Privacy & Information Security Law Blog

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

On September 13, 2021, the Federal Trade Commission published final revisions to five rules promulgated pursuant to the Fair Credit Reporting Act (“FCRA”), to clarify that the rules apply only to motor vehicle dealers. The final revisions were made to bring the rules in line with the Dodd-Frank Wall Street Reform and Consumer Protection Act. Entities other than motor vehicle dealers are still subject to the Consumer Financial Protection Bureau’s (“CFPB's”) FCRA counterpart rules and the concurrent jurisdiction of the CFPB and FTC to enforce them.

On June 25, 2021, the U.S. Supreme Court in TransUnion LLC v. Ramirez held in a 5-4 decision that certain members of a class action lawsuit, whose inaccurate credit reports were not provided to third parties, did not suffer a “concrete” injury sufficient to confer Article III standing. This case builds upon the Court’s 2016 decision in Spokeo, Inc. v. Robins, where the Court first addressed the concrete injury that must be suffered in order to have standing to bring suit under the Fair Credit Reporting Act (“FCRA”). Importantly, while Spokeo’s holding that a bare ...

On June 2, 2021, Nevada’s governor approved SB 260 (the “Amendment Bill”), which expands on the previously amended Nevada Privacy of Information Collected on the Internet from Consumers Act (the “Act”). Specifically, the Amendment Bill broadens the definition of key terms along with providing several new exemptions.

As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. It may be that. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court. The decision circumscribes the federal jurisdiction, with all its advantages, that defendants have enjoyed under Class Action Fairness Act (“CAFA”) for the past decade.

On May 16, 2016, the United States Supreme Court issued a decision in Spokeo Inc. v. Thomas Robins, holding 6-2 that the Ninth Circuit’s ruling applied an incomplete analysis when it failed to consider both aspects of the injury-in-fact requirement under Article III. Writing for the Court, Justice Samuel Alito found that a consumer could not sue Spokeo, Inc., an alleged consumer reporting agency that operates a “people search engine,” for a mere statutory violation without alleging actual injury.

As reported in the Hunton Employment & Labor Perspectives Blog:

On November 2, 2015, a putative class action was filed against retailer Big Lots Stores, Inc. in Philadelphia, stemming from allegations that the company “systematically” violated the Fair Credit Reporting Act’s (“FCRA’s”) “standalone disclosure requirement” by making prospective employees sign a document used as a background check consent form that contained extraneous information. Among other things, the plaintiff alleges that Big Lots’ form violates the FCRA because it includes the following three categories of extraneous information: (1) an “implied liability waiver” (specifically, a statement that the applicant “fully understand[s] that all employment decisions are based on legitimate nondiscriminatory reasons”); (2) state-specific notices; and (3) information on how background information will be gathered and from which sources, statements pertaining to disputing any information, and the name and contact information of the consumer reporting agency.

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

On November 17, 2014, the Federal Trade Commission announced that data privacy certifier True Ultimate Standards Everywhere, Inc. (“TRUSTe”) has agreed to settle charges that the company deceived consumers about its recertification program and misrepresented that it was a non-profit entity in violation of Section 5 of the FTC Act.

On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The new law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of electronic or paper records. The law will take effect on January 1, 2015.

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

On April 9, 2014, the Federal Trade Commission announced settlements with two data brokers, Instant Checkmate, Inc. (“Instant Checkmate”) and InfoTrack Information Services, Inc. (“InfoTrack”), which sell public record information about consumers. The settlements stem from allegations that Instant Checkmate and InfoTrack violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the FTC asserts that the companies violated the FCRA by “providing reports about consumers to users such as prospective employers and landlords without taking reasonable steps to make sure that they were accurate, or without making sure their users had a permissible reason to have them.”

As reported in the Hunton Employment & Labor Perspectives Blog, on March 10, 2014, the Federal Trade Commission and the Equal Employment Opportunity Commission issued joint guidance regarding the use of background checks in the employment context. The agencies issued two guidance documents: Background Checks: What Employers Need to Know (which advises employers on their existing legal obligations under both the Fair Credit Reporting Act and federal non-discrimination laws) and Background Checks: What Job Applicants and Employees Should Know (which informs job applicants ...

