Privacy Bulletin: Issue No. 50

Congress Passes Red Flags Rule Legislation, Waiting for President’s Signature:

The U.S. Senate and U.S. House of Representatives have both passed amendments clarifying the definition of the term “creditor” under the Fair Credit Reporting Act. This legislation was introduced to limit the types of entities that are subject to the Federal Trade Commission’s identity theft prevention red flag rules. This legislation is awaiting President Obama’s signature.

Currently, the term “creditor” can be broadly interpreted to include many different types of entities and professions, such as attorneys. The legislation will limit the term “creditor” to mean those persons who meet the definition of creditor under the Equal Credit Opportunity Act and regularly and in the ordinary course of business: (i) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

In a press release dated December 8, 2010, FTC Chairman Jon Leibowitz said, “We’re pleased Congress clarified its law, which was clearly overbroad. Now, we can go forward with less litigating and more protecting consumers from identity theft.”

In connection with this controversy, the FTC delayed the effective date of the red flag rules, issued on November 9, 2007, several times. The rules are now to take effect December 31, 2010 (red flag rules). For complete text of legislation see

Senate Approves Legislation to Ban “Data Pass” to Third Party Post-Transaction Sellers:

On November 30, 2010, the U.S. Senate passed legislation that would render unlawful any post-transaction third party seller’s charge or attempt to charge a consumer’s credit card, debit card, or bank account for goods or services sold through the internet. There are exceptions to the prohibition: (i) before obtaining a consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including certain specific terms; and (ii) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by certain specified methods. Senate Bill 3386, the “Restore Online Shoppers’ Confidence Act,” has passed to the House Committee on Energy and Commerce.

FCRA Credit Receipt Claim May Proceed Against the U.S. Government, says Federal Circuit Court:

The U.S. Court of Appeals for the Federal Circuit has allowed a claim of a violation of the Fair Credit Reporting Act by the United States government to proceed. In Bormes v. United States (Fed. Cir., No. 2009-1546, 11/16/2010), the plaintiff claims that the United States government failed to follow the Act’s requirement that a consumer’s credit card expiration date be redacted from a receipt. The plaintiff, an attorney, allegedly paid a client’s filing fees through the U.S. government’s system using a credit card. The plaintiff alleges that the receipt for the payment of the filing displayed the card’s expiration date, in violation of the Fair Credit Reporting Act Section 1681c(g)(1).

Congress Holds Hearing on Feasibility of “Do-Not-Track” Legislation:

The U.S. House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection held a hearing entitled “Do-Not-Track Legislation: Is Now the Right Time?” on December 2, 2010. This hearing examined the feasibility of establishing a mechanism that gives internet users a way to opt out of the tracking of their online activity by data-gathering firms. Among the witnesses were officials from the Federal Trade Commission and the Department of Commerce. Daniel Weitzner of the Commerce Department’s National Telecommunications and Information Administration said in his testimony that the Commerce Department will soon publish a series of policy ideas and questions in a “green paper.” He also stated that these policy ideas and questions “are intended to play a key role in [the Department’s] effort to close gaps in consumer protection, strengthen online trust, and bolster the internet economy.” His testimony also stated that “with or without legislation, Internet stakeholders suggested that the centerpiece of Internet privacy protection may be upgrading the role of voluntary but enforceable codes of conduct, developed through open, inclusive processes.” Director of the Bureau of Consumer Protection David Vladeck, testifying on behalf of the Federal Trade Commission, relayed, among other things, the framework proposed by the FTC in its recent report to guide policy makers and industry in improving consumer online privacy protection. On the heels of this hearing, Microsoft® announced on December 8th that it would add a “do-not-track” feature to its Internet Explorer® software.

Members of Congress State Intent to Seek Privacy Legislation in the Next Congress:

Several Congressional Members have indicated their intent to seek internet privacy legislation, including Senator John Kerry (MA). In a press release dated December 1, 2010, Sen. Kerry stated that “during the process of drafting legislation, I’ve concluded that consumers should have three nonnegotiable rights. First, all firms must put procedures in place to secure personally identifiable information. Second, consumers have a right to know in clear and concise terms what firms intend to collect, why, and how it will be used. Third, consumers should be given a simple mechanism for opting out of the process.”

FTC Solicits Comments on Caller ID Services for Telemarketers:

The Federal Trade Commission issued an advance notice of proposed rulemaking on November 30, 2010, seeking comments on the provisions of the Telemarketing Sales Rule concerning caller identification services and disclosure of telemarketers’ identities for telemarketing calls.

