Wednesday, January 27, 2010

Analysis of Court Ruling Overturning FTC Red Flag Rules for Law Firms

Hinshaw & Culbertson has posted an excellent analysis of the court ruling that barred the FTC Red Flag rules from extending to law firms (American Bar Association v. Federal Trade Commission, __ F.Supp.2d __, 2009 WL 4289505 (D.D.C. 2009)).

The ruling rests on the principle that explicit Congressional intent is required before a federal agency has the power to regulate lawyers in the context of their relationship with clients. Excerpts from the complete article:
  • The court found that nothing in the legislative history or the administrative record, which never considered the subject of regulating lawyers, indicated that the FACT Act or the Red Flags Rule applied to the legal profession. The court held that Congress unambiguously did not intend the FACT Act to apply to attorneys.
  • The court also noted that, even if Congress’ intent was ambiguous, the FTC’s construction of the FACT Act was unreasonable, completely arbitrary, post-hoc without any inquiry or fact-finding, and thus impermissible and entitled to no deference.

Tuesday, January 19, 2010

New Massachusetts Data Privacy/Confidentiality Rules Going into Effect Shortly

Massachusetts is in the news today for several reasons. One important issue relevant to law firms is the set of data privacy and confidentiality regulations going into effect March 1, 2010 (201 CMR 17.00). These rules explicitly apply to law firms with offices or clients in the commonwealth, which should take care to comply. The new regulations provide that organizations that “store” or otherwise have access to personal information about Massachusetts residents:
  • Must comply, even if they are located in other states (the rules affect firms with clients based in Massachusetts)
  • Must have a written information security policy (WISP), which includes training and retention/destruction practices
  • Must put in place protections and controls to ensure compliance. These should include confidentiality enforcement controls with monitoring/reporting capabilities.
  • Cannot communicate information in an unencrypted format (including email)
Relevant personal information includes names, social security numbers, driver’s license numbers / state ID numbers, and financial account numbers. Several articles and resources provide additional information. See also the text of the regulation and a concise FAQ.