Privacy: Is It Any of Your Business? A Primer on Key Emerging Privacy Issues. Wednesday, October 12, 2005, Washington, DC
Seminar Overview John P. Hutchins Partner Troutman Sanders LLP 404.885.3460 email@example.com
Data Collection: Everyone’s Doing It • Electronic Commerce Has Led to Explosion of Data • Between 2002 and 2005, the world will generate more data than all the data generated on earth over the last 40,000 years. (University of California at Berkeley Study, 2002)
“Read All About It!” • February 2005 - ChoicePoint discloses that, in October 2004, it sold information on 145,000 people to data thieves posing as legitimate businesses • March 1 - Bank of America reports that it lost computer data tapes containing social security numbers and account information on up to 1.2 million federal employees, including some members of the U.S. Senate • March 10 - LexisNexis reports that hackers commandeered one of its databases, gaining access to personal files of as many as 32,000 people
“Read All About It!” • Mid-March - Boston College reports that a computer with files on 120,000 alumni was breached • March 28 - UC Berkeley reports a stolen laptop containing personal information on nearly 100,000 University of California at Berkeley alumni, students and past applicants (some data was 30 years old) • April 12 - Tufts University sends letters to 106,000 alumni, warning of “abnormal activity” on a computer that contained names, addresses, phone numbers, and some Social Security and credit card numbers
“Read All About It!” • April 20 - DSW Shoe Warehouse reports that thieves stole 1.4 million credit card numbers of customers • May 2 - Time Warner reports that a shipment of backup tapes with personal information of about 600,000 current and former employees was lost during a routine shipment to offsite storage • June 1 - Washington Post reports that FBI is investigating theft of Justice Department laptop from Omega World Travel office in Fairfax, VA, believed to contain personal data on 80,000 Justice Department employees
“Read All About It!” • June 6 - CitiFinancial states that it has begun notifying 3.9 million customers that computer tapes containing information about their accounts had been lost • June 18 - MasterCard International reports that the networks of its third-party processor, CardSystems Solutions, were hacked and that data on 40 million credit card accounts was compromised • June 24 - IRS discloses that it is investigating whether unauthorized people gained access to sensitive taxpayer and bank account information • Someone has estimated 50 million people!
California SB 1386 • Effective July 1, 2003 • ChoicePoint story breaks February 2005 (approximately 18 months) • Followed by report after report, disclosure after disclosure • What’s going on here?
Fundamental Shift • “Privacy breaches” come in all shapes and sizes • Some are the result of old-fashioned “con” • Some are the result of a sophisticated computer “hack” • Some are the result of simple larceny • Some are the result of basic human error (i.e., it’s just lost) • Some are the result of a third-party’s non-performance • But all are “big news”
The Shift is Broader Than Data Theft • “CardSystems: Should Not Have Kept Records” – June 20, 2005, Atlanta Journal-Constitution • “Bosses on the prowl for risqué pics” – June 17, 2005, News.com • “119 students who failed courses get group e-mail” – June 20, 2005, USA Today
What Is “Privacy” Law? • Gramm-Leach-Bliley • FCRA-FACTA • HIPAA • COPPA • USA Patriot Act • EU Data Protection Directive • Privacy in the workplace (e.g., background screening, employee monitoring, video surveillance) • Federal Sentencing Guidelines regarding executive background checks • Customer Proprietary Network Information • CALEA • E-mail hazards (e.g., SPAM, Phishing, Spoofing) • Data aggregator liability and compliance* • Identity theft and other cybercrimes • Department of Homeland Security/FERC regulations regarding critical infrastructure information • ISP liability • Spyware • Document retention and destruction • Sarbanes-Oxley
Privacy & Data Security Team Multi-Disciplinary • Banking & Finance • Bankruptcy • Compensation & Benefits • Consumer Law • Governmental Law • Health Care • Homeland Security • Immigration • Intellectual Property • Labor & Employment • Litigation • Securities • Technology
Rapidly Changing Legal Issues • Are you covered? • Including GLB, FCRA, CALEA, etc. (Melissa Yost) • Data Collection/Legislative Trends (John Hutchins) • Compliance Issues – FACTA; Patriot Act/Wire Tap; HIPAA; Bankruptcy (Mary Zinsner, Dan Seikaly, Steve Gravely, Rich Hagerty) • New Litigation and Legal Theories (John Anderson) • Communicating the Privacy Challenge (Chuck Palmer)
Overview of Key Privacy Laws – Are You Covered? Melissa Yost Associate Troutman Sanders LLP 404.885.3486 firstname.lastname@example.org
Are You Covered? • What Types of Information are Shared? • With Whom Do We Share Data? • What are the Risks? • How Do We Protect Against These Risks?
