February 8, 2013 Monika Jedrzejowska Associate Privacy and Data Security Practice Hunton &...
Embed Size (px)
Transcript of February 8, 2013 Monika Jedrzejowska Associate Privacy and Data Security Practice Hunton &...
- Slide 1
February 8, 2013 Monika Jedrzejowska Associate Privacy and Data Security Practice Hunton & Williams LLP (212) 309-1047 [email protected] www.huntonprivacyblog.com Overview of U.S. Privacy and Information Security Issues NCHER Winter Legal Meeting Slide 2 Roadmap Introduction Overview of U.S. Privacy and Data Security Requirements Federal State U.S. Enforcement Climate Federal State Federal Policy Landscape 2 Hunton & Williams LLP Slide 3 3 What is Privacy? Privacy is the appropriate use of information as defined by: Laws and regulations Consumer expectations Security is the protection of information Confidentiality of data Data integrity Availability of data Hunton & Williams LLP Slide 4 Four Privacy Risks Legal compliance Reputation Investment Reticence 4 Hunton & Williams LLP Slide 5 5 Overview of U.S. Privacy and Data Security Requirements Hunton & Williams LLP Slide 6 6 Patchwork of U.S. Privacy Laws U.S. has no overarching privacy scheme Sectoral approach More than ten federal privacy laws Hundreds of state laws Plus industry standards (such as PCI DSS) No uniform definition of personal information Hunton & Williams LLP Slide 7 7 Major U.S. Federal Privacy Laws Sectoral approach Laws include: GLB: Financial institutions HIPAA: Health care entities Fair Credit Reporting Act (FCRA)/Fair and Accurate Credit Transactions Act (FACTA): Consumer reporting agencies and others FTC Disposal Rule Red Flags Rule Childrens Online Privacy Protection Act (COPPA): Childrens data online Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): Commercial email Video Privacy Protection Act (VPPA): Video rental records Drivers Privacy Protection Act (DPPA): DMV records Telephone Consumer Protection Act: Telemarketing Privacy Act of 1974: Federal government Hunton & Williams LLP Slide 8 Gramm-Leach-Bliley Act (GLB) GLB includes an extremely broad definition of Financial Institution The term financial institution means any institution the business of which is engaging in financial activities as described in section 1843(k) of title 12 Originally enforced by the FTC and various financial services regulators, including: Office of the Comptroller of the Currency (OCC) Federal Reserve Board (the Board) Securities and Exchange Commission (SEC) Since 2011, Regulation P transferred authority over many financial institutions to the Consumer Financial Protection Bureau (CFPB) 8 Hunton & Williams LLP Slide 9 GLB Privacy Rule Notice Obligations Must provide customers with notice of privacy policies and practices at the outset of the relationship and annually thereafter Regulations call for reasonably understandable notice Notice must include: Categories of nonpublic personal information the institution collects Categories of information it discloses Affiliates and nonaffiliated third parties to whom such information is disclosed Description of customers right to prevent certain disclosures to nonaffiliated third parties Final Model Privacy Notice Form published in November 2009 Safe Harbor if form is used, but use of model form is not required Opt out and no opt out versions available 9 Hunton & Williams LLP Slide 10 GLB Privacy Rule Disclosures to Non- Affiliates and Affiliates NPI may not be disclosed to non-affiliates, unless: Customer has received an initial privacy notice Customer has opportunity to opt out Opt out must be clear and conspicuous Customer does not opt out But affiliate sharing is not restricted by GLB Note: Californias Financial Information Privacy Act Note: FACTA Affiliate Marketing Rule Broad exceptions permit nearly any legitimate business use: as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer with the consent or at the direction of the consumer Disclosure to CRAs is permitted as required by law 10 Hunton & Williams LLP Slide 11 Safeguards Rule Must develop policies and procedures to: Ensure the security and confidentiality of customer records and information Protect against any anticipated threats or hazards to the security or integrity of customer records and information Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer Must properly dispose of consumer report information 11 Hunton & Williams LLP Slide 12 GLB Interagency Guidelines and Guidance Interagency Guidelines Establishing Information Security Standards Requires a written security program overseen by Board of Directors (or their designee) Requires that financial institutions take appropriate steps to protect information provided to a Service Provider (broadly defined) Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice Applies to certain financial institutions Prescribes a risk-based response program to address incident of unauthorized access to