Security & Surveillance

Data Breach Notification and Cybersecurity Standards in the U.S. and E.U.

Jonathan P. Armstrong, Eversheds LLP, Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP, Washington D.C.

Reprinted from the December 2005 issue of BNA International’s World Internet Law Report

By Jonathan P. Armstrong, an Associate in the Leeds office of Eversheds LLP and Bruce A. Heiman, a Partner with Preston Gates Ellis & Rouvelas Meeds LLP, Washington D.C. The authors may be contacted at tel. (+44) (0)113 200 4658, jonathanarmstrong@eversheds.com; and tel. (+1) 202 662 8435, bruceh@prestongates.com, respectively.

The issues surrounding security breach have been prominent in both the United States and the European Union during the latter half of 2005 and already there are signs that 2006 may become “the year of the security breach”. There is a contrasting approach to regulation in this area on each side of the Atlantic. In the United States, a significant number of states have enacted, or are proposing, legislation mandating the reporting of security breaches following the model of legislation first enacted in California. There also are a number of pending federal bills. A survey by Eversheds LLP this year of more than 25 European jurisdictions revealed that in Europe there are as yet no direct equivalents of the Californian legislation either at an E.U. level or a domestic level. This article shows the current position in the United States and the contrasting approach in Europe.

Legal Requirements in the United States

California’s Breach Notification Law: S.B. 1386

In April 2002, a California state government data centre processing payroll information suffered a security breach, resulting in the disclosure of confidential information including names, social security numbers, and payroll information of over 250,000 state employees.
Prompted by outrage over this incident, the California legislature quickly passed, and then Governor Davis signed, S.B. 1386.[1] The law was the first of its kind in the country, and took effect on July 1, 2003. The new law required anyone conducting business in California to promptly notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, disclosed to an unauthorised person as a result of a breach of their computer system.

The law covers all sizes and types of businesses with no exemptions for small businesses or non-profit organisations. Moreover, the law covers all companies “conducting business in California”, not just California corporations or other entities registered with the state. It is possible that activity as minimal as having a few employees in the state could subject a company to its requirements. In addition, on its face the law applies to a company doing business in California even if the personal information is stored on data servers in other states.

The law applies to those who “own or license” electronic personal information, defined as an individual’s first name, or first initial and last name, in combination with one or more of the following:
■ social security number;
■ drivers licence number or California Identification Card number; or
■ account number, credit card or debit card number in combination with any password that would permit access to an individual’s financial account.

Notification must occur quickly using one of a variety of specified means. The content of the notice is not specified. Injured customers may bring a civil suit for damages and a business may be enjoined. Some key points about S.B. 1386 are set out below.

What Triggers the Notice Requirement?

Notice is required whenever there is a cybersecurity breach and the knowledge or reasonable belief that unencrypted personal information was in fact disclosed to an unauthorised person.
If a system is breached, but the person or business is confident that no information was disclosed, then no notification is necessary. Also, the bill specifically states that: “Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure”.

When Must Notification be Made?

After learning of an incident (“following discovery or notification”), notification is supposed to occur as quickly as possible consistent with determining the scope of the breach, stopping further disclosures, and cooperating with any law enforcement agency investigation.

How Must Notification be Provided?

The statute states that notice may be provided either by written notice or by electronic notice, if the electronic notice is consistent with the federal Electronic Signatures in Global and National Commerce Act of 2000 (known as “E-SIGN”). Alternatively, the business may opt to provide “substitute notice” if it can show that the cost of providing notice in one of these two manners would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that insufficient contact information is available. Substitute notice requires that the business notify its customers by doing all of the following:
■ e-mailing notice when it has an e-mail address for affected persons;
■ conspicuously posting the notice on its website (if it maintains one); and
■ notifying major statewide media.

What Must the Notice Say?

