Compliance With the Red Flags Rules
12 p.m. to 1:30 p.m. Central, August 27, 2009
Dan Bachrach, Andrew Serwin, Douglas Kelly

For Audio Participation, Please Call 1.866.281.4322, *1382742*

Attorney Advertising. Prior results do not guarantee a similar outcome. Models used are not clients but may be representative of clients. 321 N. Clark Street, Suite 2800, Chicago, IL 60654, 312.832.4500
Housekeeping Issues
- Call 866.493.2825 for technology assistance
- Dial *0 (star/zero) for audio assistance
- Ample time for Q & A will be allotted at the end of the formal presentation
- We encourage you to maximize the PowerPoint to full screen: hit F5 on your keyboard, or select View from the toolbar (pull-down) menu and click Full Screen
- To print a copy of this presentation: click on the printer icon in the lower right hand corner, convert the presentation to PDF and print as usual

Today's Presenters
- Andrew Serwin, Foley & Lardner LLP
- Dan Bachrach, Foley & Lardner LLP
- Douglas Kelly, Marriott International, Inc.
Privacy
General Principles:
- Notice
- Choice
- Onward Transfer
- Access
- Security
- Data Integrity
- Enforcement

Privacy
Ultimately Four Issues:
- What information do you collect?
- What do you do with the information?
- When can't you disclose it?
- When must you disclose it?
Federal Privacy Statutes
- Children's Online Privacy Protection Act
- Gramm-Leach-Bliley
- FCRA/FACTA
- Right to Financial Privacy Act
- Electronic Communications Privacy Act
- Health Insurance Portability and Accountability Act
- CAN-SPAM and telephone marketing restrictions

Common Areas of State Regulation
- Identity Theft Laws
- Restrictions on Use of Social Security Numbers
- Spam
- Internet Privacy
- Telephone/Fax Marketing Laws
- State Wiretapping Laws
- Computer Crime Laws
- Notice of Security Breach Laws
- Medical Privacy
- Financial Privacy
What Type of Data Presents Privacy and Security Issues?
- Confidential Information
- Intellectual Property
- Personally Identifiable Information
  - Health
  - Financial
  - Other data that reveals sensitive information about individuals by itself or if combined with other information

Trends in Privacy
- Increasing technology is driving more information sharing, as well as greater restrictions.
- Free services on the Internet are built upon information sharing and therefore government regulation has been more limited.
- Health information is receiving more regulatory attention.
- Government spending will drive EHR and privacy requirements.
- Greater protections for information that can be used to commit identity theft.
Why are we here?
- The FTC continues to be concerned about identity theft, including medical identity theft.

Notable Examples: ChoicePoint
- February 2005 allegation: Identity thieves posed as legitimate customers to access the company's extensive consumer profile database
- FTC reportedly investigated the company's compliance with federal law
- SEC reportedly investigated insider trading and adequacy of disclosures
- Secret Service, FBI and U.S. Postal Service involved
- Six class-action lawsuits filed in CA and GA
Notable Examples: DSW Shoe Warehouse
- March 2005 allegation: Data from 1.4 million credit cards used in 108 stores was reportedly stolen between November 2004 and February 2005
- Federal authorities, including Secret Service, investigated
- DSW established a special help line for its customers
- Parent company disclosed the matter in a 10-K/A and 8-K filed in April 2005
- Disclosures occurred in the midst of the parent's planning for the IPO of DSW
- Head of FTC, Deborah Platt Majoras, was among affected DSW customers

Notable Examples: Heartland
- Late 2008: 100 million card transactions/month for 175,000 merchants
- Attack occurred while PCI review under way
- Heartland uncovered malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder's name.
Scope of Coverage of the Rule
- Financial Institutions and Creditors that offer or maintain covered accounts.
- The key concepts for the scope of coverage are what is a:
  - Financial Institution;
  - Creditor; and
  - Covered account.

Other Key Concepts
- The definition of identity theft is also important: The term "identity theft" means a fraud committed or attempted using the identifying information of another person without authority.
Other Key Concepts
- The term "identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
  (1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
  (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
  (3) Unique electronic identification number, address, or routing code; or
  (4) Telecommunication identifying information or access device.

