Feds Fold
This is an election year, as if anyone needed reminding, so Congress was unable to pass much-needed national legislation governing
consumer notification about breaches of security involving the disclosure of customers’ personal information. Currently, two-thirds
of the states have breach-notification laws but they are a nightmare, making compliance next to impossible. Once the new Congress
convenes, the debate will reemerge over a wide range of proposals.
For more information, contact Oliver Ireland at oireland@mofo.com.
No Fear
The slogan says “No Fear.” Still, companies rightly worry that sending customers a notification that their personal data may
have been compromised is like hanging out a sign saying “Sue Me.” Dozens of class actions have been filed by consumers bringing
such lawsuits. But thankfully, fears of “Fear-of-ID-Theft” class actions may be unfounded.
Another one bit the dust this quarter, and for the same reason the others did. In Bell v. Acxiom, 2006 LEXIS 72477 (E.D. Ark., Oct. 3, 2006), the district court held that a class action alleging negligence and invasion
of privacy failed for want of an Article III “case or controversy.” Unable to allege that she had received a single marketing mailer
or had her identity stolen, the plaintiff was seeking protection from purely speculative harm. So, even if state law imposed a
duty to reasonably guard against a breach of security, said the court, no theory of damages would allow the plaintiff to proceed
in federal court.
For more information, contact James McGuire at jmcguire@mofo.com.
SWIFT Kicked
Do you make international wire transfers? Listen up. This could impact your EU subsidiaries or branch offices in Europe.
On November 22, European privacy regulators from the 25 EU Member States issued a ruling demanding that the Society for Worldwide
Interbank Financial Transactions (SWIFT) terminate immediately its agreement with the U.S. Treasury Department that enables
the U.S. government to access its database of international wire transfers. Why? That represents a serious breach of EU data
protection rules.
According to the opinion, “the hidden, systematic, massive and long-term transfer of personal data by SWIFT to the United
States Department of Treasury in a confidential, non-transparent and systematic manner for years without effective legal grounds
and without the possibility of independent control by public data protection supervisory authorities constitutes a violation
of the fundamental European principles as regards data protection and is not in accordance with Belgian and European law.”
It made clear that “the financial institutions in the EU as data controllers have the legal obligation to make sure that SWIFT
fully complies with the law, in particular data protection law, in order to ensure protection of their clients.”
What does this mean? Financial institutions in the EU will need to quickly update their customer notices and consents to ensure
that they fully disclose their sharing of data with regulators, including in the U.S., and in particular their activities related
to SWIFT. Financial institutions may also need to update the registrations filed with data protection authorities to reflect
these data flows.
For more information, contact Rick Fischer at rfischer@mofo.com.
Same Sheriff, New Badge
Data breach actions by regulators continue. On September 8, the FTC issued a final consent order against CardSystems and its
successor Solidus Networks, Inc., for violations of section 5 of the FTC Act. The Solidus order includes the whole falafel
(we’re tired of enchiladas): establishment of a comprehensive information security program; administrative, technical, and
physical safeguards to protect the security, confidentiality, and integrity of personal information collected from consumers;
and reviews of its data security program on a biennial basis by a third-party security expert. Twenty-year sentences are de
rigueur, and so too here.
Once More Onto The Breach
How should financial institutions prepare to respond to a breach of security? One resource is a paper recently published by
the American Bankers Association and BITS, the technology arm of the Financial Services Roundtable. The paper reviews differences
in state and federal laws governing data breach notifications and highlights elements of a response program, including considerations
for managing service provider relationships. You can download the paper at http://www.bitsinfo.org/downloads/Publications%20Page/BITSABADBNov06.pdf.
For more information, contact Tom Scanlon at tscanlon@mofo.com.