On this key point the law is silent.[2] It would appear that the notice must at least state that computerised unencrypted personal information of the individual was, or is reasonably believed to have been, acquired by an unauthorised person.
In addition, since the purpose of the law is to put people on notice and allow them to take protective actions if they believe it necessary to do so, it would also seem that the notice should state what personal information was or may have been disclosed.

Exceptions

There are three notable exceptions to the statute’s demands. First, the law only applies to breaches involving “unencrypted personal information” – specifically, where neither the individual’s name nor a data element is encrypted.[3] Second, the statute specifically provides that businesses that maintain notification procedures as part of their own information security policies may follow those procedures if they are consistent with the timing requirements of the new law. Third, service providers who maintain another company’s data and suffer a breach are only required to notify that company (which in turn notifies its customers).

California’s Data Security Law

The California law required companies to promptly notify residents of security breaches, but was silent about the duties of companies (or state agencies) to protect the information in the first place. The omission did not go unnoticed for long. In 2004, the California legislature passed a new law to impose a requirement for the protection of computerised personal information. This law was the first in the United States to establish an explicit, general, cybersecurity requirement. California Law A.B. 1950[4] went into effect on January 1, 2005 and requires businesses that own or license personal information about California residents to: “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure” [emphasis added].
It also states that a business that discloses personal information about a California resident pursuant to a contract with a non-affiliated third party must require by contract that the third party implement and maintain reasonable security procedures and practices. The statute explains that “it is the intent of the Legislature to ensure that personal information about California residents is protected” and to “encourage” (although the statute is mandatory) businesses to provide “reasonable security” for personal information (although the statute does not define reasonable security).[5] Violation of A.B. 1950 is also subject to a civil suit for damages as well as an injunction.[6]

The law retains the broad definition of “personal information” found in the breach notification law, with the addition of medical information. The statute also defines the phrase “owns or licenses” broadly as: “intended to include, but is not limited to, personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates”.

The law is intended as a minimum, broadly applicable, baseline standard for the treatment of personal information by entities which are not covered by specific privacy statutes. A.B. 1950 specifically does not apply to any business that is regulated by a state or federal law providing greater protection to personal information than that provided by this law (e.g., medical and financial entities under HIPAA and GLBA).

Other States React to a Flood of Breach Notifications

Although the California Breach Notification law became effective on July 1, 2003 there was scant press attention paid to any notifications of cybersecurity breaches which may have occurred during the next 18 months.
That changed suddenly in February 2005 when ChoicePoint, a corporation that collects and compiles personal and financial information on millions of consumers, disclosed that it had been the victim of a security breach in which it sold the personal information of almost 145,000 people to a criminal enterprise intent on ID theft. The company first disclosed the breach only to California residents – approximately eight months after the breach had occurred! It subsequently disclosed that residents of other states may also have been affected by the breach of security.

Since that time, each week seems to reveal yet another breach. Organisations have even begun compiling lists. According to one such list, in 2005, personal information on over 50 million Americans had been disclosed.[7] Those affected included leading American companies such as Bank of America, Lexis Nexis, Motorola, as well as public institutions including universities, departments of motor vehicles, and departments of health services. The type of breaches varied. In some cases computers were stolen, in others back-up tapes were lost. There were also dishonest insiders, stolen passwords or outsiders successfully hacking into systems. One incident alone potentially compromised 40 million credit card accounts as a result of hackers attacking payments processor CardSystems Solutions Inc.

As a result of these breach notifications, the National Conference of State Legislatures reported that in the first six months of 2005, legislation involving breach notification and computer security was considered in at least 32 states. By the end of November, laws had been enacted in 22 states! In general, they all include breach notification requirements and procedures that are similar to the California law. However, each state law has its own particular requirements and specifications leading to potential compliance burdens.
In addition, Arkansas, Rhode Island and Texas also affirmatively require reasonable security procedures and practices.[8]

Federal Legislation

State legislatures are not the only ones to become active in response to proliferating reports of security breaches. Consumers (voters) are also clamouring for the Federal Government to “do something!” American industry is also supportive of federal legislation under certain conditions. The growing number of state laws, each with their idiosyncrasies and possibly conflicting requirements, has led many businesses to be receptive to the idea of a single national standard.