On January 16, 2014, the Federal Trade Commission announced a settlement with TeleCheck Services, Inc., and its affiliated debt-collection entity, TRS Recovery Services, Inc. (collectively, “TeleCheck”). The settlement stems from allegations that TeleCheck violated various provisions of the Fair Credit Reporting Act (“FCRA”). According to the press release, the settlement is “part of a broader initiative to target the practices of data brokers, which often compile, maintain, and sell sensitive consumer information” and is similar to an FTC settlement with a different company in August 2013.

As reported in the Hunton Employment & Labor Perspectives Blog:

While much attention has been paid this year to the Equal Employment Opportunity Commission’s (“EEOC’s”) agenda and litigation over criminal background checks (the agency asserts such background checks have a disparate impact on minority groups), a parallel challenge kept pace in the form of private class action litigation under the Fair Credit Reporting Act (“FCRA”). 2013 saw a number of significant class action settlements against both employers and consumer reporting agencies (“CRAs”) for alleged violations of the FCRA in the use of criminal background checks:

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

On September 25, 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, expanded his investigation of the data broker industry by asking twelve popular health and personal finance websites to answer questions about their data collection and sharing practices.

On August 15, 2013 the Federal Trade Commission announced a settlement with Certegy Check Services, Inc. (“Certegy”) stemming from allegations that Certegy violated various provisions of the Fair Credit Reporting Act (“FCRA”). The settlement agreement includes a $3.5 million civil penalty for “knowing violations ... that constituted a pattern or practice of violations.”

On May 7, 2013, the Federal Trade Commission announced that it issued letters to ten data broker companies warning that their practices could violate prohibitions against selling consumer information under the Fair Credit Reporting Act (“FCRA”). The FTC identified the ten data broker companies after a test-shopping operation that indicated these companies were willing to sell consumer information without adhering to FCRA requirements.

On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect “red flags” and prevent identity theft. These rules implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, that amended the Fair Credit Reporting Act (“FCRA”) to direct the SEC and the CFTC to adopt rules requiring regulated entities to address risks of identity theft. The 2003 amendments to the FCRA required other regulatory authorities to issue identity theft red flags rules, but did not authorize or require the SEC or the CFTC to issue their own rules.

On April 3, 2013, the Federal Trade Commission issued a press release announcing that it had sent warning letters to operators of six websites that provide rental history reports to landlords for tenant screening purposes. The letters informed the website operators that they may be considered consumer reporting agencies (“CRAs”) subject to the requirements of the Fair Credit Reporting Act (“FCRA”).

On March 14, 2013, the United States District Court for the Northern District of California granted a motion to prohibit the government from issuing National Security Letters (“NSLs”) to electronic communication service providers (“ECSPs”) requesting “subscriber information” and enforcing nondisclosure clauses contained in such letters. The nondisclosure clauses are intended to prevent ECSPs from disclosing that they received an NSL. The court also held that the sections of two federal statutes relating to the nondisclosure provisions of NSLs, 18 U.S.C. §2709(c) and 18 U.S.C. §3511(b), (collectively, the “NSL Nondisclosure Statutes”) were unconstitutional because they violated the First Amendment as well as separation of powers principles. In light of the significant constitutional and national security implications, the court stayed enforcement of its judgment pending appeal to the Ninth Circuit, or for 90 days if no appeal is filed.

On February 11, 2013, the Federal Trade Commission announced that a congressionally-mandated study of the U.S. credit reporting industry found that 26 percent of consumers identified at least one error that might affect their credit score. The study reported that 5 percent of consumers had errors on their credit reports that could result in less favorable terms for loans and insurance.

On January 25, 2013, Kmart Corporation (“Kmart”) agreed to a $3 million settlement stemming from allegations that it violated the Fair Credit Reporting Act (“FCRA”) when using background checks to make employment decisions. The FCRA addresses adverse actions taken against consumers based on information in consumer reports and includes numerous requirements relating to the use of such reports in the employment context.

In a January 13, 2013 blog post, the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog highlighted the FTC’s recent groundbreaking settlement for violations of the Fair Credit Reporting Act (“FCRA”) in the mobile app context. The settlement with Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk (the owner of Filiquarian and Choice Level, collectively, the “Companies”), is the first FCRA enforcement action against a mobile app developer. Filiquarian offered mobile apps to consumers for purposes of conducting criminal background checks in numerous states, and Choice Level provided the criminal background checks used by the apps to Filiquarian.

