Practical Application of Consumer Privacy Laws to Franchised Businesses*
This year brings the commencement, or an increase, of enforcement of three major privacy initiatives. First, on March 1, 2010, Massachusetts began enforcing its specific and, as many would claim, onerous privacy regulation. Although it is only a Massachusetts state regulation, the implementing law states that it reaches every business that possesses personal information about a Massachusetts resident. This jurisdictional claim has not been tested, but many businesses have chosen to comply if there is any chance that they may be subject to the law, rather than face the possibility of litigation as a consequence of failing to comply. The second privacy initiative set to be enforced is the FTC's Red Flags Rule. According to the FTC, the Red Flags Rule requires businesses that provide goods and services in exchange for deferred payment to adopt policies and procedures to detect, mitigate, and respond to instances of identity theft. Third, the credit card association standards, known as the Payment Card Industry Data Security Standard or PCI DSS, have existed for many years but received little enforcement; they are now expected to receive increased attention. One commentator suggested that "[a]ny business in any industry that accepts, stores, manages, processes or transmits payment card information will be subject to intense scrutiny."1 More notably, as of January 1, 2010, compliance with PCI DSS became a legal obligation in Nevada for those subject to it. This article considers those three developments and offers a summary of the current status of state data breach notification laws.2
*Our sincere appreciation to Sabrina Houlton of Wiggin and Dana for her invaluable assistance in the preparation of this paper.
1Gary Sturinsky, "2010 Compliance Challenges: Three More Areas That Matter," Corporate Compliance Insights, Mar. 4, 2010, available at http://www.corporatecomplianceinsights.com/2010/compliance-challenges-arra-pci-dss-fcpa.
2This article does not cover recent developments in HIPAA, such as the implementation of HITECH. It also does not address international data privacy issues.
3Pinero v. Jackson Hewitt Serv. Inc., 638 F.Supp. 2d 632 (E.D. La. 2009).
4Id. at 638.