The result is that mid-way through the 109th Congress, three Senate and three House committees have each been working on solutions to the perceived problems. In part, each committee’s response is guided by that committee’s particular jurisdiction. The commerce committees would increase the authority of the Federal Trade Commission. The judiciary committees emphasise enforcement and enhanced penalties. Banking/financial services committees focus on credit reports (a subject beyond the scope of this article). Nevertheless, there are a number of key issues that repeatedly surface in the commerce and judiciary committee bills including:
■ Federal pre-emption. Companies operate nationally and argue forcibly that they need to be able to operate pursuant to a single set of rules. From their perspective, federal legislation which simply sets a “floor” rather than a “ceiling” does not solve the problem.
■ No private right of action. Companies are adamant that federal legislation should not be the basis for an individual or class action lawsuit. Instead, the U.S. Attorney General, the Federal Trade Commission, and perhaps State Attorneys General should have exclusive authority to enforce the federal statute.
■ Notification only in cases where the disclosure of unencrypted personal information could result in a “significant risk” of harm from identity theft or financial fraud. Businesses worry about compliance costs and negative publicity. But consumers are also concerned that “over-notification” could lead individuals to ignore notices (as many say is true for privacy notices required to be sent out under GLBA and HIPAA).
■ Responsibility for notification. Some argue that a company should be responsible for notifying its customers – even if the breach occurs at a third party service provider.
■ All efficient methods of notification should be permitted – companies seek flexibility to mail, telephone, e-mail, post notification online or utilise any other major media.
■ Workable requirements. Companies believe they should be allowed a reasonable period of time to investigate and take corrective action before notification. Companies are concerned about impractical dictates and also seek a safe harbour for their own breach notification provisions adopted pursuant to an information security policy. This would be consistent with the California law.

A major issue receiving lots of attention is what, if any, substantive cybersecurity requirements should be imposed by any federal legislation. There are already specific requirements for particular sectors. GLBA and HIPAA require an information security programme for financial and health information that includes administrative, technical and physical safeguards that:
■ are appropriate to the size and nature of the company, the activities and sensitivity of the information; and
■ protect against anticipated threats and hazards, unauthorised access, use or disclosure.

As discussed above, California law AB 1950 was the first generalised cybersecurity statute and required companies to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information…”.[9] But some in industry argue that any general federal legislation should impose an even more flexible cybersecurity requirement. Many companies believe they should only be required to implement and maintain security procedures and practices of their choosing and limit the government to enforcing those commitments a company does make. Another possibility would be to require businesses to take protective measures that follow recognised “best practices” in industry.

At a minimum, industry is in widespread agreement that legislation should not dictate particular cybersecurity measures. Neither Congress nor the FTC have the expertise to dictate specific technology requirements or specify particular hardware or software.

The U.S. Senate Commerce Committee acted first this year, adopting breach notification legislation as part of the “Identity Theft Protection Act” (S.1408) in July. The bill requires companies to notify individuals of breaches of security affecting sensitive personal information (kept on and off-line) if after investigation there is a “reasonable risk of identity theft”. The bill pre-empts state law, does not create a private right of action, and gives primacy to federal enforcement. However, there are no exceptions for third party providers or safe harbours for those who have their own procedures. The methods and content of the notice are also left to the FTC rulemaking. Importantly, the bill also empowers the FTC to set substantive cybersecurity standards by:
■ requiring companies to have and use an information security programme including “administrative, technical and physical safeguards”;
■ deeming a company to be in full compliance with the statute if it complies with the FTC’s rules on Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records;
■ requiring the FTC to establish regulations requiring procedures for authenticating credentials; and
■ requiring the FTC to establish with industry an Information Security Working Group to develop best practices and report to Congress.

