"Red Flags" Rule FTC Enforcement Deadline Pushed to December 31, 2010

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians. As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit.

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that, as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

Keylogging--Jurisdictions at Odds Over Privacy Concerns

Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so the keyboard user is unaware his activities are being monitored.

Several cases throughout the country have examined an employer’s use of keylogging. Recently, the Criminal Court of the City of New York held in New York v. Klapper that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law.

In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:

[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. 

The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.

In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account and then using the logged password to access his personal e-mail. However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as required by the ECPA. Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”

Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.

Employers Get Guidance from Ohio Court on "FCRA" Background Check Notice Requirements

Submitted by Susan M. Corcoran and Richard I. Greenberg

An increasing number of employers are conducting background checks on applicants and employees and many are outsourcing this function. Employers that outsource their background check function will find themselves subject to the Fair Credit Reporting Act (FCRA), which contains a set of “technical” compliance requirements.

The lack of guidance by courts in the area of background checks has left employers wondering whether their “best practices” will pass muster if challenged. A recent decision from the Southern District of Ohio, Mandy Burghy v. Dayton Racquet Club, Inc. et al., 2010 U.S. Dist. LEXIS 17373 (S.D. Ohio Feb. 26, 2010), may provide some needed assistance.

By way of background, the FCRA imposes specific procedural requirements on employers that wish to obtain consumer or investigative consumer reports (“Reports”) from third-party consumer-reporting agencies regarding applicants or employees. These employers must:

  1. Obtain written consent from and provide written disclosure to applicants or employees, in a “clear and conspicuous” stand-alone document, that a Report has been requested. (Informally, the Federal Trade Commission (“FTC”) has stated these requirements can be satisfied through the use of a combined consent/disclosure form focused solely on the Report being obtained);
  2. Before taking any adverse action based on information contained in a Report, provide the individual with a copy of the Report and a copy of the FTC’s Summary of Rights and allow the individual a reasonable period of time to dispute the accuracy of the disqualifying information (the “Pre-Adverse Action” requirement); and
  3. Issue an adverse-action letter when implementing any adverse action, such as a denial of employment or denial of promotion.

In Burghy, the Court first considered whether the employer provided a “clear and conspicuous” disclosure. It found this was satisfied because the employer put the disclosure “on the front side of a one page document,” “employed reasonably sized type,” used “bullet points to call attention to the disclosures,” and the plaintiff was aware that the employer was obtaining a Report.

Practice point - Infuse clarity and brevity into disclosures and exclude ancillary information.

The Court also considered the plaintiff’s assertion that the employer violated the “Pre-Adverse Action” requirement by implementing an adverse action prior to providing a copy of the Report and the FTC Summary of Rights. Specifically, the plaintiff claimed that the employer advised her of her termination at the same time as it provided her with the Report and Summary of Rights. The Court allowed this claim to proceed, denying the employer summary judgment.

Practice point - Eliminate factual disputes by carefully structuring conversations or correspondence pertaining to a Report so that the individual understands that no final decision (adverse or otherwise) has been made and the individual retains the right to contest the accuracy of the Report for a reasonable time. To the extent there is a conversation, having a checklist handy to delineate the process may be helpful.