119 See 16 C.F.R. §§ 314.4(d)(1) & (2).
120 16 C.F.R. § 682.3(b)(3) (2014). The Disposal Rule under FACTA provides examples of compliant due diligence, including “[r]eviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.” Id.
121 See Goal Financial Complaint at 2 (failing “to require third-party service providers by contract to protect the security and confidentiality of personal information.”); James B. Nutter & Co. Complaint at 2 (providing “back-up tapes containing personal information in clear readable text to a third-party service provider,” without requiring the service provider to protect the information’s security and confidentiality); Nations Title Agency Complaint at 2 (failing to provide reasonable oversight for handling of personal information by service providers employed to process and assist in real estate closings); Sunbelt Lending Complaint at 2 (failing to take steps to ensure service providers were providing appropriate security for customer information).
122 GeneLink and foruTM Complaint at 12.
123 Id. at 13.
124 See GeneLink Order at 7; Consent Order at 7, In re foruTM Int’l. Corp., No. C-4457 (F.T.C. May 8, 2014) [foruTM Order], http://www.ftc.gov/system/files/documents/cases/140512foruintdo.pdf.
125 Wyndham Worldwide Complaint at 2, 12. See also LifeLock Complaint at 10 (alleging that the company “[f]ailed to require . . . vendors, and others with access to personal information to use hard-to-guess passwords or to implement related security measures, such as periodically changing passwords or suspending users after a certain number of unsuccessful log-in attempts . . . .”).
126 Credit Karma Complaint at 4.
127 See, e.g., Accretive Health Order at 3. See also notes 55 & 56 for similar language in consent orders under GLBA and COPPA and notes 11, 12, & 14 for similar language in Consent Orders under FTC Act § 5.
128 See FTC Business Guidance at 22–23 (the “Plan Ahead” Principle, “[c]reate a plan for responding to security incidents.”).
129 See 16 C.F.R. § 314.4(b)(3), (c) (2014) (requiring safeguards to control identified risks, including in detecting and responding “to attacks, intrusions, or other systems failures.”).
130 Though GLBA does not itself require breach notification, the rules of some financial institution regulators under GLBA require such notifications be made as part of the institution’s mandated response programs. See, e.g., Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 C.F.R. pt. 30, app. B, supp. A (2014); Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice (NCUA), 12 C.F.R. pt. 748, app. B (2014). Forty-seven states, Puerto Rico, Guam, and the U.S. Virgin Islands require covered businesses with PII of the jurisdiction’s residents to provide notice if an unauthorized disclosure or breach of PII occurs.
131 The FTC Safeguards Rule under GLBA requires organizations to “[e]valuate and adjust your information security program in light of the results of the testing and monitoring required . . . any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.” 16 C.F.R. § 314.4(e).
132 See Complaint at 4, In re ACRAnet, Inc., No. C-4331 (F.T.C. Aug. 17, 2011) [ACRAnet Complaint], http://www.ftc.gov/sites/default/files/documents/cases/2011/08/110809acranetcmpt.pdf; James B. Nutter & Co. Complaint at 3; Nations Title Agency Complaint at 3; SettlementOne Credit & Sackett National Holdings Complaint at 4.
133 HTC America Complaint at 2. See Fandango Complaint at 4 (“[f]ailing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties.”).
134 See, e.g., Accretive Health Order at 3. For similar language in Consent Orders under GLBA, see note 55; in Consent Orders under COPPA, see note 56; and in Consent Orders under FTC Act § 5, see notes 11, 12, & 14.
135 See note 1. See also, e.g., Gerard M. Stegmaier & Wendell Bartnick, Psychics, Russian Roulette, and Data Security: The FTC’s Hidden Data-Security Requirements, 20 GEO. MASON L. REV. 673, 674 (2013).
136 Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 COLUM. L. REV. 583 (2014).