The Senate Judiciary Committee acted next by favourably reporting two – in many respects conflicting – bills. First was a bill sponsored by Senator Jeff Sessions (S.1326) that required companies to notify individuals of breaches of security affecting sensitive personal information if there is a “significant risk of identity theft… ”. Like the Commerce Committee bill, this legislation also preempts state law, precludes a private right of action, and gives primacy to federal enforcement. Unlike the Commerce Committee bill, it also requires notification only by those who own or license data (not third party contractors) and provides a safe harbour for companies’ own breach notification procedures. Rather than empowering the FTC to set an affirmative cybersecurity obligation, the Sessions bill statutorily requires companies to: “implement and maintain reasonable security and notification procedures and practices appropriate to the size and nature of the [entity] and the nature of the information …”.

The Judiciary Committee then reported a broader and more complex bill dealing with ID theft sponsored by Chairman Specter and Ranking Member Leahy (S.1789).[10] This bill is tougher on business than either Senator Sessions’ or the Commerce Committee’s bill. This bill requires notification (by those who own or license data) whenever sensitive personally identifiable information (defined broadly and including even encrypted information) is subject to a security breach – there is no “significant risk” threshold. Preemption of state law is weaker, there is only partial preclusion of a private right of action, and no “safe harbour” for a company’s own breach identification procedures. There is primacy of federal enforcement.
The bill requires companies to implement comprehensive data security programmes that include: “administrative, technical and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities”. Businesses are required to comply with those safeguards as well as any others identified by the FTC in a rule making.

Most recently, in November the House Commerce Committee’s Consumer Protection Subcommittee approved an amended version of H.R. 4127, The Data Accountability and Trust Act (“DATA”), which had been introduced by the Committee leadership. The bill requires notification (by those who own or license data) where there is a “significant risk” of identity theft or fraud or other unlawful conduct. The use of robust encryption with appropriate key safeguards creates a rebuttable presumption that there is no reasonable basis to conclude that there is such a significant risk. The bill preempts state law and prohibits any private right of action, but there is no safe harbour for a company’s own notification provisions. The bill requires the FTC to promulgate regulations to require companies engaged in interstate commerce that own or possess data in electronic form containing personal information to: “establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information …”. The FTC’s requirements are to be consistent with the size, nature, scope, complexity of activities; the “current state of the art in administrative, technical, and physical safeguards for protecting such information;” and the costs of implementing such safeguards. Note, however, that as reported the bill also specifically prohibits the FTC from imposing particular technology mandates.

It remains to be seen whether, and in what form, federal breach notification and cybersecurity legislation will emerge from Congress.
On the one hand, the multiple committees involved can seriously complicate prospects for settling on a single final bill. The second Session of Congress is also always shorter and it becomes easier to delay and stop legislation. On the other hand, “running out the clock” may not be a viable strategy in this area. After all, 2006 is an election year and as Members of Congress get closer to the time when they have to face their constituents for re-election, will they really want to tell the voters that they did not pass legislation to address their concerns about identity theft and financial loss?

Legal Requirements in Europe

As already stated at the start of this article, a survey by Eversheds LLP has revealed that as yet, there are no direct equivalents of the Californian legislation either at E.U. level or a domestic level. Whilst a number of countries have been looking at the increasing number of security breaches, in the main the response has been to use existing privacy legislation to take action.

The Legislative Background in Europe

Currently around 33 different European jurisdictions (including the 25 within the European Union) have some form of privacy or data protection law in place. Broadly speaking, these laws protect the personal data (i.e., any data from which a living individual can be identified, whether from the data itself, or from the data and other information in the possession of the person handling the data) of data subjects. Data subjects are similarly broadly defined – whilst data subjects in most countries are living individuals this is not always the case.
The starting point in looking at a security breach which touches on Europe should be the data protection legislation in the country concerned – in the United Kingdom for example, the Data Protection Act 1998 includes the seventh data protection principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The definition of the word “processing” is a wide one and it will include obtaining, recording, destroying, altering or holding the data. Section 4 of the U.K. Act makes it a duty of a data controller to comply with the data protection principles in relation to all personal data which he controls.