As reported in the Hunton Employment & Labor Perspectives Blog:

Beginning January 1, 2013, employers must issue an updated notice form to applicants and employees when using criminal background information under the federal Fair Credit Reporting Act.

On December 18, 2012, the Federal Trade Commission issued Orders to File Special Report (the “Orders”) to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers. In the Orders, the FTC requests detailed information about the data brokers’ privacy practices, including:

• the data brokerage companies’ online and offline products and services that use personal data;
• the sources and types of personal data the data brokerage companies collect;
• whether, and how, the companies acquire consumer consent before obtaining, collecting, generating, deriving, disseminating or storing the personal data;
• whether, and how, the personal data is aggregated, anonymized or de-identified;
• how the companies monitor, audit or evaluate the accuracy of the personal data they obtain;
• if, and how, consumers are able to access, correct, delete or opt out of the collection, use or sharing of the personal data the data brokerage companies maintain about the consumers;
• how the data brokerage companies provide notice to consumers about their data privacy practices;
• the advertisements or promotional materials the companies use to describe their products and services; and
• information about any complaints or disputes, or governmental or regulatory inquiries or actions, related to the companies’ data privacy practices.

On November 30, 2012, the Federal Trade Commission announced the issuance of an interim final rule (“Interim Final Rule”) that makes the definition of “creditor” in the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) consistent with the definition contained in the Red Flag Program Clarification Act of 2010.

On October 10, 2012, the Federal Trade Commission announced that consumer reporting agency Equifax Information Services LLC (“Equifax”) and several of its customers, including Direct Lending Source, Inc. (“Direct Lending”), have agreed to pay a combined total of nearly $1.6 million to settle FTC allegations that they violated the Fair Credit Reporting Act (“FCRA”) in connection with the sale of data regarding consumers in financial distress. According to the FTC, Equifax sold Direct Lending and its affiliates lists of individuals who met selected criteria (known as “prescreened lists”); the lists contained information such as credit scores and mortgage payment status. In its complaint, the FTC alleges that Direct Lending and its affiliates did not have a legally permissible purpose under the FCRA to obtain the prescreened lists because they had no intention to use the lists to make firm offers of credit. Instead, these entities allegedly resold the lists to third parties that used the lists for marketing purposes. The FTC alleges that Equifax had inadequate procedures to prevent this from happening and that it failed to properly investigate when it learned that Direct Lending was engaged in these activities.

On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. At first blush, the case may appear to be a simple FCRA matter – the FTC alleged that HireRight functioned as a consumer reporting agency when providing employment screening services to companies, but then failed to take steps to assure the accuracy of those reports and prevented consumers from dispute inaccurate information. Despite initial appearances, however, the case has broader geopolitical implications.

On July 24, 2012, a bipartisan group of eight members of Congress sent letters to nine major data brokerage companies requesting information on how the companies collect, assemble and sell consumer information to third parties. Representatives Ed Markey (D-MA) and Joe Barton (R-TX), who serve as co-chairmen of the Bipartisan Congressional Privacy Caucus, are leading the inquiry. The Privacy Caucus, which is an ad hoc group rather than a formally constituted congressional committee, is comprised of members who have a common interest in privacy issues. The Caucus cannot call formal hearings, compel production of materials or pass legislation.

On June 12, 2012, the Federal Trade Commission announced a settlement agreement with data broker Spokeo, Inc. (“Spokeo”). The FTC alleged that Spokeo operated as a consumer reporting agency and violated the Fair Credit Reporting Act (“FCRA”), and that certain of its advertisements were deceptive in violation of Section 5 of the FTC Act. The proposed settlement order imposes a $800,000 civil penalty on Spokeo and prohibits future violations of the FCRA. This is the first FTC case to address the sale of Internet and social media data in the employment screening context.

On February 6, 2012, the Federal Trade Commission warned six marketers of background screening mobile applications that they may be violating the Fair Credit Reporting Act (“FCRA”). In a sample letter posted on the FTC website, the FTC indicates that at least one of the recipient marketer’s mobile apps involves background screening reports that include criminal history checks. Pursuant to the FCRA, this could make the marketers of the mobile apps “consumer reporting agencies” if they are “providing information to employers regarding current or prospective employees’ criminal histories [that] involves the individuals’ character, general reputation, or personal characteristics.”

