January 14, 2010 | Posted by Susan L. Lyon
In November 2009, the association of German data protection authorities (“Düsseldorfer Kreis”) issued a resolution titled “Data Protection Compliance of Web Analytics Tools for Website Audience Measurement.” This resolution has a clear impact on business and contains many risks. The big question is whether the use of web analytics tools as it is today is still compliant with German data protection.
October 30, 2009 | Posted by Ryan T. Mrazik
Today, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") filed its final amendments to the state's data security regulations, which impose specific requirements on entities for safeguarding the personal information of Massachusetts residents. The OCABR will make its amendments public next Monday, but has already stated that it didn't make any major changes and only clarified language regarding contracts between persons who own or license personal information and third-party service providers. The updated regulations are scheduled to take effect on March 1, 2010.
July 29, 2009 | Posted by Contributor
On Wednesday, July 29, 2009, the FTC extended the enforcement deadline for the Red Flags Rule until November 1, 2009.
June 11, 2009 | Posted by Susan L. Lyon
Today, the FTC and five other federal agencies jointly issued a set of Frequently Asked Questions (FAQs) to help financial institutions, creditors, users of consumer reports, and issuers of credit and debit cards comply with the identity theft Red Flag Rules that go into effect on August 1, 2009. The FAQs provide guidance on numerous aspects of the rules, including (1) types of entities and accounts covered; (2) establishing and administering an identity theft program; (3) address validation requirements; and (4) obligations of users of consumer reports upon receiving notice of an address discrepancy. The press release is available here. The FTC's Red Flag Rules website is here.
May 12, 2009 | Posted by Susan L. Lyon
The European Commission today issued its recommendations on applying the European Union's privacy and data protection principles to Radio Frequency Identification (RFID) technology: http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf
February 9, 2009 | Posted by Ryan T. Mrazik
The Department of Education (Department) recently released regulations modifying numerous provisions of the Family Educational Rights and Privacy Act (FERPA). Like FERPA, the regulations govern the privacy of personally identifiable information in student education records and apply to all educational institutions that receive federal funding. The regulations address four issues: (1) permissible disclosures, (2) security measures, (3) revised definitions, and (4) enforcement. Specific, key regulations address health and safety emergencies, third-party contractors, security measures, and the statutory definition of "personally identifiable information."
November 17, 2008 | Posted by Miriam D. D'Jaen
The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has extended to May 1, 2009, its deadline for businesses and others to comply with its new data security regulations. Obligations to encrypt portable devices, other than laptops, and to obtain written certifications from third-party service providers are extended to January 1, 2010.
October 24, 2008 | Posted by Joseph P. Cutler

On October 22, 2008 the FTC announced that it would suspend enforcement of its new "Red Flag Rules" for combating identity theft for six months, which gives entities subject to the rule until May 1, 2009 to implement a written "Red Flag Program" to detect, prevent and respond to threats of identity theft in connection with accounts covered by the rules.  In its Enforcement Policy Statement that accompanied the announcement, the FTC stated that:

[S]ome industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule.  These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.”  Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008.

Thus, the FTC delayed its enforcement date in order to provide businesses ample time to bring their policies and procedures into compliance with the new rules.

For more information about the Red Flag Rules and how they might affect your business, please review our full posting regarding the rules here, and contact us with questions.

Joe Cutler: 206-539-6014
Veronica McGregor: 415-344-7062

October 9, 2008 | Posted by Susan L. Lyon
The Payment Card Industry (PCI) Security Standards Council recently posted Version 1.2 of the PCI Data Security Standard (PCI DSS), which applies to many merchants and vendors that accept credit cards and other types of payment cards. A few of the changes will likely have a significant impact on many companies still struggling to comply with Version 1.1. The changes include, among others, heightened requirements for wireless networks and expanded requirements to implement anti-virus software on platforms beyond Windows, including UNIX. Other changes are simply clarifications or, in a few instances, relaxations of requirements.