There are obvious similarities with the equivalent legislation in other European countries, for example Article 14, para 1 of the Austrian legislation: “Measures to ensure data security shall be taken by all organisational units of a controller [Auftraggeber] or processor [Dienstleister] that use data. Depending on the kind of data used as well as the extent and purpose of the use and considering the state of technical possibilities and economic justifiability it shall be ensured that the data are protected against accidental or intentional destruction or loss, that they are properly used and are not accessible to unauthorised persons”.

Some countries in Europe have additional domestic provisions dealing with security.
There are some parallels here with the security obligation imposed in California – in Italy for example, under sections 31 and 32 of the Italian Privacy Code the obligation is that: “personal data shall be processed and controlled, taking into account its nature, the specific features of the processing as well as the technological innovations in security measures and devices in such a way as to minimise the risk of destruction or loss of data, whether by accident or not, as well as of any unauthorized access to the data or processing operations that are either unlawful or inconsistent with the purposes for which the data have been collected. Where there is a particular risk of a breach of network security, the provider of a publicly available communications service must inform subscribers and, if possible, users concerning that risk and, when the risk lies outside the scope of the measures to be taken by the provider the provider must give details of possible additional measures including an indication of the likely costs involved”. This information must also be provided to the Italian Privacy Authority and the Italian Authority for Communications Safeguards.

The other main way in which privacy law could come into play might be after intervention by a data subject. The data subject (perhaps suspecting a breach) could make a subject access request which might of itself force disclosure of a security breach – for example, a data controller is mandated in most jurisdictions to disclose who has seen the data. It is important to remember that these requests must ordinarily be answered within a short space of time prescribed by law. This is especially relevant given that some of the U.S. disclosures we have seen so far have been months after the suspected breach. In many cases it would be open to pressure groups or business competitors to use the subject access request mechanism to force disclosure of a suspected security breach.
As well as in-country data protection legislation, as in the United States, there may also be additional regulation for certain types of activity which will be relevant to a business’s information security policy. There are no Europe-wide direct equivalents of HIPAA or GLB but as an example in the United Kingdom, the Financial Services Authority (FSA) has said that it intends to keep a close eye on the security practices of e-banking sites and it will call the operators to account for any breaches. U.K. websites that collect credit card payments online will also have to meet the Payment Card Industry Data Security Standard which imposes the requirement of a 12-step security audit every three months.

Other criminal legislation could also have a role to play. Many countries in Europe criminalise hacking and any resultant criminal prosecution might also lead to significant publicity for the original attack. In many cases whilst there may not be a black-letter obligation to inform data subjects of a security breach the involvement of regulatory authorities is likely to lead to a “voluntary” disclosure being encouraged.

Prior Registration

Most jurisdictions in Europe operate a prior registration scheme (also called notification) for the processing of personal data. In some jurisdictions (like Austria and Hungary) the registration number the data controller then obtains must be given to data subjects before data on them can be obtained. In many countries it is a criminal offence not to register. Registration authorities are also increasingly using the registration mechanism to enforce information security standards. It is common for applicants to be required to specify the precautions they will take against disclosures of personal data as part of the registration process. It seems likely that a security breach in violation of the information security policy notified to the registration authority could also prove actionable.
Possibility of Civil Actions

As in California the general scheme is to allow individuals to commence civil actions for losses sustained as the result of a security breach in addition to any action the regulatory authorities might take. Section 13 of the UK Data Protection Act 1998, for example, creates a specific right of remedy: “(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes. [defined elsewhere in the Act as the processing of data for journalistic, artistic or literary purposes]”.