As reported in the Hunton Employment & Labor Perspectives Blog:

The U.S. Department of Justice has moved to intervene to defend the constitutionality of the Fair Credit Reporting Act (“FCRA”) against a consumer reporting agency accused of violating § 605 of the FCRA.

On November 23, 2010, Shamara T. King filed suit against General Information Services, Inc. (“GIS”) in Pennsylvania federal court claiming violations of the FCRA. (See, King v. General Information Services, Inc., No. 2:10-CV-06850 (E.D. Pa. Nov. 23, 2010). Specifically, King claims that when she applied for a job with the United States Postal Service, GIS performed a background check that included details about a car theft arrest that occurred more than seven years prior to the requested background check. According to § 605(a)(5) of the FCRA, consumer reporting agencies cannot provide adverse information, except for criminal convictions, “which antedates the report by more than seven years.”

As reported in the Hunton Employment & Labor Perspectives Blog, Connecticut recently became the latest state to pass a law regulating employer use of credit reports. The law, which goes into effect on October 1, 2011, prohibits employers from requiring employees or prospective employees to consent to the employer requesting their credit report as a condition of employment.  The full post includes a discussion of the exceptions to this restriction.

Read our previous posts on regulatory scrutiny of employee credit checks and a similar Illinois law that went into effect on January 1 ...

On June 27, 2011, the Federal Trade Commission announced that it had reached a settlement with Teletrack, Inc. (“Teletrack”), a consumer reporting agency that sells consumer reports and other services to businesses that serve financially distressed consumers, after alleging that the company had sold information obtained through its consumer reporting business to marketers to create a marketing database. The FTC considered that the information sold by Teletrack, which included lists of consumers who applied for certain credit products, constituted “consumer ...

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

A commonly used pre-employment screening method--conducting credit checks--has drawn increased scrutiny in recent months.  Legislatures at the state and federal levels are considering bills that would limit employer use of credit checks.  Moreover, two recently-filed lawsuits, one of which was filed by the EEOC, seek to challenge the use of pre-employment credit checks in hiring decisions. 

On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.  The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.”  The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

On October 27, 2010, the U.S. Commodity Futures Trading Commission (the “CFTC”) issued two notices of proposed rulemaking (“NPRMs”), citing Gramm-Leach-Bliley Act (“GLBA”) privacy rules, and marketing and data disposal rules of the Fair Credit Report Act (“FCRA”).

The proposed rules come in the wake of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which places two new categories of covered entities (i.e., “swap dealers” and “major swap participants”) under the CFTC’s jurisdiction.  Under the proposals, those entities would be subject to certain GLBA privacy rules that regulate the treatment of consumers’ nonpublic personal information, and sections of the FCRA that address affiliate marketing and data disposal.

On August 10, 2010, Illinois Governor Pat Quinn signed the Employee Credit Privacy Act, which prohibits most Illinois employers from inquiring about an applicant’s or employee’s credit history or using an individual’s credit history as a basis for an employment decision.  The definition of “employer” under the Act exempts banks, insurance companies, law enforcement agencies, debt collectors and state and local government agencies that require the use of credit history.

As reported in BNA’s Privacy Law Watch, the Federal Trade Commission intends to agree to temporarily exempt health care providers from the FTC’s Identity Theft Red Flags Rule.  The Red Flags Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The FTC previously has stated that health care providers could be deemed “creditors” under the Rule.  The agreement will grant relief to ...

On May 28, 2010, the FTC announced that it would again delay enforcement of the Identity Theft Red Flags Rule.  This is the fifth time the Commission has announced an extension of the enforcement deadline, after most recently extending the deadline to June 1, 2010.  The Red Flags Rule requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate ...

Provisions of the FTC’s revised rule that regulate advertisements for free credit reports become effective April 2, 2010.  As required by the Credit CARD Act of 2009, the FTC promulgated the revised rule on February 22, 2010, to prevent the deceptive marketing of free credit reports by companies that required consumers to sign up for paid products and services such as credit monitoring in order to receive the reports. 

