E-Commerce Law Week, Issue 343

March 12, 2005

FTC Settles with Mortgage Firm on GLBA Security Violations
New revelations about data security breaches are coming to light almost daily. So the fact that the Federal Trade Commission (FTC) on March 4 reached a consent agreement with a mortgage company for violations in 2004 of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule seems so, well … last year. But the case is remarkable for being only the second of the FTC's enforcement actions under the Safeguards Rule -- a rule that, in light of the recent flurry of security breaches at the center of the nation's attention, could provide a basis for an increasing number of enforcement actions against financial institutions.

New Data Security Scandals Heighten Pressure On Lawmakers To Act
Two more announcements of security breaches rocked the data collection industry this month. On March 8, DSW Shoe Warehouse (owned by Retail Ventures, Inc.) announced that credit card information from customers of more than 100 of its stores had been stolen from the company’s computer database over the past three months. And on the following day, LexisNexis announced that computer hackers had accessed data on 32,000 consumers -- including names, addresses, social security numbers, and drivers’ license numbers.

These latest shocks to the information industry contribute to the momentum for new federal legislation regulating data collection and storage procedures, which is beginning to appear all but inevitable. At a March 10 Senate Banking Committee hearing on identity theft and the recent security breaches, Sen. Charles Schumer (D-NY) announced that he planned to introduce comprehensive identity theft legislation that would create a new Federal Trade Commission office to handle identity theft. Additionally, the House Commerce, Trade and Consumer Protection Subcommittee of the House Energy and Commerce Committee announced its March 15 hearing on protecting consumer data.

Can Privacy Be Bad for the Good Guys? -- Data Protection and European Banks
Banks in certain EU Member States have been reluctant to report fraudulent merchants to a widely accessible database because of concerns about breaching national data protection laws. But on March 2, the European Commission announced that the Article 29 Working Party had agreed to "Guidelines for Terminated Merchant Databases." The Guidelines set out the conditions under which payment systems, banks, and other financial institutions may operate cross-border databases on merchants whose contracts to accept payment cards have been terminated. The product of a two-year negotiation process between industry and the Working Party, the Guidelines attempt to clarify how data protection principles apply to industry’s fraud prevention efforts. The Guidelines will be implemented during 2005, and implementation will be reviewed by the Article 29 Working Party in early 2006.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
