U.S. Privacy and Information Security Issues

advertisement
Overview of U.S. Privacy and
Information Security Issues
NCHER Winter Legal Meeting
February 8, 2013
Monika Jedrzejowska
Associate
Privacy and Data Security Practice
Hunton & Williams LLP
(212) 309-1047
mjed@hunton.com
www.huntonprivacyblog.com
Roadmap
• Introduction
• Overview of U.S. Privacy and Data Security
Requirements
– Federal
– State
• U.S. Enforcement Climate
– Federal
– State
• Federal Policy Landscape
© Hunton & Williams LLP
2
What is Privacy?
• Privacy is the appropriate use of information as
defined by:
– Laws and regulations
– Consumer expectations
• Security is the protection of information
– Confidentiality of data
– Data integrity
– Availability of data
© Hunton & Williams LLP
3
Four Privacy Risks
•
•
•
•
Legal compliance
Reputation
Investment
Reticence
© Hunton & Williams LLP
4
Overview of U.S. Privacy
and Data Security
Requirements
© Hunton & Williams LLP
5
Patchwork of U.S. Privacy Laws
• U.S. has no overarching privacy scheme
– Sectoral approach
• More than ten federal privacy laws
• Hundreds of state laws
• Plus industry standards (such as PCI DSS)
• No uniform definition of “personal information”
© Hunton & Williams LLP
6
Major U.S. Federal Privacy Laws
•
•
Sectoral approach
Laws include:
– GLB: Financial institutions
– HIPAA: Health care entities
– Fair Credit Reporting Act (“FCRA”)/Fair and Accurate Credit
Transactions Act (“FACTA”): Consumer reporting agencies and others
• FTC Disposal Rule
• Red Flags Rule
– Children’s Online Privacy Protection Act (“COPPA”): Children’s data
online
– Controlling the Assault of Non-Solicited Pornography and
Marketing Act (“CAN-SPAM”): Commercial email
– Video Privacy Protection Act (“VPPA”): Video rental records
– Driver’s Privacy Protection Act (“DPPA”): DMV records
– Telephone Consumer Protection Act: Telemarketing
– Privacy Act of 1974: Federal government
© Hunton & Williams LLP
7
Gramm-Leach-Bliley Act (“GLB”)
• GLB includes an extremely broad definition of “Financial
Institution”
– The term “financial institution” means any institution the business
of which is engaging in financial activities as described in section
1843(k) of title 12
• Originally enforced by the FTC and various financial
services regulators, including:
– Office of the Comptroller of the Currency (“OCC”)
– Federal Reserve Board (the “Board”)
– Securities and Exchange Commission (“SEC”)
• Since 2011, Regulation P transferred authority over many
financial institutions to the Consumer Financial Protection
Bureau (“CFPB”)
© Hunton & Williams LLP
8
GLB Privacy Rule Notice Obligations
• Must provide “customers” with notice of privacy policies and
practices at the outset of the relationship and annually thereafter
– Regulations call for “reasonably understandable” notice
• Notice must include:
– Categories of nonpublic personal information the institution
collects
– Categories of information it discloses
– Affiliates and nonaffiliated third parties to whom such information
is disclosed
– Description of customer’s right to prevent certain disclosures to
nonaffiliated third parties
• Final Model Privacy Notice Form – published in November 2009
– Safe Harbor if form is used, but use of model form is not required
– “Opt out” and “no opt out” versions available
© Hunton & Williams LLP
9
GLB Privacy Rule  Disclosures to NonAffiliates and Affiliates
•
•
•
NPI may not be disclosed to non-affiliates, unless:
– Customer has received an initial privacy notice
– Customer has opportunity to opt out
• Opt out must be “clear and conspicuous”
– Customer does not opt out
But affiliate sharing is not restricted by GLB
– Note: California’s Financial Information Privacy Act
– Note: FACTA Affiliate Marketing Rule
Broad exceptions permit nearly any legitimate business use:
– “as necessary to effect, administer, or enforce a transaction requested
or authorized by the consumer”
– “with the consent or at the direction of the consumer”
– Disclosure to CRAs is permitted
– “as required by law”
© Hunton & Williams LLP
10
Safeguards Rule
• Must develop policies and procedures to:
– Ensure the security and confidentiality of customer
records and information
– Protect against any anticipated threats or hazards to
the security or integrity of customer records and
information
– Protect against unauthorized access to or use of
customer records or information that could result in
substantial harm or inconvenience to any customer
• Must properly dispose of consumer report information
© Hunton & Williams LLP
11
GLB Interagency Guidelines and Guidance
• Interagency Guidelines Establishing Information Security
Standards
– Requires a written security program overseen by Board of Directors (or
their designee)
– Requires that financial institutions take appropriate steps to protect
information provided to a Service Provider (broadly defined)
• Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice
– Applies to certain financial institutions
– Prescribes a risk-based response program to address incident of
unauthorized access to customer information, including procedures for
notifying federal regulators, law enforcement authorities and customers
– May preempt certain state information security breach notification laws
© Hunton & Williams LLP
12
Fair Credit Reporting Act
• Enacted in 1970 to promote accuracy, fairness and the privacy of
personal information assembled by Consumer Reporting Agencies
• CRAs must follow “reasonable procedures” to protect the