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC.  The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act.  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain ...

The FTC today announced that it would, for the fourth time, delay enforcement of the Identity Theft Red Flags Rule.  The enforcement date is now June 1, 2010 for creditors and financial institutions subject to FTC jurisdiction.  The agency stated that the delay was requested by members of Congress, who are currently considering a bill that would limit the rule's scope.  That bill (which would exclude certain entities with 20 or fewer employees from the rule's definition of "creditor" and also would provide a mechanism for other entities to apply for that exclusion) recently passed the ...

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Section 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft. The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

The November 1st deadline for compliance with the FTC’s Red Flags Rule Identity Theft Prevention Program requirements is rapidly approaching.  Of late, there has been a flurry of activity aimed at limiting the scope of the rule.  The Red Flags Rule, which was jointly promulgated by several federal agencies in November 2007, requires all “creditors” that offer or maintain a “covered account” to implement a written identity theft prevention program.  A “creditor” is defined broadly to include “any person who regularly extends, renews, or continues credit.”  In March 2009, the Federal Trade Commission (“FTC”) published a how-to guide for businesses to comply with the Red Flags Rule that confirmed the FTC will broadly construe the rule, stating that the definition of a “creditor” includes all businesses that “provide goods or services and bill customers later.”

On July 29, 2009, the Federal Trade Commission ("FTC") announced another three-month delay in the enforcement of the provision of Identity Theft Red Flags and Address Discrepancies Rule (the "Rule") that requires creditors and financial institutions to implement an Identity Theft Prevention Program.  The FTC noted that small businesses and entities with a low risk of identity theft remain uncertain about their obligations under the Rule and pledged to "redouble" its efforts to educate businesses about compliance with the Rule.  The new enforcement deadline for creditors and ...

The Federal Trade Commission (“FTC”) recently issued new rules and guidelines to promote the accuracy of consumer information included in credit reports.  The final rules and guidelines were issued in conjunction with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the “Agencies”) pursuant to Section 312 of the Fair and Accurate Transactions Act of 2003 (“FACTA”).  The Agencies’ release regarding the new rules, entitled “Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act” and “Guidelines for Furnishers of Information to Consumer Reporting Agencies,” was issued on July 1, 2009.  The final rules and guidelines will take effect on July 1, 2010. 

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade ...

On May 13, 2009, the Federal Trade Commission ("FTC") published a compliance template designed to assist financial institutions and creditors "at low risk for identity theft " in developing the Identity Theft Prevention Program required by the FTC’s Identity Theft Red Flags and Address Discrepancies Rule (the "Rule").  The template is entitled "A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft."

At the eleventh hour, the Federal Trade Commission announced that it will once again delay enforcement of the Red Flags Rule.  The Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACTA").  The previous compliance date was May 1, 2009, which was an extension from the original deadline of November 1, 2008.  The new extension applies only to the provisions of the Rule requiring financial institutions and creditors to implement an identity theft prevention program.  The continuing enforcement delays respond to ongoing uncertainty about ...

On March 20, 2009, the Federal Trade Commission (“FTC”) published its long-awaited guide to the Red Flags Rule (the “Rule”), entitled “Fighting Fraud with Red Flags Rule:  A How-To Guide for Business.”  The guide applies to creditors and certain financial institutions (such as state-chartered credit unions and mutual funds that offer accounts with check-writing privileges) that are subject to the FTC’s jurisdiction and addresses the provision of the Rule that requires implementation of an Identity Theft Prevention Program.  For entities subject to the FTC’s jurisdiction, the relevant compliance deadline is May 1, 2009.  Financial institutions that are regulated by federal bank regulatory agencies or the National Credit Union Administration (which issues their own versions of the Red Flags Rule) were required to comply with the Rule as of November 1, 2008.

On March 20, 2009, the Federal Trade Commission published a Red Flags Rule compliance guide for businesses, entitled “Fighting Fraud with the Red Flags Rule.”  The guide offers an overview of the Rule and practical steps businesses need to take to comply.  In addition, the guide addresses the issue that has raised the most concern among businesses -- the Rule's scope.  As expected, the FTC is interpreting the Rule broadly, suggesting, for example, that any company that sells goods or services and bills customers later is a "creditor" subject to the Rule.  According to the guide ...