In addition, in many cases a contractual relationship will also exist between the parties which might also give rise to an action – for example, under a written privacy policy on a website or under an employment contract. Civil actions across Europe are not common at present but at least one class action seems planned.

Manually Held Data

It is important to remember that, unlike the current California legislation, most of Europe applies data protection law equally to electronically and manually held data. Those regulatory authorities (like Ireland) who insist on seeing a company’s information security policy before sanctioning the holding of personal data will therefore extend their enquiry to manual records including details of who holds the keys to locked cabinets. Even here however there are differences from country to country.
In Spain for example, manually held data will in general not fall within the scope of the main Data Protection legislation (Organic Act 15/1999 on Data Protection) until October 2007. In the meantime however, a separate Royal Decree (Royal Decree 994/1999, of June 11, on Security Measures) establishes mandatory security measures that must be taken by data controllers electronically processing data and the Spanish authorities have said that they take the view that manually held data is covered by this secondary legislation.

Conclusion

As more U.S. States adopt their own legislation, as Federal legislation in the United States comes into consideration and as more breaches inevitably happen, we can expect focus on this area for some time to come. Whilst the two regimes show markedly differing approaches we can expect similar results. Businesses will however need to think carefully when faced with a breach of computer security and they will need to do this quickly as the time limits under European legislation for dealing with subject access requests and under some U.S. legislation for making the report of a breach can be tight.

Other contributors to this article include Donald A. Cohn at EI DuPont de Nemours and Paul Stimers of Preston Gates, together with the following at Eversheds International: Alvise Donà Dalle Rose (Italy); Florencia Grinberg (Spain); Bernadett Lastofka (Hungary); Arwid Mednis (Poland); Georg Röhsner (Austria); Kristine Karsten (France) & Christof Lamberts (Germany).

Notes

[1] Senate Bill No. 1386 adds and amends California Civil Code Sections 1798.29, 1798.82 and 1798.84.
[2] The California Office of Privacy Protection subsequently issued “recommended practices” (admitting the statute was silent) specifying what information should be included and providing sample notice letters.
[3] The statute does not define what is meant by “unencrypted”. But the California Office of Privacy Protection called for use of the Advanced Encryption Standard adopted by the U.S. National Institute of Standards and Technology.
[4] Assembly Bill No. 1950 adds and amends California Civil Code section 1798.81.5.
[5] Generally security procedures and practices fall into three categories of administrative, technical and physical measures. The California Senate Judiciary Committee staff report cites the bill’s author’s office that the “bill specifically seeks to avoid the specific mandates and requirements that industry has consistently opposed in other bills. Instead, the bill seeks to establish a minimum baseline standard that draws upon the reasonableness standard well established in existing law…this standard is fact-specific…[and] reflects the author’s goal of letting industry exercise its own judgment as to what constitutes an appropriate level of security”.
[6] CA Civ Code Sec. 1798.84. The California Senate Judiciary Committee staff also tried to address concerns about the new cause of action by explaining that it “does not create a cause of action for each and every unauthorized disclosure or access incident. Rather, it requires that businesses implement and maintain reasonable security procedures. If reasonable procedures are maintained, a business would not be liable under the bill even if there were an unauthorized disclosure. For example, if a hacker broke through a well-designed computer security system to obtain personal information that would not mean that the system was ‘unreasonable’. While the fact that information was disclosed would be relevant evidence, it would not in and of itself trigger liability under the bill”.
[7] www.privacyrights.org/ar/ChronDataBreaches.htm
[8] Although beyond the scope of this article, some of these laws also address “security freezes” on credit reports, requirements for data disposal, and limitations on the use of social security numbers.
[9] Federal law also requires government agencies to develop information security programmes depending on the sensitivity of the information and the risk involved.
[10] The bill covers a number of additional subjects: increasing penalties for identity theft and other violations of data privacy and securities; state and local law enforcement assistance; government access to and use of commercial data. The bill also requires data brokers to disclose the information they maintain and create an accuracy resolution process.