customer information, including procedures for notifying federal regulators, law enforcement authorities and customers May preempt certain state information security breach notification laws 12 Hunton & Williams LLP Slide 13 Fair Credit Reporting Act Enacted in 1970 to promote accuracy, fairness and the privacy of personal information assembled by Consumer Reporting Agencies CRAs must follow reasonable procedures to protect the confidentiality, accuracy and relevance of credit information FCRA requires that: Consumers be told by creditors why they have been turned down for credit and that the decision was based on a consumer report The CRA provides a free copy of the report to the consumer after an adverse action Consumers be allowed to dispute information in the report The credit bureau reinvestigates the dispute Data suppliers cooperate with the reinvestigation and report accurately thereafter, and the CRA corrects the report after such reinvestigation The user of a consumer report must have a permissible purpose for obtaining the report 13 Hunton & Williams LLP Slide 14 FACTA, Red Flags Rule and Affiliate Marketing Fair and Accurate Credit Transactions Act (FACTA) was enacted in 2003 to amend the FCRA and two key rules resulted: Red Flags Rule: Requires financial institutions and creditors to develop and implement an Identity Theft Prevention Program that identifies, detects and responds to Red Flags signaling fraud by identity theft Requires users of consumer reports to develop procedures for responding to notices of address discrepancy; imposes duties on credit card issuers regarding change of address notifications Affiliate Marketing Rule: Requires to provide notice to individuals that their information will be shared with affiliates for marketing purposes, and that they may elect to limit the use of their eligibility information to make solicitations Opt out must be effective for five years, unless revoked by customer, with renewal requirements at end of five years 14 Hunton & Williams LLP Slide 15 15 State Privacy Laws Examples: Website privacy notices (CA, NE, PA) Marketing restrictions (e.g., telemarketing) Restrictions on sharing information with third parties for marketing purposes (CA) SSN use restrictions Child protection registry laws (MI, UT) Radio frequency identification (RFID) Anti-spyware Credit reports Hunton & Williams LLP Slide 16 16 State Information Security Laws Several states have laws mandating security measures to protect PI Example: Californias AB 1950 requires reasonable security procedures and contracts with service providers Massachusetts requires businesses to develop, implement and maintain a comprehensive WISP to protect personal information, including: Developing information security policies Requiring service providers by contract to implement security measures for personal information Implementing numerous computer system security requirements Nevada requires encryption of data in transit Hunton & Williams LLP Slide 17 17 Information Security Breach Notification Laws 90% of U.S. companies have experienced a hacking event in the last year The term security breach defines a broad range of activities 50 U.S. jurisdictions have security breach notification laws Californias SB 1386 started the trend There are also federal breach notification requirements pursuant to HIPAA and GLB Recent breaches have been game changers Companies notifying when not legally required to do so (Epsilon) Huge volumes of affected individuals (Sony) Security companies targeted (RSA) Hunton & Williams LLP Slide 18 18 Breach Laws: Requirements Generally, duty to notify arises as a result of unauthorized access or acquisition of unencrypted computerized personal information Personal information typically is name combined with: SSN drivers license or state ID card number account, credit or debit card number, along with password or access code But state laws differ: Definition of PI Computerized v. paper data Notification to state agencies Notification to CRAs Timing of individual notification Harm threshold Contents of notification letter Hunton & Williams LLP Slide 19 U.S. Enforcement Climate 19 Slide 20 20 Federal Privacy Enforcement FTC Act provides the principal enforcement tool for privacy issues Section 5 of the FTC Act: Prohibits unfair or deceptive acts or practices in or affecting commerce FTC privacy enforcement actions typically result from (1) security breaches, (2) deceptive statements in privacy policies, and (3) lack of conspicuous notice Google Buzz settlement changed the landscape Director of Consumer Protection Bureau kept his promise to bring more pure privacy actions HHS is now also proactive Slide 21 21 State Privacy Enforcement and Class Actions State AGs are now proactive Regularly make inquiries and bring enforcement actions Class actions filed with increasing regularity Common after data breaches, particularly (but