Mixed News on Privacy Law Front
PDFThe past week brought privacy protection news from both the Federal Trade Commission and the state of Massachusetts, the author of the nation’s most comprehensive data protection scheme. Under mounting pressure from Congress, on Oct. 30, the FTC delayed the implementation of its Red Flags Rule for privacy protection, this time until June 1, 2010. The rule applies to financial institutions and a broad range of “creditors” that includes most businesses that provide financing or extend credit. It requires affected businesses to develop and implement written programs to help identify, detect and respond to patterns, practices or specific activities (“red flags”) that might be evidence of identity theft. In pressuring the FTC, members of Congress were responding to concern about the burden of compliance on recession-strapped small and medium-sized businesses.
On Nov. 4, the Massachusetts Office of Consumer Affairs issued regulations – now scheduled to take effect on March 1, 2010 – to implement the state’s expansive new Standards for the Protection of Personal Information. (Click here for the full text.) The standards include the following key points: a sweeping requirement that “every person that owns or licenses personal information about” a Massachusetts resident must implement a written information security program that contains administrative, technical and physical safeguards; a requirement that third-party service providers provide contractual guarantees of information security (this provision does not take effect until March 1, 2012); and, perhaps most controversially, the required encryption of all personal information that will travel across public networks or be transmitted wirelessly. The security program requirement is flexible, taking into account the business' size and resources, the nature and scope of its data collection, and its particular security needs. As the final regulation is written, the encryption requirement applies as long as encryption is "technically feasible." This language is not entirely consistent with FAQs currently posted on the website of the Massachusetts Office of Consumer Affairs and Business Regulation, which apply a reasonableness standard to the encryption requirement. At present, there is no basis for resolving this apparent inconsistency. Because the regulations are not highly detailed, a number of other questions also remain unresolved, including their application to interstate commerce. (Identity Theft Regulations Alert)