
PRIVACY POLICIES AND RELATED PRIVACY LAW Business Law & Corporate Counsel Section Program

Speaker:

Christopher J. Volkmer Volkmer Law Firm LLC

PO Box 551415 Dallas, Texas 75355

(214) 349-7589

Author:

Erin Fonte Cox Smith Matthews Incorporated 111 Congress Avenue, Suite 2800

Austin, Texas 78701-4084 (512) 703-6318

[email protected]

Friday, June 11, 2010 10:30 a.m. – 11:15 a.m.


Christopher J. Volkmer
Volkmer Law Firm LLC
Dallas, Texas

Christopher J. Volkmer practices business law with an emphasis in matters involving privacy and data security, and is the managing member of Volkmer Law Firm LLC. Chris handles transactions involving outsourcing of business functions, technology acquisition and licensing, e-commerce, marketing and distribution, as well as formation of, and general issues for, business organizations. Chris also addresses compliance with privacy laws and regulations, security breaches, and records management practices for businesses and financial institutions. He has worked at large and medium-sized firms in Dallas as well as in the legal department of a large public company. Volkmer Law Firm LLC was started in 2007 in order to provide quality legal services in a closer relationship with clients at a lower cost for the client. Chris is the chair of the Data Security and Privacy Committee for the Business Law Section of the State Bar of Texas, and is a member of the International Association of Privacy Professionals (IAPP). Chris is also a member of the Board of Editors for the Privacy and Data Security Law Journal, has written over twenty articles involving privacy and technology matters, and is a frequent speaker on privacy and data security matters. Chris graduated with distinction from St. Mary’s University School of Law in San Antonio, Texas in 1985, where he was on the board of editors of the St. Mary’s Law Journal. He obtained a bachelor of arts with honors in 1980 from the University of Dallas in Irving, Texas, where he is still involved as a guest lecturer and a sponsor of the business plan writing competition for the Center for Entrepreneurship in the School of Business. Chris is also a member of the board of directors for Senior Adult Services, a non-profit serving four suburban communities in the Dallas area that helps seniors live safely and healthily at home.


Erin F. Fonté
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800
Austin, Texas 78701-4084
phone: (512) 703-6318
[email protected]

Erin Fonté is with Cox Smith Matthews Incorporated (Austin office). Her practice includes banking and financial services, payment systems laws, e-commerce, technology/Internet products, privacy and data security/protection laws (including data security breach laws), and general corporate matters. She is licensed in both Texas and California and is a Certified Information Privacy Professional. Erin earned her B.A. (with honors, Phi Beta Kappa) in Philosophy and Government from U.T. Austin. She earned her J.D. from Stanford Law School (with distinction), serving as Notes Editor of the Stanford Law Review. Erin has authored articles relating to privacy and data security issues, including: financial privacy; EU privacy laws; RFID technology in retail settings; cloud computing; and FACTA ID Theft Red Flag requirements. She has also presented on topics such as banking/payment systems laws and regulatory requirements, prepaid and stored value cards, and federal and state privacy laws.


DATA SECURITY: WHAT YOU DON’T KNOW CAN HURT YOU

ERIN FONTÉ
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800
Austin, Texas 78701-4084
phone: (512) 703-6318
[email protected]

State Bar of Texas
SUING, DEFENDING, AND NEGOTIATING WITH FINANCIAL INSTITUTIONS
February 25-26, 2010
Dallas

CHAPTER 18


Data Security: What You Don’t Know Can Hurt You Chapter 18


TABLE OF CONTENTS

“MAGICAL MYSTERY (TOP 10) TOUR” – OVERVIEW
1. “SHE CAME IN THROUGH THE BATHROOM WINDOW” (DATA SECURITY REQUIREMENTS)
2. “FIXIN’ A HOLE” (DATA SECURITY BREACH RESPONSE)
3. “BEING FOR THE BENEFIT OF MR. KITE” (MARKETING)
4. “BACK IN THE USSR” (FINANCIAL DATA/PAYMENT SYSTEMS REQUIREMENTS)
5. “HERE, THERE AND EVERYWHERE” (VENDOR AGREEMENTS/ OUTSOURCING/ CLOUD COMPUTING)
6. “ACROSS THE UNIVERSE” (INTERNATIONAL PRIVACY REGULATION)
7. “DOCTOR ROBERT” (HIPAA ISSUES)
8. “YOU CAN’T DO THAT” (RESTRICTIONS ON USE OF CERTAIN INFORMATION)
9. “HELP!” (GOVERNMENTAL INVESTIGATIONS AND DISCOVERY REQUESTS)
10. “HELTER SKELTER” (GOVERNMENT ENFORCEMENT ACTIONS – STATE, FEDERAL AND INT’L)


Data Security: What You Don’t Know Can Hurt You
Erin Fonté

“Magical Mystery (Top 10) Tour” - Overview

“Privacy” = appropriate use of information under the circumstances
Privacy/data security issues: compliance with applicable laws (state, federal and international)
Privacy/data security questions can hinge on state, federal and international laws
How will we examine the “Top 10” Legal Topics? – “With A Little Help From My Friends”



1. “She Came In Through The Bathroom Window” (Data Security Requirements)

Legal obligations tied to type of info
  HIPAA (Health Insurance Portability and Accountability Act): protection of “protected health information” (PHI) by “covered entities” and “business associates”
  GLBA (Gramm-Leach-Bliley Act): protection of “non-public personal information” (NPPI) by “financial institutions”
  RFPA (Right to Financial Privacy Act): applies to federally insured financial institutions and finance companies
  ID Theft Red Flag Rules (portion of FCRA (Fair Credit Reporting Act)): apply to “creditors” with “consumer” accounts

1. “She Came In Through The Bathroom Window” (Data Security Requirements) (cont’d)

Data disposal/destruction requirements (end of data lifecycle)
  Federal requirements: FACTA (Fair and Accurate Credit Transactions Act) and the FTC Disposal Rule: disposing of/destroying credit report information
  27 states (including TX) require proper disposal of business records (electronic or otherwise) (Ethics Point: Attorneys keep business records)
  Documents must be destroyed or otherwise rendered unreadable, indecipherable or unable to be reconstructed
  TX AG has enforced aggressively
    Example: Texas v. Cornerstone Fitness: Cornerstone dumped a filing cabinet full of services contracts with PI fully intact
    $28K in fines: $8K to the state, $20K to a fund for identity theft victims
    Ongoing obligations: adopt multi-step info security program; secured records disposal program; workplace/employee training



1. “She Came In Through The Bathroom Window” (Data Security Requirements) (cont’d)

Data security requirements can also be self-imposed (customer-facing privacy policies, employee policies, internal policies, etc.)
  FTC will hold you to what you say you do, and will interpret if unclear
  FTC will examine a company’s stated privacy and security policies and practices to see (a) if the company meets its own stated policies and procedures, and (b) if such policies are “commercially reasonable”
  A company must have privacy/data security policies that are followed on a regular basis and in all transmission mediums (e.g. wireless – see BJ’s Wholesale Club FTC enforcement action)
  FTC’s new chairman, Jon Leibowitz: data security is one of the FTC’s top priorities

1. “She Came In Through The Bathroom Window” (Data Security Requirements) (cont’d)

Legal Trends and Standards Re: Data Security
  Version 1.0: Data Breach Notification Laws
    Operational and technology neutral
    Requires response to a data security breach incident
    Not preventative (applies after the incident occurs)
  Version 1.5: FTC and State AGs say “be reasonable”
    Proactive measures with minimal data security required, but still technology neutral
    FTC enforcement actions: employ “reasonable” security measures (many state AGs have adopted this test)
    Case law standards: still watching Hannaford Bros. case in MD (survived MTD on negligence claim) and separate action in ME; Heartland class actions in S.D. TX (FIs and consumers)



1. “She Came In Through The Bathroom Window” (Data Security Requirements) (cont’d)

Version 2.0: Encryption Required
  Massachusetts regulations – now effective March 1, 2010
    Encryption for data of any Massachusetts resident (customer or employee)
    Is it a trendsetting state law like CA S.B. 1386 was for breach notice?
  Nevada (new law/changes effective 1/1/10)
    Current Nevada law: customers who are Nevada residents
    New law/changes effective 1/1/10: covers data on anyone who is a Nevada resident (customers or employees); if you are a “data collector” and have info on NV residents, you must encrypt
    Also, you must be PCI-DSS compliant if you accept payment cards
  Other proposed laws?
    Michigan: creating a safe harbor – breach liability immunity for companies that meet minimum specified safeguards for data set forth in the law

2. “Fixin’ A Hole” (Data Security Breach Response)

Data security breaches: always in the news
  TJX/TJMaxx, Heartland Payment Systems, etc.
  Recent News: Albert Gonzalez (+ 2 unknowns) responsible for stealing about 170M payment card numbers. Tied to breaches at: 7-11; Heartland; Dave & Buster’s; Barnes & Noble; BJ’s Wholesale Club; Office Max; DSW; TJX/TJMaxx.
2007 Ponemon Inst. Survey: costs range from $250K to $35M
  Average incident = $500K, but more if court or regulatory actions. TJX recently agreed to pay $9.8M to a group of 41 state AGs; $70M to settle consumer/class action suits
  Costs of a breach can include breach response costs, plus churn from lost business/customers



2. “Fixin’ A Hole” (Data Security Breach Response) (cont’d)

Data security breach: loss of protected or sensitive personal information concerning customers or employees (of you or your clients)
Data breach notice laws: 45 states (+ D.C., Puerto Rico and U.S. Virgin Islands); state of affected individual’s residence controls
  State laws differ re: notice triggers, timelines, required content, notification of state agencies, etc.
Federal law? Efforts have been underway since 2003; nothing has come to fruition yet.
  State AGs don’t want a measure less protective than their state law
  Sticking point over notice trigger (reasonable likelihood of harm, etc.)
Protected information: for most states = first name (or first initial) and last name + any of the following: SSN; DL/ID #; or account or credit/debit card number (plus access codes if needed for use)
ENCRYPT. It gets you out of a majority of state data breach notice laws
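The “protected information” definition and the encryption safe harbor above are the two inputs to the Step 4 question later on this slide deck (is notice required?). The Python below is an added example written for this page, not the presenters’ material and not any statute’s text: it encodes the majority-state rule (name + SSN, DL/ID, or a usable account number) and treats elements the attacker could only obtain encrypted as not exposed. The field names, the full-SSN format check, the `access_code_required` flag and the `key_compromised` caveat (if the key leaked too, the safe harbor is assumed lost) are this example’s own assumptions; the sample records are constructed.

```python
"""Breach-notice triage helper (added example, not part of the original
presentation).  It encodes the majority state-law definition of "protected
information" described on the slide:

    first name (or first initial) + last name
    AND any of: SSN; driver's license / state ID number;
                account or credit/debit card number (plus any access code
                needed to use it)

and the encryption safe harbor: elements the attacker could only obtain in
encrypted form are not counted.  Field names, the SSN format check and the
key-compromise flag are this example's own assumptions, not statutory text.
"""
import re
from dataclasses import dataclass, field

# A full 9-digit SSN, with or without dashes.  A masked value such as
# "***-**-6789" does not match and therefore does not trigger notice.
FULL_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


@dataclass
class ExposedRecord:
    """What an attacker obtained for one individual."""
    fields: dict                                  # field name -> value as found in the exposed data
    encrypted: set = field(default_factory=set)   # fields exposed only in encrypted form
    key_compromised: bool = False                 # assumption: if the key leaked too, the safe harbor is lost
    access_code_required: bool = True             # does the account number need a PIN/CVV/password to be used?


def _readable(rec: ExposedRecord, name: str) -> bool:
    """True if the field was present and the attacker could read it."""
    value = rec.fields.get(name)
    if value in (None, ""):
        return False
    if name in rec.encrypted and not rec.key_compromised:
        return False
    return True


def has_identifying_name(rec: ExposedRecord) -> bool:
    first_ok = _readable(rec, "first_name") or _readable(rec, "first_initial")
    return first_ok and _readable(rec, "last_name")


def triggering_elements(rec: ExposedRecord) -> set:
    """Data elements that, combined with a name, make the record 'protected information'."""
    found = set()
    if _readable(rec, "ssn") and FULL_SSN_RE.match(str(rec.fields["ssn"])):
        found.add("ssn")
    if _readable(rec, "drivers_license"):
        found.add("drivers_license")
    if _readable(rec, "account_number"):
        # An account/card number counts only if it is usable: either no access
        # code is needed, or the code was exposed (readable) alongside it.
        if not rec.access_code_required or _readable(rec, "access_code"):
            found.add("account_number")
    return found


def notice_triggered(rec: ExposedRecord) -> bool:
    return has_identifying_name(rec) and bool(triggering_elements(rec))


def triage(records: dict) -> dict:
    """Map record id -> sorted list of triggering elements (empty list = no notice under this rule)."""
    return {
        rid: sorted(triggering_elements(rec)) if notice_triggered(rec) else []
        for rid, rec in records.items()
    }


# Constructed sample data, not real individuals.
SAMPLE = {
    "plain_ssn": ExposedRecord(
        {"first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"}),
    "encrypted_ssn": ExposedRecord(
        {"first_name": "Ada", "last_name": "Lovelace", "ssn": "Zm9vYmFy"},
        encrypted={"ssn"}),
    "encrypted_but_key_leaked": ExposedRecord(
        {"first_name": "Ada", "last_name": "Lovelace", "ssn": "123-45-6789"},
        encrypted={"ssn"}, key_compromised=True),
    "masked_ssn": ExposedRecord(
        {"first_initial": "A", "last_name": "Lovelace", "ssn": "***-**-6789"}),
    "card_without_code": ExposedRecord(
        {"first_initial": "A", "last_name": "Lovelace", "account_number": "4111111111111111"}),
    "card_with_code": ExposedRecord(
        {"first_initial": "A", "last_name": "Lovelace",
         "account_number": "4111111111111111", "access_code": "123"}),
    "ssn_no_name": ExposedRecord({"ssn": "123-45-6789", "email": "ada@example.com"}),
}

if __name__ == "__main__":
    for rid, elements in triage(SAMPLE).items():
        status = "YES" if elements else "no"
        print(f"{rid:26s} notice={status:3s} elements={elements}")
```

The output is only the first cut: the state of each individual’s residence controls, and some states count additional elements (medical or biometric data, for example) or apply a harm threshold, so the triage result feeds counsel’s analysis rather than replacing it.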

2. “Fixin’ A Hole” (Data Security Breach Response) (cont’d)

Recommended 5 Step Data Breach Response Plan:
  Step 1: Form Incident Response Team (include members from IT, HR, Legal, Risk/Compliance, PR and executive ranks)
  Step 2: Formulate Incident Response Plan (get contact info for all members of Incident Response Team; plan for response actions)
  Step 3: Discovery and Investigation (have external computer forensics companies on file, and do your due diligence)
  Step 4: Determine If Notice Required (and provide if required; this may require bringing in outside legal counsel with data breach expertise)
  Step 5: Conduct Post-Mortem of Security Breach Incident (formulate remediation steps and “lessons learned” to prevent similar breaches)



3. “Being For The Benefit of Mr. Kite” (Marketing)

COPPA = Children’s Online Privacy Protection Act
  Governs marketing online to children under age 13
  Applies if a website is directed to children, OR you are aware that info from children under 13 is being collected (collecting date of birth puts you on constructive notice – see FTC enforcement action: U.S. v. Iconix Brand Group, Inc. - $250K fine)
  FTC enforcement action: Sony BMG Music = $1M fine, plus consent order requiring certain actions and ongoing FTC monitoring
Maine Predatory Marketing Law
  Effective September 12, 2009; Maine AG won’t enforce
  Cannot knowingly collect or receive a minor’s health-related information or PI for marketing purposes without first obtaining verifiable parental consent (minor = under 18); lawsuits on this (dormant commerce clause?)

3. “Being For The Benefit of Mr. Kite” (Marketing) (cont’d)

eMarketing and Legal Issues
  CAN-SPAM is applicable (state and federal)
    Footer requirements (opt-out & physical address)
    Must maintain suppression list
    Most CAN-SPAM requirements do not apply to “transactional” and “relational” messages as defined under the act (but the definitions require interpretation)
  E-mail address issues
    Company must comply with its own privacy and point-of-sale policies
    Anticipate sharing of e-mail addresses in privacy policies
    Be aware of any existing restrictions on e-mail lists acquired from third parties or acquired in a merger or acquisition
  COPPA applies (see above) and the new Maine restrictions on marketing to minors apply (if upheld)



3. “Being For The Benefit of Mr. Kite” (Marketing) (cont’d)

mMarketing (Mobile Marketing) and Legal Issues
  CAN-SPAM v. Telephone Consumer Protection Act (TCPA)
    Basic SMS text message is SMPP (Short Message Peer-to-Peer) = subject to TCPA (prior agreement by customer to receive any unsolicited commercial message) (TCPA enforced by FCC)
    Messages sent via SMTP (Simple Mail Transfer Protocol) = subject to FCC’s CAN-SPAM Rules (diff’t from FTC CAN-SPAM rules and really strict)
  Direct Marketing Association’s “Guidelines For Mobile Marketing”
Behavioral Advertising
  Thus far, industry self-regulation (e.g. Interactive Advertising Bureau’s “Guidelines for Behavioral Advertising”)
  BUT, statements by new FTC Chairman Jon Leibowitz:
    4/27/09: “The industry is pretty close to its last clear chance to demonstrate it can police itself.”
    5/12/09: “Opt-out isn’t necessarily illegal, but I think that the better practice is opt-in.”
  Amended FTC guidance on behavioral advertising earlier this year; may bring enforcement actions based on UDAP, other laws (Sears tracking software)

3. “Being For The Benefit of Mr. Kite” (Marketing) (cont’d)

Social Media
  Facebook, LinkedIn, Twitter etc. Also blogs and vlogs. (Ethics Point: Attorneys & Social Media)
  Need to examine how company wants to use social media for marketing purposes – what are your goals and aspirations? Is it going to be another avenue for providing customer service?
  Also need to examine whether company’s use of social media will trigger other laws/regulations: banks still have to comply with advertising rules; proprietary info/trade secrets issues; don’t reveal a merger in the works, etc.
  Once you have determined goals on use of social media, plus any relevant restrictions on data or activities, then develop a social media or social computing policy
  Good Model: “IBM Social Computing Guidelines” (available at www.ibm.com/blogs/zz/en/guidelines.html)



4. “Back In The USSR” (Financial Data/Payment Systems Requirements)

Threats to Financial Data
  GLBA (Gramm-Leach-Bliley Act)
    CA S.B. 1 – more restrictive
  FCRA (Fair Credit Reporting Act) as amended by FACTA (Fair & Accurate Credit Transactions Act)
    ID Theft Red Flag Rules
  RFPA (Right to Financial Privacy Act)
  PCI-DSS (Payment Card Industry Data Security Standards)

4. “Back In The USSR” (Financial Data/Payment Systems Requirements) (cont’d)

Threats to Financial Data
  Financial data = money
  On Albert Gonzalez and 2 accomplices: “If 3 punks can do this much harm, think about what could be done by a hostile nation.”
  Lots of threats and security breaches against the financial services industry and transaction data are originating from Russia and Eastern Europe (formerly USSR)
    Russian Business Network “botnet” attacks
    ATM hacking and malware concerns in Eastern Europe
    22% of attacks in 2008 originated from Eastern Europe
  Deadweight economic loss in U.S. due to hacking, ID theft and fraud is so large it is now becoming a national security concern
  New threats emerge with new payment technologies (e.g. mobile payments, increase in ACH fraud via business bank accounts, etc.)



4. “Back In The USSR” (Financial Data/Payment Systems Requirements) (cont’d)

Gramm-Leach-Bliley Act (GLBA)
  Applies to “financial institution” = broad definition; Privacy Rule and Safeguards Rule
  Affiliate sharing of NPPI = permitted under GLBA (“affiliate” = entity owned or under common control)
  Third party sharing of NPPI = opt out notice (but exceptions)
    To complete transactions
    Joint marketing with FIs
    Subpoena, examiner, other
CA S.B. 1 – more restrictive than GLBA
  GLBA is “floor preemption” and states can enact more restrictive laws
  CA S.B. 1 in court since 2004; 6/29/09 USSC denied cert of appeal, so CA S.B. 1 applicable to California customers/employees
  Requires opt-out for affiliate sharing (GLBA is no notice)
  Requires opt-in for third-party sharing (GLBA is opt-out)

4. “Back In The USSR” (Financial Data/Payment Systems Requirements) (cont’d)

FCRA/FACTA
  Affiliate sharing = clear and conspicuous (C&C) disclosure to consumer and consumer can opt out (model form) (“affiliate” = entity owned or under common control)
  Third party sharing = specific permission/opt in
  FACTA customer receipt truncation (last 4 digits only; no exp. date)
ID Theft Red Flags Rules – Nov. 1, 2009, deadline
  “Creditors” with “consumer accounts” and/or other accounts with a reasonably foreseeable risk of ID theft (commercial accounts, i.e. sole proprietors, etc.)
  “Creditor” = anyone who defers payments for goods & services (e.g. Net 30 billing)
  Must implement an ID theft prevention program that detects “red flags” that indicate potential for ID theft or fraud (e.g. address discrepancies, changing address then asking for new card)
  Big pushback from docs and lawyers on applicability to them; ABA has filed suit; H.R. 3763 passed U.S. House on 10/20/09 (vote 400–0) and exempts health care, accounting and legal practices with 20 or fewer employees; also any business can apply to FTC for an exemption



4. “Back In The USSR” (Financial Data/Payment Systems Requirements) (cont’d)

Right to Financial Privacy Act (RFPA)
  Federal act that gives customers of financial institutions the right to some level of privacy from government searches
  There, but lots of exceptions, esp. for government subpoenas, etc. (and now national security letters (NSLs))
Payment Card Industry Data Security Standards
  If you accept, process or store credit/debit card information, you must comply with PCI-DSS requirements. PCI-DSS prohibits the retention of certain cardholder/transaction data and is enforced via private contract by Visa, MC, AmEx, etc.
  MN was first state to enact PCI-DSS requirements into law; now Nevada (1/1/10); TX had a similar bill in the previous 2 sessions
  Fall 2009 – PCI standard setting body is receiving comments for PCI-DSS revisions; changes will be effective Fall 2010
  DON’T rely on your vendors to comply with this; ask them
  Oct. 5, 2009: Visa Best Practices: Data Field Encryption v. 1.0 (post-Heartland)
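Two of the rules above are concrete enough to check mechanically: the PCI-DSS prohibition on retaining certain cardholder data, and the FACTA receipt truncation rule from the FCRA/FACTA slide (last 4 digits, no expiration date). The Python below is an added example written for this page, not the presenters’ material and not PCI SSC or card-brand code. It scans stored lines (a payment log, a database dump) for full card numbers kept readable and for sensitive authentication data (track 1/track 2, CVV, PIN), which may not be kept at all after authorisation, and masks a PAN the way a receipt must show it. Assumptions: the log lines are constructed, the track patterns follow the ISO/IEC 7813 layouts, and the `cvv`/`pin` field names are illustrative.

```python
"""Stored-data scan for cardholder data that PCI-DSS does not allow to be kept,
plus FACTA receipt truncation (added example; not from the presentation, the
PCI SSC or any card brand).  Assumptions: the log lines are constructed; the
track-data patterns follow the ISO/IEC 7813 track 1 and track 2 layouts; the
cvv/pin field names are illustrative.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.  Candidates are confirmed with the Luhn check below, which
# filters most timestamps and order numbers (a Luhn-valid one still slips
# through; treat hits as leads to review, not proof).
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Sensitive authentication data: never storable after authorisation.
SAD_PATTERNS = {
    "track1": re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\?"),
    "track2": re.compile(r";\d{13,19}=\d{4}[^?]*\?"),
    "cvv":    re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I),
    "pin":    re.compile(r"\bpin(?:_?block)?\s*[=:]\s*[0-9a-f]{4,16}\b", re.I),
}


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check-digit test on a string of digits."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return (kind, value) findings for one stored line.

    'pan' = a full card number stored readable (PCI-DSS requires it to be
    truncated, hashed or encrypted); track1/track2/cvv/pin = sensitive
    authentication data that may not be retained at all.
    """
    findings = []
    for kind, rx in SAD_PATTERNS.items():
        findings.extend((kind, m.group(0)) for m in rx.finditer(line))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("pan", digits))
    return findings


def scan_lines(lines) -> dict:
    """Map line number (1-based) -> findings, for lines that have any."""
    report = {}
    for n, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            report[n] = found
    return report


def receipt_pan(pan: str) -> str:
    """FACTA truncation for a customer receipt: last 4 digits only (the
    statute's ceiling is 5), everything else masked; the expiration date is
    simply never printed."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample of a payment application log (not real data).
SAMPLE_LOG = [
    "2010-06-11 10:31:02 auth ok pan=4111-1111-1111-1111 cvv=123 amount=42.00",
    "2010-06-11 10:31:03 auth ok pan=411111******1111 auth_code=05A amount=42.00",
    "2010-06-11 10:31:04 swipe ;5500000000000004=25121011000012345?",
    "2010-06-11 10:31:05 refund order=A20100611103105 amount=-42.00",
]

if __name__ == "__main__":
    for n, found in scan_lines(SAMPLE_LOG).items():
        print(f"line {n}: {found}")
    print(receipt_pan("4111111111111111"))
```

Line 2 of the sample is how the data should look at rest: the PAN already truncated, so the scanner has nothing to report. A hit on a track-2 string is the finding to escalate first, since the slide’s point about Heartland and TJX is precisely that full magnetic-stripe data was available to be stolen.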

5. “Here, There and Everywhere” (Vendor Agreements/ Outsourcing/ Cloud Computing)

Vendor and Outsourcing Agreements:
  Be aware of any special due diligence and contractual requirements under GLBA, HIPAA, PCI-DSS, etc.
  Read agreement and make sure your company owns data and has a right to get it back
  Special contract points include:
    Data locations (i.e. will it be stored outside U.S.)
    Traditional security issues (background checks, business continuity, disaster recovery)
    Encryption
    Data security/data breach notification and responsibilities
    Post-termination transition of services and return of data
    Right to approve vendor’s subcontractors



5. “Here, There and Everywhere” (Vendor Agreements/ Outsourcing/ Cloud Computing) (cont’d)

Cloud Computing
  Gaining attention and use as companies outsource data storage and hosting, and providers seek less expensive electricity and labor
  Benefits: scalability; cost effectiveness; access to data anytime, anywhere; expertise of provider
  Risks: loss of control; data can be stored anywhere on the globe; servers are centralized repositories subject to massive hack; exposure of data to seizure by foreign government/subpoenas
  Know where your data will live and travel.
  Contract Issues: Read your contract carefully. All contract points for Vendor/Outsourcing, plus: details on data storage locations, and flow of data; agreement to abide by your privacy policies and requirements; clearly articulated security practices and responsibilities; retention of control of data and getting it back; my competitors can’t see my data; cyber-liability insurance requirements

6. “Across The Universe” (International Privacy Regulation)

Any company operating in multiple countries faces compliance issues
  U.S. vs. EU (applicable jurisdictions)
  You can have data controller/owner in one country, data processor using/storing data in another, and data subjects (customers, employees) in multiple other countries
  Be aware of legal restrictions and requirements
  Legal responsibilities associated with formal process and governmental investigations
  Data transfer laws (customers, employees, M&A target in EU)
  E.g. cross-border enforcement, Canada Privacy Commission & Facebook
  FTC Enforcement: 9 years, zero times. 10/6/09, settlement with 6 companies falsely claiming safe harbor compliance (7 in 2009).



7. “Doctor Robert” (HIPAA Issues)

Health Insurance Portability and Accountability Act (HIPAA)
  Applies to “covered entities” and “business associates”
    “Covered entities” = generally healthcare providers (hospitals, clinics, doctor’s office) and “group health plans” as defined by ERISA
    “Business associates” = entities that store or process protected health information (PHI)
  Policy, training, security, notification, certification
New HITECH Act Provisions
  Expanded applicability of HIPAA based on interaction with PHI
  Also imposed new Business Associate security rules
  Important to know re: push for electronic health records
New Hampshire: 1/1/10 = eHealth privacy, health data marketing, health data breach notice laws

8. “You Can’t Do That” (Restrictions On Use of Certain Information)

Information you use in business is both an asset and a source of risk/liability
Most information cannot be “owned” per se, but the collector and holder of that data has legal rights and responsibilities
Business Acquisition Context: Due Diligence
  Understand what you are buying in terms of PI and how it was originally acquired
  Examine any privacy policies applicable to data you are acquiring
  Examine expectation, applicable laws and data transfer issues (e.g. strict E.U. consent issues)
  Transfer of PI in customer-facing privacy policies (bankruptcy example: Toysmart)



8. “You Can’t Do That” (Restrictions On Use of Certain Information) (cont’d)

Acquisition of Marketing Information from third parties = Due Diligence
  Florida v. VICI Mktg.
    Florida-based VICI Mktg. bought customer leads/e-mails from a third party
    Leads contained PI on individuals stolen from Certegy in a prior, highly publicized breach; Certegy breach victims contacted FL AG
    FL AG brings a state Unfair and Deceptive Acts or Practices (UDAP) claim
    April 8, 2009: VICI enters a settlement with FL AG for $350K in penalties for alleged UDAP violations (company must pay additional $1M if it violates settlement agreement)
    UDAP allegations arose from VICI’s complete lack of due diligence in determining whether the data purchased from a third party was of unlawful or questionable origin. Outlier case or will other AGs follow?
  Indiana: Welfare Data For Screening Potential Employees? U.S. Food & Nutrition Service said “no”; permissible use of data ??

9. “Help!” (Governmental Investigations and Discovery Requests)

Electronic Communications Privacy Act (ECPA)
  Referred to as “Codified 4th Amendment”
  Expanded gov’t powers as a result of USA-PATRIOT Act
  Generally, order or search warrant required for content of 3rd party e-mail
  Preservation requests
On-site Government Investigations
  NSLs; criminal acts (money laundering, etc.)
  Computer Scanning
  Search warrants



9. “Help!” (Governmental Investigations and Discovery Requests) (cont’d)

Foreign Intelligence Surveillance Act (FISA)
Civil Discovery Requests
  Constitutional rights (privacy, freedom of speech)
  Specific statutory rights and issues (HIPAA, OSHA, RFPA)
  Third-party e-mail (ECPA)
  Proprietary, and necessary, company systems and data
  Non-disclosure agreements
  Notification requirements
  Get legal involved immediately

10. “Helter Skelter” (Government Enforcement Actions – state, federal and int’l)

Enforcement of Specific Laws
  GLBA: enforced by the banking/financial services agencies
    Office of the Comptroller of the Currency (OCC)
    Federal Deposit Insurance Corporation (FDIC)
    Office of Thrift Supervision (OTS)
    National Credit Union Admin. (NCUA)
  HIPAA
    Privacy Rule – HHS Office for Civil Rights (OCR)
    Security Rule – was enforced by HHS Centers for Medicare and Medicaid Services (CMS); now enforced by OCR



10. “Helter Skelter” (Government Enforcement Actions – state, federal and int’l) (cont’d)

FTC is primary regulator of federal U.S. privacy laws
- Section 5 of FTC Act: Unfair and Deceptive Trade Practices
  - Failure to abide by your stated privacy policies
  - Failure to “reasonably” safeguard/secure data (security issues)
- FTC can also enforce industry-specific privacy regulations for otherwise unregulated entities
- Many enforcement actions involve specific law + Section 5 violation
- Typically end in consent orders with fines plus ongoing compliance monitoring by FTC for up to 20 years
  - E.g. Sony BMG (COPPA violation, but also violation of stated privacy policies)
  - E.g. BJ’s Wholesale Club (failure to reasonably protect customer data)
  - E.g. Quality Terminal Services (no notices as required by FCRA plus Section 5 violation)
- FTC also enforces E.U. Safe Harbor registrations for U.S. companies (company must abide by Safe Harbor registration and its privacy policy)

10. “Helter Skelter” (Government Enforcement Actions – state, federal and int’l) (cont’d)

FTC 5 Year Strategic Plan
- Plan calls for, among other things, challenging practices that “threaten consumer privacy” and calls for enforcement of consumer credit statutes/rules

CFPA (Consumer Financial Protection Agency)
- Currently being debated by Congress; primarily a response to what was called “lax” oversight by financial regulatory agencies
- If created, FTC’s role would shift with relation to new CFPA
  - FTC’s primary authority for financial product and services protections would be transferred to CFPA; CFPA to handle front-end privacy protection on financial issues
  - BUT, FTC would retain “back up” authority with CFPA for those statutes for which FTC currently has jurisdiction
  - FTC would retain joint authority with CFPA over financial fraud and remain the lead federal consumer protection agency re: data security

10. “Helter Skelter” (Government Enforcement Actions – state, federal and int’l) (cont’d)

State Attorneys General
- State attorney general can generally enforce any state’s data breach notice law
- State attorney general can also enforce any state-specific privacy law
- “Anything FTC can do, we can do better”
- State attorney general can also bring a UDAP claim under state UDAP law that is similar to FTC Section 5 Unfair and Deceptive Trade Practices claim
- Sometimes in national or multi-state privacy-related events, groups of attorneys general will file suit in follow-on litigation/enforcement
  - E.g. TJX in June 2009 settled with 41 state attorneys general for claims regarding violation of consumer protection and/or data security laws
  - $2.5M to Data Security Fund; $5.5M settlement + $1.75M to cover states’ expenses; certify that TJX’s computer system meets detailed data security requirements; and encourage development of new technologies to address systemic vulnerabilities in the United States payment card system

10. “Helter Skelter” (Government Enforcement Actions – state, federal and int’l) (cont’d)

International Enforcement
- U.S. companies operating abroad face enforcement actions from countries where they operate
  - Google executives and alleged violation of Italian privacy laws
  - Canadian Privacy Commission’s investigation of Facebook practices (and Facebook’s changes)
- Can face fines, penalties, restrictions on doing business, settlement and monitoring requirements, and even jail time (in extreme cases)

“All Together Now” (Questions?)

Erin F. Fonté
Financial Institutions
Privacy, Internet & Information Technology

Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800
Austin, TX 78701
Direct: 512.703.6318

[email protected]