Other Key Concepts
- Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Who is covered?
- Financial Institution is defined in the same way as in 15 U.S.C. 1681a(t).
- Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

What is covered?
- Covered account means:
  (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
  (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
- Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
  (i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
  (ii) A deposit account.
What is required?
- Each Creditor must periodically determine whether it offers or maintains covered accounts.
- This must include a risk assessment to determine whether it offers or maintains covered accounts, taking into consideration:
  - The methods it provides to open its accounts;
  - The methods it provides to access its accounts; and
  - Its previous experiences with identity theft.

Written Program
- Financial Institutions and Creditors that offer or maintain one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft.
What Factors Can be Considered When the Program is Created?
- The Program must be appropriate to the size and complexity of the Financial Institution or Creditor and the nature and scope of its activities.

What Must the Program Include?
- The Program must include reasonable policies and procedures to:
  - Identify relevant Red Flags for the covered accounts that the Financial Institution or Creditor offers or maintains, and incorporate those Red Flags into its Program;
  - Detect Red Flags that have been incorporated into the Program of the Financial Institution or Creditor;
  - Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  - Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
Continued Administration and Necessary Approvals
- A Creditor must also provide for the continued administration of the Program and must:
  - Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
  - Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
  - Train staff, as necessary, to effectively implement the Program; and
  - Exercise appropriate and effective oversight of service provider arrangements.

Other Key Elements of the Program
- The Program must also assist the Creditor in:
  - Identifying Relevant Red Flags;
  - Detecting Red Flags;
  - Preventing and Mitigating Identity Theft;
  - Administering the Program;
  - Complying with Other Applicable Legal Requirements;
  - Addressing Alerts, Notifications or Warnings from a Consumer Reporting Agency;
  - Identifying Suspicious Documents and Suspicious Personal Identifying Information; and
  - Identifying the Unusual Use of, or Suspicious Activity Related to, the Covered Account.
New Guidance from the FTC
- There have been several documents released by the FTC that have provided additional guidance, but open questions remain.

Effective Date
- November 1, 2009?
Potential Litigation
- Both the American Bar Association and the American Medical Association have threatened litigation over the definition of creditor.

Creating a Compliance Plan

Potentially Relevant Policies
- Privacy policies
- Employee policies
- Business partner policies (e.g., contract policies)
- Document retention policies (e.g., destruction of records containing sensitive personal information)
- Incident response policies
Prevention
- Technologically
  - Protect your systems
  - Work with (certified) vendors and other parties like Visa
  - Visa's information security standards
  - ISO 17799
  - Information Security Programs
- Contractually
  - Two key contracts are merchant bank and POS vendor
  - Require certifications as a condition
- Internally
  - Implement appropriate policies
  - Educate employees about handling inquiries

What is reasonable security?
- Legislative history says there are no specific mandates; no bright lines
- States there will be compliance uncertainty
- Goal is to allow industry to exercise its own judgment
- Reasonable measures must be appropriate to the nature of the information
- This obligation expressly applies to contracts involving data sharing
Information Security and Privacy: A Practical Guide to Federal, State and International Law

Privacy Takeaways
- Assess what information is being collected
- Think through the types of data you are collecting
- Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers
Privacy Takeaways
- Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems
- Consider what security systems you have in place and what security measures you are requiring third parties to have
- Consider restrictions upon the use of removable media
- Make sure your privacy policy makes the necessary disclosures

Privacy Takeaways
- Reserve the right to modify your privacy policy
- Ensure that employees are aware of your policies
- Assess whether you have a responsibility to report a data security incident
- Consider what security systems you have in place and what security measures you are requiring third parties to have
- Determine if you are sending or receiving data to countries that have higher privacy and security standards
Questions and Answers

Presenter Contacts
- Andrew Serwin, 619.685.6428, aserwin@foley.com
- Dan Bachrach, 407.244.3261, dbachrach@foley.com
- Douglas Kelly, 407.513.6870, Douglas.Kelly@vacationclub.com
Thank You
- A copy of the PowerPoint presentation and a multimedia recording will be available on our website within 24 to 48 hours: http://www.foley.com/news/event_detail.aspx?eventid=2903
- We welcome your feedback. Please take a few moments before you leave the web conference today to provide us with your feedback: http://www.zoomerang.com/survey/?p=web229km4t97d3