Privacy Report, May 2007

Super Models

Client Alert

Eight—count ’em—federal agencies have joined forces to simplify the privacy notices that financial institutions must send to individual customers under the Gramm-Leach-Bliley Act (“GLBA”). Apart from designing a new “model form” privacy notice as mandated by the regulatory relief legislation enacted last fall, the interagency proposal would establish a safe harbor for those institutions that use the prescribed language and format of the model form. This, friends, is a single-sided, 8.5 by 11-inch single sheet disclosure.

The agencies proposed to “sunset” the existing safe harbor provisions in the privacy regulations that allow financial institutions to use “Sample Clauses” in their own privacy notices, so long as those clauses accurately describe their privacy policies and practices. Thus, even though the regulatory relief legislation expressly allows financial institutions the “option” of using the model form, the agencies are steering institutions toward the regimented model form, even at the risk of forsaking their own privacy notices that accurately describe their own privacy policies.

The interagency proposal is available here.

For more information, contact Rick Fischer at

Once More unto the Breach

The Gopher State has told merchants it’s time to settle up and pay the bill. On May 16, the Minnesota Legislature became the first state to pass legislation that would make retailers and other merchants liable to banks for costs associated with data breaches, such as consumer notification and card replacement. The mass data compromise of over 46 million credit and debit cards used at TJX Companies stores has prompted at least six states to join the conga line: California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas.

The Minnesota bill (H.F. 1758) is notable, and not just because it came first. It passed the Senate by a lopsided 63-1 vote and passed the House on a 104-27 vote.

The measure is sweeping. It would prohibit merchants from retaining Track II data (information drawn from the magnetic strip of a credit card) and the personal identification number (PIN) or access code after completion of a credit card transaction. For debit card transactions, merchants would be prohibited from storing such information for longer than 48 hours after completion of a transaction. If the merchant violated this anti-storage prohibition, a bank would have standing to sue the merchant to recover “the cost of reasonable actions undertaken” to respond to the breach, including the costs of cancelling and reissuing credit cards, closing and/or reopening accounts, stop-payment actions, unauthorized transaction reimbursements, and the providing of breach notification to account holders.

Bills pending in Connecticut (S.B. 1089) and Illinois (S.B. 1675) are similar to Minnesota’s. In California, A.B. 779 is proceeding, except it is not limited to merchants. It would make all businesses and government agencies that process credit or debit card transactions liable to others, including banks, that are required to give notice to individuals of a data breach incident. On May 10, the Texas House unanimously passed a bill (H.B. 3222) that would amend its data breach notification law to allow banks to recover breach costs from merchants. Unlike the other states, Texas would codify the industry-imposed Payment Card Industry Data Security Standard and provide safe harbor from the proposed law for merchants in compliance with those industry standards. Massachusetts—the home of TJX—started the ball rolling with the first retailer-liability bill (H. 213), but its fate is uncertain.  

For more information, contact Miriam Wugmeister at mwugmeister

MoFo’s On-Line Privacy Library

Bookmark your “favorites.” Morrison & Foerster is pleased to announce the launch of its Privacy Library. This free resource, available at, provides links to privacy laws, regulations, reports, multilateral agreements, and government authorities more than 90 countries around the world, including the United States.

This Privacy Library is the most comprehensive collection of privacy laws and regulations ever assembled, the result of years of research and experience working with clients around the world.  This website provides companies with an essential
tool to help them navigate the privacy labyrinth.

For more information, contact Miriam Wugmeister at

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.