confidentiality, accuracy and relevance of credit information
• FCRA requires that:
– Consumers be told by creditors why they have been turned down for
credit and that the decision was based on a consumer report
– The CRA provides a free copy of the report to the consumer after an
adverse action
– Consumers be allowed to dispute information in the report
– The credit bureau reinvestigates the dispute
– Data suppliers cooperate with the reinvestigation and report accurately
thereafter, and the CRA corrects the report after such reinvestigation
• The “user” of a consumer report must have a permissible purpose
for obtaining the report
© Hunton & Williams LLP
13
FACTA, Red Flags Rule and Affiliate Marketing
•
•
•
Fair and Accurate Credit Transactions Act (“FACTA”) was enacted in 2003
to amend the FCRA and two key rules resulted:
Red Flags Rule:
– Requires financial institutions and creditors to develop and implement
an Identity Theft Prevention Program that identifies, detects and
responds to “Red Flags” signaling fraud by identity theft
– Requires users of consumer reports to develop procedures for
responding to notices of address discrepancy; imposes duties on credit
card issuers regarding change of address notifications
Affiliate Marketing Rule:
– Requires to provide notice to individuals that their information will be
shared with affiliates for marketing purposes, and that they may elect to
limit the use of their eligibility information to make solicitations
– Opt out must be effective for five years, unless revoked by customer,
with renewal requirements at end of five years
© Hunton & Williams LLP
14
State Privacy Laws
• Examples:
– Website privacy notices (CA, NE, PA)
– Marketing restrictions (e.g., telemarketing)
– Restrictions on sharing information with third parties
for marketing purposes (CA)
– SSN use restrictions
– Child protection registry laws (MI, UT)
– Radio frequency identification (RFID)
– Anti-spyware
– Credit reports
© Hunton & Williams LLP
15
State Information Security Laws
• Several states have laws mandating security measures to protect PI
– Example: California’s AB 1950 requires reasonable security
procedures and contracts with service providers
– Massachusetts requires businesses to develop, implement and
maintain a comprehensive WISP to protect personal information,
including:
• Developing information security policies
• Requiring service providers by contract to implement security
measures for personal information
• Implementing numerous computer system security requirements
– Nevada requires encryption of data in transit
© Hunton & Williams LLP
16
Information Security Breach
Notification Laws
• 90% of U.S. companies have experienced a hacking event in the
last year
• The term “security breach” defines a broad range of activities
• 50 U.S. jurisdictions have security breach notification laws
– California’s SB 1386 started the trend
– There are also federal breach notification requirements pursuant to
HIPAA and GLB
• Recent breaches have been game changers
– Companies notifying when not legally required to do so (Epsilon)
– Huge volumes of affected individuals (Sony)
– Security companies targeted (RSA)
© Hunton & Williams LLP
17
Breach Laws: Requirements
•
•
•
Generally, duty to notify arises as a result of unauthorized access or
acquisition of unencrypted computerized “personal information”
“Personal information” typically is name combined with:
– SSN
– driver’s license or state ID card number
– account, credit or debit card number, along with password or access
code
But state laws differ:
– Definition of PI
– Computerized v. paper
data
– Notification to state
agencies
– Notification to CRAs
– Timing of individual
notification
– Harm threshold
– Contents of notification
letter
© Hunton & Williams LLP
18
U.S. Enforcement Climate
19
Federal Privacy Enforcement
• FTC Act provides the principal enforcement tool for
privacy issues
• Section 5 of the FTC Act:
– Prohibits “unfair or deceptive acts or practices in or affecting
commerce”
– FTC privacy enforcement actions typically result from
(1) security breaches, (2) deceptive statements in privacy
policies, and (3) lack of conspicuous notice
– Google Buzz settlement changed the landscape
• Director of Consumer Protection Bureau kept his
promise to bring more “pure privacy” actions
• HHS is now also proactive
20
State Privacy Enforcement and Class Actions
• State AGs are now proactive
– Regularly make inquiries and bring enforcement
actions
• Class actions filed with increasing regularity
– Common after data breaches, particularly (but not
necessarily) when there is harm
– Recent privacy and information security class actions:
• Sony was sued for its PlayStation Network data
breaches
• Google was sued for Street View Wi-Fi data
collection
© Hunton & Williams LLP
21
Federal Policy Landscape
22
Federal Policy Landscape
• Existing privacy law framework in the U.S. is
under pressure
• Over a dozen significant privacy bills proposed in
2011-12, including:
– Data Breach Notification Act of 2011 (Sen. Dianne Feinstein)
– Personal Data Protection and Breach Accountability Act of 2011 (Sen. Richard
Blumenthal)
• Policy landscape
– FTC Report (March 2012)
– White House (February 2012)
– Commerce Green Paper (December 2010)
© Hunton & Williams LLP
23
Questions?
Monika Jedrzejowska
Associate
Privacy and Data Security Practice
Hunton & Williams LLP
(212) 309-1047
mjed@hunton.com
www.huntonprivacyblog.com
24
Download