Caller identification services provide a consumer the opportunity to know his or her caller. However, innovations in caller identification services have led to a telemarketer’s ability to shield its true identity and contact information from consumers. Telemarketers can use technology to allow them to transmit caller identification numbers that are not associated with their geographical location. Telemarketers can also use these technologies to display telephone numbers that lead to voicemail only or to display a number that is not in service. Telemarketers can also change their name in the caller identification display.

The FTC solicits comments on whether changes should be made to the Telemarketing Sales Rules to reflect the current use and capabilities of caller identification technologies and whether the Rules should be amended to better achieve the objectives of the caller identification provisions. The FTC’s press release regarding this ANPR states that the ANPR “does not put forward a specific plan for strengthening the Telemarketing Sales Rule’s Caller ID provisions. Instead, it provides information on how Caller ID services work, and explains how the benefits of Caller ID services are undermined when telemarketers use technology to block transmission of Caller ID, to transmit false information, or to transmit a telephone number or name that does not clearly identify the source of the call.” Comments are due January 28, 2011.

FTC Publishes Tips for Securing Data on Digital Copiers:

The FTC recently published a guide, Copier Data Security: A Guide for Businesses, which advises businesses on how to secure sensitive data stored on digital copiers. The FTC’s press release announcing this new guide includes some helpful steps for ensuring data security that can be found in the guide (reprinted below):

  • Before acquiring a copier, plan to have the information technology staff manage and maintain it just as they would a computer or a server.
  • When buying or leasing a copier, evaluate your options for securing the data on its hard drive – including the encryption or overwriting features that will be used. Encryption scrambles the data on the hard drive so it can only be read by particular software. This ensures that even if the hard drive is removed from the machine, the data cannot be retrieved. Overwriting – also known as file wiping or shredding – replaces the existing data with random characters, so that the file cannot be easily reconstructed.
  • Take advantage of all of the copier’s security features. Securely overwrite the entire hard drive at least once a month.
  • When returning or disposing of a copier, find out whether it is possible to have the hard drive removed and destroyed, or to overwrite the data on the hard drive. Generally, it is advisable for a skilled technician to remove the hard drive to avoid the risk of rendering the machine inoperable.

Please see the FTC’s website for more information.

Congress Passes Social Security Number Protection Act:

On December 9, 2010, Congress passed legislation to further protect an individual’s social security number. The legislation will prohibit federal, state and local agencies from displaying a person’s social security number (or any derivative of that number) on a check issued by an agency. The legislation will also prohibit federal, state or local agencies from employing prisoners where the prisoner would have access to a person’s social security number. This legislation, the Social Security Number Protection Act of 2010, was sponsored by Senator Dianne Feinstein (CA). The bill now awaits President Obama’s signature.

Verizon Announces Plan to Issue Medical Credentials to Doctors and Other Medical Professionals:

Verizon announced on November 17th its plans to issue medical identity credentials to 2.3 million physicians, physicians’ assistants and nurse practitioners in the United States free of charge. In a press release, Verizon claimed that “this first-of-its kind step will enable U.S. health care professionals to meet federal requirements contained in the 2009 Health Information Technology and Clinical Health (HITECH) Act that call for the use of strong identity credentials when accessing and sharing patient information electronically beginning in mid-2011.” Verizon feels that with these credentials, “U.S. health care professionals will be able to receive digital health information via the Verizon Medical Data Exchange, using a secure, private inbox accessed from a new web-based physician portal.” Further, Verizon states that the credentials will enable these health care providers to access applications and programs such as electronic medical records and e-prescribing.

Consumer Group Advocates Improved Consumer Protections to Cloud Computing Service Providers:

The Consumer Federation of America released a set of best practices for cloud computing services on November 30th, titled “Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing.” Cloud services can be incredibly useful for sharing information electronically. Consumers as well as businesses and governments already take advantage of cloud computing services, such as social networking sites and other remote servers that hold information and are accessed through the internet. However, cloud computing services can also create issues in the consumer protection and privacy arenas. Thus, according to its press release on November 30th, the Consumer Federation held a two-day retreat over the summer, attended by representatives from consumer and privacy organizations, academia, government and business from the United States and Europe, and created a set of best practices for the cloud service provider industry. These best practices include, but are not limited to, the demonstration of operational safeguards and security mechanisms by cloud service providers and the ability of cloud service users to delete information they uploaded to the cloud. These best practices are not mandatory, but the Consumer Federation of America hopes that the cloud service provider industry will consider these practices in the future.