Are You Covered? • What Types of Data are Shared? • Consumer Information • Internal Company Information • Third Party Information • Information Key to National Security
Are You Covered? • With Whom do We Share Data? • Business Associates • Affiliates • Government Entities • Legally Required Disclosure • Political Reasons • Other Private Parties
Are You Covered? • What are the Risks? • Security • Undermine security of infrastructures and systems • Competitive Disadvantage • Allows competitors to obtain your nonpublic data • Legal Liability • Disclosures to Government Entities • Customer Privacy/Public Perception • Hurt customer relationships and market credibility
Legal Liability Federal Laws Gramm Leach Bliley (GLB) • Prohibits financial institutions from disclosing personally identifiable information of the customer to non-affiliated third parties without satisfying certain disclosure and consent requirements. • Broad definition for financial institution • Security Safeguard Rule – must implement reasonable policies and procedures to ensure the security and confidentiality of customer information • Written security program • Assign employee to oversee • Include service providers
Legal Liability Federal Laws Fair Credit Reporting Act (FCRA) • Regulates the use of consumer reports for consumer reporting agencies, and users and furnishers of such reports.
Legal Liability Federal Laws Amended in 2003 by the Fair and Accurate Credit Transactions Act (FACTA) – Effective Date? • Purpose: to prevent identity theft, improve resolution of consumer disputes, improve accuracy of consumer records, and make improvements in the use of and consumer access to credit information. • Fraud alerts • Truncation of credit card and debit card account numbers • Rights of identity theft victims • Free consumer reports • Special notice and opt-out rules for affiliate sharing of information in a consumer report with respect to marketing solicitations
Legal Liability Federal Laws • The FTC has adopted rules implementing several provisions of FACTA (more to follow. . .) • Prescreen Opt-Out Disclosure – August 1, 2005. • Summaries of Rights and Notices of Duties for Identity Theft Victims – January 31, 2005. • Disposal of Consumer Report Information and Records – June 1, 2005. • Related Identity Theft Definitions, Duration of Active Duty Alerts and Appropriate Proof of Identity under FCRA – December 1, 2004. • Free Annual File Disclosures – December 1, 2004. • Prohibition Against Circumventing Treatment as a Nationwide Consumer Reporting Agency – June 12, 2004.
Legal Liability Federal Laws Health Insurance Portability and Accountability Act (HIPAA) • Privacy Rule • No covered entity (i.e., health care provider, health plan, or health care clearinghouse) or business associate of a covered entity may access, use or disclose protected health information without first obtaining the individual’s informed, written authorization, other than for permitted purposes such as treatment, payment and health care operations. • Security Rule • Security obligations for electronic protected health information • Business Associate Agreement/Security Rule
Legal Liability Federal Laws Customer Proprietary Network Information (CPNI) • Except as required by law or with approval of the customer, a telecommunication carrier that obtains customer proprietary network information (CPNI) by virtue of its provision of telecommunications service will only use, disclose or permit access to CPNI in its provision of telecommunications service or for services necessary to or used in the provision of service. • Location Based Information • Except as required by law . . .
Legal Liability Federal Laws Children’s Online Privacy Protection Act (COPPA) • Commercial websites must provide notice and obtain parent’s consent prior to collecting personal information from children under the age of 13.
Legal Liability Federal Laws Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) • Covers email whose primary purpose is advertising or promoting a commercial product or service. • Transactional or relationship messages that facilitate an agreed-upon transaction or update a customer in an existing business relationship are exempt from all of the Act’s requirements except the ban on false or misleading header information. • The Act • Bans false or misleading header information • Prohibits deceptive subject lines • Requires a working opt-out method • Requires that the message be identified as an advertisement and include the sender’s valid physical postal address
Legal Liability Federal Laws Communications Assistance for Law Enforcement Act (CALEA) • Requires telecommunications carriers to assist law enforcement in executing electronic surveillance pursuant to a court order or other lawful authorization and requires carriers to design or modify their systems to ensure that lawfully-authorized electronic surveillance can be performed.
Legal Liability Federal Laws FTC Guidelines for Privacy Policies • The FTC recognizes information practice principles for protecting customer information and enforces these principles through a federal statute prohibiting unfair and deceptive trade practices. • Publish information practices: 1) notice, 2) choice, 3) access, 4) security and 5) enforcement
Legal Liability Federal Laws Federal Trade Commission Act (FTC Act) • The FTC Act prohibits unfair and deceptive acts or practices in or affecting commerce. • To establish an unfair or deceptive act or practice, the FTC must show that (1) a representation, omission or practice was made to customers, (2) the representation, omission or practice is likely to mislead customers acting reasonably under the circumstances to their detriment, and (3) the representation, omission or practice is material or important to customers.
