakings have requested further comment on the subject of non-U.S. payment and settlement providers. 

FTC Official Outlines Commission's Efforts to Combat Identity Theft

Yesterday, Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, testified before a subcommittee of the House Ways and Means Committee on the use of Social Security numbers (SSNs) in identity theft.  In addition to providing background information on the use of SSNs in identity theft and the FTC’s recommendations for preventing misuse of SSNs, the testimony described the Commission’s approach to combating identity theft.  Key aspects of the FTC’s approach include:

  • The FTC has brought 32 law enforcement actions since 2001 against businesses, including pharmacies and credit report resellers, that failed to protect sensitive consumer information in violation of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the FTC Act, and other consumer protection laws.
  • The FTC manages and makes available to federal and state law enforcement the Identity Theft Clearinghouse, an online database of identity theft-related complaints.
  • The Commission provides educational outreach to consumers and businesses in order to raise awareness about identity theft and outline precautions to be taken to prevent it.

SEC Imposes Fines under Regulation S-P for the First Time

On April 7, 2011, the Securities and Exchange Commission announced a total of $55,000 in fines against three former executives of a securities broker-dealer for violations of the privacy and safeguards rules in Regulation S-P.  The fines mark the first time the SEC has imposed administrative fines for violations of these rules.  Copies of the SEC’s announcement and orders can be found here.

The SEC alleged that, in the course of winding down the business operations of GunnAllen Financial, the former president and former national sales manager downloaded customer records, including names and addresses, account numbers, and asset values, and provided the records to the sales manager’s new employer.  The SEC found that their actions violated the privacy rule, which obligates broker-dealers to give customers a reasonable opportunity to opt out before customer information is shared with unaffiliated third parties, and the safeguards rule, which requires broker-dealers to have adequate policies and procedures in place to safeguard customer data.  The SEC found that the company’s former chief compliance officer was culpable for violations of the safeguards rule.  The SEC also found that the company’s policies and procedures were inadequate because they simply recited Regulation S-P and were not modified over time, even after the company was affected by security breaches.

State Bills to Restrict Employer Use of Employee Credit Reports Grow in Number

As we reported in a prior post, there is a developing legislative trend to restrict employers’ use of credit report information in making adverse employment decisions (e.g., hiring, promotion, termination) regarding prospective or current employees.  There are currently 18 states considering legislation in this area: California, Indiana, Kentucky, Missouri, Nebraska, New Mexico, New York, Texas, Connecticut, New Jersey, Vermont, Maryland, Pennsylvania, Georgia, Ohio, Florida, Michigan, and Montana.  Hawaii, Illinois, Oregon, and Washington already have laws restricting employers’ use of employee credit report information for employment decisions. 

The bills vary in scope.  Some bills apply only to prospective employees while others apply to both prospective employees and current employees.  For example, legislation in Florida would make it an improper employment practice for an employer “to directly or indirectly use a job applicant’s personal credit history as a hiring criterion” unless the applicant’s credit history is directly related to the position sought.  Even if the applicant’s credit history is directly related to the position, the employer may not use the applicant’s credit history as the determining factor in whether to hire the applicant.  The Florida bill does not restrict an employer’s ability to use the credit report information of current employees to make employment decisions.

We will provide further updates as to the progress of these bills as state legislative sessions begin to wrap up. 

D.C. Circuit Decides Red Flags Litigation

Last Friday, the U.S. Court of Appeals for the D.C. Circuit issued its opinion in litigation between the American Bar Association (ABA) and the Federal Trade Commission (FTC) over the scope of the FTC’s Red Flags rule.  The Court held the ABA's claims moot in light of recently-enacted legislation.   

The Red Flags rule requires covered entities to design and implement identity theft prevention programs.  In August 2009, the ABA challenged the FTC’s authority to enforce the rule with respect to attorneys.  In December 2010, Congress passed the Red Flag Program Clarification Act, which amended the definition of “creditor” in the underlying statute to limit the scope of the FTC’s rule.  We covered in previous blog posts the Act as well as supplemental briefs (here and here) filed by both parties arguing over the Act’s impact on the litigation.  The Court held that the ABA’s claims were now moot because, after the Act, there was no longer a case or controversy.

The ABA’s claims for injunctive relief were premised on the original definition of “creditor” prior to passage of the Act.  The Court stated that “the policy, rule, and statute that gave rise to [the] suit are no longer in the same posture.”  The Court acknowledged that the FTC could promulgate new regulations seeking to subject attorneys to the Red Flags rule but dismissed it as a mere “hypothetical possibility” not giving rise to a live dispute. 

FTC Chairman Jon Leibowitz applauded the Court’s decision for vindicating the FTC’s contention that the case should be dismissed.

Additional Briefs Filed in ABA-FTC Red Flags Litigation

We covered in a previous post ongoing litigation in the D.C. Circuit between the American Bar Association and Federal Trade Commission over the scope of the FTC’s Red Flags rule.  On January 20, 2011, the FTC filed a supplemental brief analyzing the impact of the recently-enacted Red Flag Program Clarification Act of 2010 on the permissible scope of the rule.  The ABA filed a response brief on February 3, 2011, and the FTC filed a reply brief on February 10, 2011. 

The ABA’s response brief emphasized the view that Congress never intended for the Red Flags requirements to apply to lawyers and used the Clarification Act and the congressional deliberations leading to it as further evidence of that intent.  The Clarification Act does not contain an express authorization for the FTC to apply the Red Flags rule to attorneys and, in fact, narrows the definition of “creditor.”  The brief also points to legislative history suggesting that Congress intended to prevent the FTC from applying the rule to professionals such as attorneys. 

The FTC’s reply brief argued that the Clarification Act provided no categorical exemption from the definition of “creditor” for attorneys and that the definition, as amended, continues to encompass certain attorney billing or credit arrangements.  Moreover, Congress considered but ultimately did not pass bills that explicitly exempted attorneys from the scope of the rule.

Federal and State Legislation to Restrict Employer Use of Employee Credit Reports

On January 19, U.S. Representative Steve Cohen (D-TN) introduced H.R. 321, the “Equal Employment for All Act,” which would amend the Fair Credit Reporting Act to restrict employers from using consumer credit reports to make adverse employment decisions (e.g., hiring, promotion, termination) regarding prospective or current employees.  The Act contains exceptions for, among other scenarios, positions that require national security clearances and managerial positions at financial institutions. 

H.R. 321 is the first federal legislation to restrict employers’ use of employee credit reports, but there has already been considerable activity at the state level.  Four states - Hawaii, Illinois, Oregon, and Washington - already have laws restricting employer use of employee credit reports, and 13 more states are considering legislation that would impose similar restrictions.

We will continue to monitor federal and state developments in this area and keep you posted as these bills make their way through the legislative process.   

Consumer Financial Protection Bureau Publishes Notice of "Consumer Inquiry and Complaint Database"

The deadline to submit comments in response to the Consumer Financial Protection Bureau (CFPB) Implementation Team’s notice to establish the “Consumer Inquiry and Complaint Database” is less than two weeks away. 

Title X of the Dodd-Frank Act establishes the CFPB to enforce federal consumer financial laws through rulemaking, supervision, and enforcement authority.  Dodd-Frank gives the CFPB authority over, among other federal statutes, the Electronic Fund Transfer Act, Fair Credit Reporting Act, and Fair Debt Collection Practices Act.  The CFPB will officially open for business on July 21, 2011.  In the meantime, the CFPB Implementation Team has been taking steps to ensure the bureau hits the ground running, including with its notice to establish the Consumer Inquiry and Complaint Database. 

The Consumer Inquiry and Complaint Database will contain information concerning complaints or inquiries submitted directly to the CFPB and those submitted to other agencies and referred to the CFPB.  Specifically, the database will include (1) information about the individual or entity that is the subject of the complaint, (2) information about the individual or entity submitting the complaint, (3) correspondence and any documentation associated with the complaint, and (4) information about how complaints or inquiries were addressed.  The purpose of the database is to enable the CFPB to collect, respond to, and refer complaints or inquiries regarding consumer financial products or services.  However, information in the database may be disclosed in the course of civil discovery, litigation, or settlement; to Congress, law enforcement agencies, regulatory agencies, and self-regulatory agencies; and in aggregate form to the public for purposes of analytical and statistical reporting.  The database presents a number of privacy-related issues that will not be fully recognized until the CFPB commences operations. 

Comments regarding the database must be submitted by February 9, 2011.

Remote Deposit Capture Services Present Opportunity and Risk

According to a Federal Deposit Insurance Corporation survey of depository institutions, approximately 38 percent of institutions offer some form of remote deposit capture (RDC) service.  RDC enables a customer to deposit checks and other items electronically through the internet or the customer’s mobile phone.  The service was made possible by the “Check Clearing for the 21st Century Act” (Check 21), which Congress passed in 2003 and which took effect in October 2004.  RDC may help an institution expand its geographic reach by offering deposit services to customers who are not located near one of the institution’s branches or other offices.  However, the federal banking agencies are mindful of the risks involved with RDC services, including the need to protect customers’ nonpublic personal information, and have stressed sound risk management practices tailored to RDC.

The federal banking agencies recommend that institutions address RDC services in their existing risk assessments, implement physical and logical access controls over RDC data and services, impose risk-based guidelines to determine which customers should be eligible for use of the service, offer RDC training for customers, and consider applicable laws and regulations such as the Check Clearing for the 21st Century Act, Federal Reserve Regulation CC and Regulation J, applicable state laws and regulations, and other guidance.  Risk management for RDC should also address the use of third-party vendors and service providers.  According to the survey, 68 percent of institutions that offer RDC rely on either a third-party program or third-party software or hardware owned by the third-party.  For this reason, institutions should pay close attention to third-party risk in providing RDC services. 

Federal Trade Commission Provides Initial Interpretation of the Red Flags Clarification Act in Litigation with the American Bar Association

We recently covered the Red Flag Program Clarification Act of 2010 in a blog post and client alert.  The Act was intended to narrow the scope of the Federal Trade Commission’s Red Flags rule, which imposes requirements on creditors and financial institutions to detect and deter identity theft.  Prior to the Act’s passage, the American Bar Association had commenced litigation against the FTC regarding the rule’s application to attorneys.  The litigation is presently in the U.S. Court of Appeals for the District of Columbia Circuit, and in court papers filed on January 20, 2011, the FTC provided its initial interpretation of the Act’s impact on the rule. 

The FTC argued that the Act does not provide a blanket exemption for all attorneys, contrary to the ABA’s contention and the district court’s ruling.  Pursuant to the Act, an attorney could be subject to the Red Flags rule if he or she satisfies the definition of “creditor” under the Equal Credit Opportunity Act and regularly obtains consumer reports in connection with credit transactions, furnishes information to consumer reporting agencies in connection with credit transactions, or lends money to or on behalf of a person unless the loan is for expenses incidental to the services provided by the attorney.  In addition, the Act authorizes the FTC to subject any person to the rule if the FTC determines, by rulemaking, that the person “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  The FTC pointed to these two provisions, as well as the absence of legislative history supporting a blanket exemption for any profession, in arguing that the Act does not support the ABA’s position that attorneys should be categorically exempt from the rule. 

The ABA’s responsive brief is due on February 3, 2011. 

Banks Explore Advertising On Customer Bank Statements

The Washington Post has published an article describing a relatively new arena for behavioral advertising: your online bank statement.  Participating banks serve marketing to their customers based on the customer's spending history.  These promotions may be particularly valuable to advertisers because they are targeted based on how a customer actually spends his or her money and because customers can take advantage of advertised discounts without printing out coupons -- if you click the associated link, the advertiser will recognize your debit card the next time it is swiped. 

The banks and their advertising partners have defended against privacy concerns by pointing out that customers may opt out and noting that, because the ad software runs on the bank's server, customer data need not leave the bank's secure network.  The federal banking regulators have not yet chimed in on this practice.  The FTC's recent draft report on consumer privacy suggests that the FTC is inclined to treat financial information as sensitive information, subject to an opt-in consent requirement for data practices that are not "commonly accepted."  The draft report does not define financial information.

U.S. Supreme Court Denies Cert in Seventh Circuit Case Involving FACTA and E-Commerce

Yesterday, the U.S. Supreme Court declined to review Shlahtichman v. 1-800 Contacts, Inc., in which the U.S. Court of Appeals for the Seventh Circuit held that an email confirmation of an online purchase is not “electronically printed” for purposes of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  Among other restrictions, FACTA prohibits merchants who accept credit or debit cards as payment from printing more than the last five digits of the card number, or the card’s expiration date, on any receipt provided to the cardholder at the point of sale or transaction.  This prohibition applies only to receipts that are “electronically printed.” 

The plaintiff, Eduard Shlahtichman, sued 1-800 Contacts, alleging that the company’s email confirmation violated FACTA because it listed his credit card's expiration date.  After considering the issue, the district court dismissed the case, strongly suggesting that FACTA does not apply to e-commerce because emailed receipts are not "electronically printed."  On appeal, the Seventh Circuit agreed with the district court, finding that the ordinary meaning of the term “electronically printed” reaches only those receipts that are printed on paper, and that the use of the term "electronic" did not broaden the scope of the statute beyond paper receipts.
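Whatever the statutory reach of “electronically printed,” a merchant’s receipt generator should apply the same truncation to every delivery channel, since an emailed confirmation leaks the same data as a paper slip if it is forwarded or exposed in a mailbox compromise.  The following is an added example (not code from the original post or from any party to the case) showing a receipt renderer that masks the card number and never emits the expiry date, the legacy pattern the plaintiff complained of, and a check that flags the legacy output.  The card number and expiry are constructed sample values (a standard Visa test PAN), and the function names are this example’s own.

```python
import re

# Constructed sample data for this example (not a real card): a Visa test PAN and a made-up expiry.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_EXPIRY = "12/27"

FACTA_MAX_TRAILING_DIGITS = 5  # 15 U.S.C. 1681c(g): no more than the last five digits on a receipt


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Return the PAN with every digit except the last `keep_last` replaced by '*'.

    FACTA permits at most the last five digits on a receipt; PCI DSS display rules
    permit at most the first six and last four. Keeping only the last four satisfies
    both. Separators (spaces, dashes) are stripped before masking.
    """
    if not 0 < keep_last <= 4:
        raise ValueError("keep at most four trailing digits")
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must contain 12 to 19 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def render_receipt(pan: str, expiry: str, amount_cents: int, merchant: str, channel: str) -> str:
    """Receipt text that is safe for paper and e-mail alike.

    `expiry` is accepted only so the signature matches the legacy renderer; it is
    never written to the receipt, whichever channel is used.
    """
    return "\n".join([
        merchant,
        f"Channel: {channel}",
        f"Amount: ${amount_cents / 100:.2f}",
        f"Card: {mask_pan(pan)}",
    ])


def render_receipt_legacy(pan: str, expiry: str, amount_cents: int, merchant: str, channel: str) -> str:
    """The pattern alleged in Shlahtichman: an e-mail confirmation carrying the expiry date.

    Shown only as the 'before' case; do not use.
    """
    return "\n".join([
        merchant,
        f"Channel: {channel}",
        f"Amount: ${amount_cents / 100:.2f}",
        f"Card: {pan}  Exp: {expiry}",
    ])


def receipt_is_compliant(receipt: str, pan: str, expiry: str) -> bool:
    """Check rendered receipt text against the FACTA truncation rule.

    Fails if the expiry string appears, or if any window of six consecutive PAN
    digits appears (anything beyond the last five digits necessarily exposes such a
    window). Spaces and dashes are collapsed first so formatted PANs are caught too.
    """
    if expiry in receipt:
        return False
    flat = re.sub(r"[\s-]", "", receipt)
    digits = re.sub(r"\D", "", pan)
    window = FACTA_MAX_TRAILING_DIGITS + 1
    return not any(digits[i:i + window] in flat for i in range(len(digits) - window + 1))


if __name__ == "__main__":
    for renderer in (render_receipt, render_receipt_legacy):
        text = renderer(SAMPLE_PAN, SAMPLE_EXPIRY, 4999, "Example Merchant", "email")
        print(renderer.__name__, "compliant:", receipt_is_compliant(text, SAMPLE_PAN, SAMPLE_EXPIRY))
        print(text, end="\n\n")
```

The check is intentionally conservative: it looks for any six-digit run of the card number rather than only the leading digits, so a receipt that prints the first six and last four (permitted under PCI DSS display rules but not under FACTA’s last-five limit) is also flagged.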

Shlahtichman is one in a series of cases in which courts are struggling to determine the extent to which laws enacted before e-commerce was as widespread as it is today should apply in today's information economy.

Canadian Court Orders Consumer Credit Agency To Pay Damages Under PIPEDA

On December 20, 2010, the Federal Court of Canada ordered consumer credit agency TransUnion of Canada Inc. to pay damages under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).  TransUnion was ordered to pay approximately $5,000 to a consumer who was unable to secure a loan after TransUnion reported inaccurate credit information to his bank. 

The negative information should have been attributed to a different individual with a similar name and similar address.  The court held that even though the error may have been caused by a “commercially sensible” matching system, the reported credit information was not “sufficiently accurate, complete, and up-to-date” for the purposes for which it was used.

The damages award is the first under the applicable section of PIPEDA in the statute’s ten-year history.  The court found that while damages are discretionary under the statute, they were appropriate as to TransUnion:  “Where the credit reporting service has failed to take prompt, reasonable steps to correct the record and to therefore ameliorate the embarrassment of the individual, it should expect that it will be ordered to compensate him for the humiliation it has caused.”

President Signs Into Law Legislation Narrowing Scope of Red Flags Rule

Over the weekend, President Obama signed into law the "Red Flag Program Clarification Act of 2010."  The Act is intended to narrow the types of entities that are subject to the Federal Trade Commission’s Red Flags rule, which requires financial institutions and creditors to take certain steps to prevent identity theft.  More information on the Act is available in our prior post and client alert.