EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.Continue Reading EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold
At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here). Specifically, the researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests…
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.
Continue Reading FTC Solicits Public Comment on Identity Theft Detection Rules
By Megan Rodgers
The FTC announced that the identity theft protection firm LifeLock will pay $100 million to resolve allegations that the company made false statements about its services and failed to safeguard consumer data. This settlement represents the largest of its kind in an FTC order enforcement action.
The FTC first sued LifeLock in…
This week, the Medical Identity Fraud Alliance (“MIFA”) released its 2014 Fifth Annual Study on Medical Identity Theft, finding that in the last year, medical identity theft incidents increased by 21.7% from 2013. The study is annually conducted to determine the pervasiveness of medical identity theft in the United States, how it affects the lives of victims, and what steps should be taken by consumers, healthcare providers, and governments to reduce the incidence of this crime. Medical identity theft is defined by the report as occuring “when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.” In this study, medical identity theft also is deemed to occur when an individual shares his or her health insurance credentials with others.
Continue Reading Study Shows Increase in Medical Identity Theft
By Ashden Fein and Randall Friedland
On Friday, President Obama signed an Executive Order directed at securing consumer transactions and sensitive data, improving consumer identify theft remediation, and better securing personal information on federally run websites. Among the security measures, the President ordered all federal government-issued credit cards be equipped, as soon as possible, with chip-and-PIN technology. The chip-and-PIN technology, commonly used in Europe, makes stealing credit card numbers more difficult. Chips are embedded in the credit cards and generate a unique code for every transaction requiring a user PIN (similar to a debit card)—adding another layer of security. Further, the Executive Order requires all retail payment card terminals at federal agencies to be able to accept the chip-and-PIN technology by January 1, 2015.Continue Reading President Obama Signs Executive Order Aimed at Protecting the Security of Consumer Financial Transactions
By: Kelly Carson
Last month, the Federal Trade Commission (FTC) issued an updated “How-To” guide to help businesses and organizations determine whether they are subject to the agency’s Red Flags rule (Rule). Under the Rule, certain entities are required to establish written programs that are aimed at detecting and preventing identity theft.
The FTC’s revised guide lays out which businesses the Rule covers — namely, “financial institutions” and some “creditors” — as well as the steps they must take to comply with the Rule’s requirements. As covered in a previous post, the Rule was amended in November 2012 to narrow the definition of “creditor,” bringing it in line with the Red Flag Program Clarification Act of 2012.Continue Reading FTC Issues Revised Business Guide on Identity Theft Red Flags Rule
Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft. The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures…
Yesterday the FTC released its annual report of consumer complaints, highlighting identity theft as the leading category of complaints, with 18% of the total. The 2012 report analyzes complaints received by the FTC, certain other federal agencies, state law enforcement agencies, and non-governmental organizations such as the Better Business Bureau. After identity theft, consumers filed the…
Yesterday, Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, testified before a subcommittee of the House Ways and Means Committee on the use of social security numbers (SSNs) in identity theft. In addition to providing background information on the use of SSNs in identity theft and the FTC’s recommendations for…