Legal Liability Federal Laws National Do-Not-Call Registry • Establishes a national do-not-call registry for residential customers who wish to avoid telemarketing calls. • Covered calls include any plan, program or campaign to sell goods or services through interstate phone calls, but do not cover calls from political organizations, charities, telephone surveyors or companies with which consumer has an existing business relationship (18 months after last purchase).
Legal Liability Federal Laws Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) • Title 6: Disclosures of Records and Information Makes all federal government agency records available to the public unless these records are protected by a FOIA exemption.
Legal Liability Federal Laws Department of Homeland Security • Protect the confidentiality of Critical Infrastructure Information (CII) voluntarily submitted to DHS. • CII means information (i) not customarily in the public domain and (ii) related to the security of vital US systems or assets, the incapacity or destruction of which would impact national security, public health or safety. • Information submission requirements.
Legal Liability Federal Laws Federal Energy Regulatory Commission (FERC) • Protect the confidentiality of critical energy infrastructure information (CEII). • CEII means existing and proposed systems and assets the incapacity or destruction of which would negatively affect security, economic security, public health or safety.
Legal Liability State Laws • Old Regime – Only Case Law • Case law recognizes a cause of action for public disclosure of private facts. • Prove three prongs: (1) facts were publicly disclosed, (2) the facts disclosed were private facts, (3) the disclosure would offend a reasonable person of ordinary sensibilities. • New Regime – Statutory Framework • Information Security Breach Laws – immediate notice when customer information may have been breached.
Legal Liability State Laws • Identity Theft Statutes • Require that companies not discard customer information before ensuring that unauthorized persons cannot access it. • Directly address companies’ responsibilities with regard to record disposal procedures. • Imply an obligation to protect, because companies must protect information from unauthorized access prior to its destruction.
Legal Liability State Laws • Deceptive Trade Practices Act • Companies may not engage in conduct that creates a likelihood of confusion or misunderstanding about their services (e.g., failing to follow their published privacy policies). • Open Records Act • All state, county and municipal records are open for personal inspection by any citizen of Georgia at a reasonable time and place.
Customer Privacy/Public Perception • Public perception is important. • What is everyone else doing? Do not want to employ lower standards than your industry. • Don’t forget about third party service providers.
How Do We Protect Against These Risks? • Confidentiality Agreements / Provisions • Definition of Confidential Information • Require Third Parties • to only use your data to perform their obligations to you. • to only disclose data on a need to know basis. • to protect information from unauthorized disclosure. • Address FOIA and open records act.
How Do We Protect Against These Risks? • Company Wide Security Policies • Provide formal use and disclosure data practices to prevent unauthorized and unnecessary disclosures • Proprietary and Confidential Notices • Limit Disclosures • Electronic copy vs. hard copy • Limit electronic access to computer systems • Proper destruction of information
When Are Companies Liable for Identity Theft? Data Collection and Legislative Trends John Hutchins Partner Troutman Sanders LLP 404.885.3460 email@example.com
California SB 1386 – California Information Practices Act / Security Breach Information Act • First in the nation • Effective July 1, 2003 • “Law uses fear and shame to make companies think more seriously about information security” • ChoicePoint reported in accordance with this law • Opened floodgates • Media • Other businesses experiencing data “breaches” • Copycat legislation, lawsuits, new legal theories, technical reactions (encryption)
Fundamental Shift “I’m mad as hell, and I’m not going to take this anymore!” “Howard Beale” – Network (1976)
Legislation • Copycat Legislation introduced in at least 35 states • Legislation enacted in at least 15 states in 2005: Arkansas, Connecticut, Florida, Georgia, Illinois, Indiana, Maine, Minnesota, Montana, Nevada, New York, North Dakota, Tennessee, Texas and Washington • At least nine federal bills pending
Federal Legislation • Feinstein Bill • Modeled after California legislation • Specter/Leahy Legislation • Personal Data Privacy & Security Act • Most likely federal bill? • Pre-emption • SSN control • Other bills exploring multiple approaches • Tax incentives for security • Fraud alerts/credit freezes • Focus on identity theft?
California SB 1386 Whom Does It Affect? • Applies to state government agencies, for-profit and non-profit organizations • Applies to all “data collectors” who maintain computerized “personal information” on Californians
What Does It Require? • Requires any business that owns or licenses computerized data that includes personal information to give notice of any breach of the security of the data, following discovery of the breach, to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person
Personal Information • Personal Information – a person's first name or initial and last name in combination with any of the following, when either the name or the data element is unencrypted: • social security number • driver's license or state-issued i.d. number • account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the financial account
NOT Personal Information • Personal Information specifically does not include “information lawfully made available to the general public from federal, state or local government records.”