ICANN decided Friday to postpone approval of procedures for organizations to propose new generic top-level domains (gTLDs). Companies anticipating the need to protect trademarks in a potentially large number of new gTLDs will have at least a few more months to understand and weigh in on the proposals, and to brace themselves for successive rounds of sunrise filings and domain name disputes as new gTLDs are introduced.
The Blog of Legal Times is reporting that late on December 7, 2010 the House of Representatives passed a bill on a voice vote that amends the definition of "creditor" in the Fair and Accurate Credit Reporting Act (FCRA) and, as a result, dramatically limits the scope of the Red Flags Rule. The House bill is identical to the legislation enacted by the Senate last week. We previously covered in detail on our blog both the House bill and the Senate bill.The legislation has the effect of largely limiting the applicability of the Red Flags Rule to financial institutions and entities commonly understood to be "creditors". It will generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time. The legislation leaves open the possibility that the FTC would bring various types of creditors within the scope of the Rule through rulemaking. However, it sets a procedural threshold for expanding the scope of the Rule and appears to require the determination to be specific to the type of creditor. "When I think of the word 'creditor,' dentists, accounting firms and law firms do not come to mind," said Rep. John Adler (D-N.J.), speaking on the House floor.
Last week, the U.S. Senate adopted by unanimous consent a bill (S. 3987) that would limit the scope of the Federal Trade Commission's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor." The Senate bill is identical to the bipartisan House proposal we covered in detail in our blog on November 22, 2010.Both bills have been referred to the House Committee on Financial Services. Given that the House and Senate are now on the same page with respect to the Red Flags Rule, there is a good chance that this proposal will become law before the FTC begins enforcing the Rule on December 31, 2010. The bills seek to largely limit the applicability of the Red Flags Rule to entities commonly understood to be "creditors". They would generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time.
Last week the Federal Trade Commission (FTC) released its anticipated preliminary 122-page staff report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (the "Report"), which we covered in brief immediately following its release. In this part 1 of our review, and in following parts, we dig into specifics of the Report's proposed framework, with a eye toward examining rationales for the various proposals as well as analysis on the potential effects going forward on practices and data policies.
As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first of its kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.
On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled "Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers". The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.
On November 30, 2010, the Federal Trade Commission announced a settlement with EchoMetrix, Inc. with respect to charges that the company failed to adequately disclose its privacy practices. EchoMetrix sells software that allows parents to monitor their children's online activities. The FTC alleged that the company engaged in a deceptive act or practice in violation of Section 5 of the FTC Act by failing to inform parents that the information the software collected about their children would be disclosed to third parties for marketing purposes.
The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FRCA's) definition of "creditor."
Many of you probably read earlier this month that California's Office of Administrative Law approved the California Department of Insurance's proposal to repeal certain privacy regulations. The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act, so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. Many of our followers have asked me to break down this newest California development, so here goes.
A recently released IC3 fraud advisory for businesses, entitled "Corporate Account Take Overs," addresses the growing problem of criminals targeting small- to medium-sized businesses (SMB's), local municipalities and school districts for bank account takeovers. The take overs culminate in costly and potentially ruinous "cyberthefts" where accounts are subject to a series of wire transfers or ACH payments that empty part or all of the account's funds to overseas banks.
During the final week of October and beginning of November, I attended two privacy events that were set far apart geographically and philosophically: the Data Protection Commissioners Conference in Jerusalem and the ad:tech conference in New York City. The Jerusalem event had a decidedly pro-privacy flavor, while at ad:tech businesses showcased myriad ways for monetizing personal information. Both conferences posed interesting questions about the future of privacy, but as a privacy lawyer I was more interested in learning and observing than engaging in the privacy debates. The events' apparently divergent privacy narratives made me ponder where a privacy lawyer may fit on the privacy continuum between these two great cities.
Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission's Identity Theft Red Flags Rule.The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule's definition of "creditor" to the extent they allow clients to pay for legal services after the services are preformed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative battles about the future of privacy.
Today, the Federal Trade Commission announced the launch of a business center portal to help businesses understand and comply with privacy and information security requirements that the FTC enforces. The new portal provides centralized access to the FTC's privacy and information security regulations, enforcement actions and guides. The main portal also offers information about compliance with advertising, credit, telemarketing and myriad other requirements. A series of short videos explain what businesses need to know to comply, and the business center blog offers latest compliance tips and information.
A panel of the Ninth Circuit last week released an opinion in DSPT Int'l, Inc. v. Nahum, 2010 WL 4227883, (CV-06-00308-ODW)(Oct. 27, 2010), that's worth a brief review for its various holdings in a "cybersquatting" trademark and domain name dispute. What's interesting about this case? For starters the different result the Court reached under the Anticybersquatting Consumer Protection Act (the "ACPA") versus what would have occurred had a Uniform Domain-Name Dispute Resolution (UDRP) procedure been followed.
Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission's position that an individual's ability to control his or her information, have access to the information, and modify or delete the information are "essential rights that have to be guaranteed in today's digital world." The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.
A draft release of a 90-page Proposed Security Assessment and Authorization for U.S. Government Cloud Computing was distributed by the White House CIO Council yesterday, curiously numbered a 0.96 release.