Thursday, December 10, 2009

More Privacy and Identity Theft Developments

Demonstrating that regulation of privacy is hard, the Federal Trade Commission (FTC) has AGAIN pushed back the enforcement of the Red Flags rule, now until June 1, 2010. See http://www.ftc.gov/opa/2009/10/redflags.shtm. This might have followed a court loss, in which the American Bar Association convinced a court to hold that the Red Flags rule should not apply to lawyers. See https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2009cv1636-21. The ABA had previously won a similar case, where a court held that the privacy components of Gramm-Leach-Bliley also did not apply to lawyers. In case the reader thinks it is unfair to exclude lawyers . . . there is a long, long history of cases at the federal level noting a general intention in federal law not to regulate lawyers – and to allow that regulation to occur at the state level.

The Red Flags rule requires “creditors” to establish a plan to fight identity theft. It sounds like a good thing on its face. The problem lies in the FTC’s overreaching definition of “creditor” in the rule. As the FTC views it, if you accept payment at any time in the future, you are a “creditor.” This means, essentially, that everyone is a creditor under the rule. However, most of us do not have the capability to implement and monitor a real identity theft detection plan. Indeed, many “creditors” accept credit cards through third-party vendors – often not even having possession of credit card data. The FTC is apparently going back to the drawing board in light of the ABA case and fixing its proposed rules.

Finally, in a recent case, Amburgy v Express Scripts, Inc., a federal district court in Missouri has thrown out a case where a plaintiff alleged that the defendant’s data breach – in which thousands of records with personal information were stolen – caused him damages, in the form of costs to protect his credit, because of the possibility that his data was lost. The holding, which some blogs have mischaracterized as carte blanche protection for data owners, only held that the plaintiff had no standing to sue because he could not prove he had suffered a loss. For some reason, the plaintiff was apparently unable to prove that his records were part of the records that were taken by the data thief. All he could allege (and apparently prove) is that his records might have been lost, and that as a result of that possibility, he had to engage in credit monitoring. The case has a limited holding – and other cases have allowed plaintiffs to proceed under various tort and contract theories under similar facts. The law therefore remains rather unsettled in this area. Congress is considering a bill to federalize data breach notification, but as in past years, it is not clear it will bubble up to consideration with all of the other high-profile legislative work being done.

For more information on this topic, please contact Mike Oliver at oliver@bowie-jensen.com.
