Data Protection & Privacy Laws 2012
Copyright 2012 Financier Worldwide. Originally published in Financier Worldwide's Annual Review, December 2012.
Could you provide a brief overview of the principles behind data privacy laws in the US? How do the local laws compare to data privacy laws elsewhere?
Data privacy laws in much of the world apply regardless of industry, source or region. In contrast, the US features an alphabet soup of sector-specific federal data privacy laws. For example, the German-Leach-Bliley Act (GLBA) applies to financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare institutions, the Children's Online Privacy Protection Act (COPPA) applies to online businesses collecting information from children under age 13, the Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA) apply to student records, the Driver Privacy Protection Act (DPPA) applies to motor vehicle records, and the Fair Credit Reporting Act (FCRA) applies to data collected by consumer reporting agencies. Stir in 50 US state and territorial data security laws governing data breach notice, security and destruction, and you get a complex thicket of data privacy and security laws.
Have there been any proposed or actual regulatory developments affecting data privacy that are worth noting?
2012 saw many notable changes to state data security and privacy laws. Vermont imposed a 14-day deadline for notifying the Attorney General of a data security breach affecting consumers in that state. Maryland, Illinois and California passed laws limiting employer access to employee or applicant social media accounts, and California formed a new Privacy Enforcement and Protection Unit. At the federal level, efforts to pass a law to pre-empt state data security breach notice laws failed, as did efforts to pass a federal law to regulate critical infrastructure. In response, the Obama administration is considering an Executive Order to develop voluntary cyber security standards for critical infrastructure.
What kinds of penalties may be issued against companies following data misuse or data leaks?
Remedies available in a particular case depend on which of the many state or federal data privacy or security laws is at issue. But, generally speaking, remedies may include damages, restitution, civil penalties and, in some cases, criminal penalties. For example, violations of the HIPAA may result in civil penalties up to $1.5m per calendar year, or criminal penalties of up to $250,000 and 10 years in prison. Violations of the COPPA Rule may result in civil penalties of up to $11,000 per violation. A HIPPA settlement in June with the Massachusetts Attorney General included a $750,000 civil penalty, and a June COPPA settlement included a $250,000 civil penalty.
To what extent has the government in the US increased its monitoring, audit and enforcement activities with respect to data privacy?
In 2012, the US Federal Trade Commission (FTC) and several state attorneys general brought many data privacy and security enforcement actions. The FTC cases effectively extended data security obligations to otherwise unregulated sectors on the theory that failing to provide "reasonable and appropriate" data security for consumer information is an unfair trade practice. FTC settlements usually require the company to establish and maintain a comprehensive, written data security program that must be audited by an independent third party at least biennially for up to 20 years. 2012 also saw an expanded focus by the Securities and Exchange Commission on public company disclosures concerning risks related to data security.
What trends have you seen in litigation against companies over data-related disputes?
The number of data privacy and security class action lawsuits is on the rise. For example, in 2012, Facebook settled a privacy class action for $20m, and Netflix settled a class action for alleged violation of the Video Privacy Protection Act for $9m. New class action suits were brought against Yahoo! for allegedly violating the California Invasion of Privacy Act, and LinkedIn for allegedly violating its own privacy policy. In addition, a federal court certified a class action against IKEA for requesting and recording zip codes in violation of California's Song-Beverly Credit Card Act.
What advice would you give to companies on managing data risk, installing internal compliance processes and maintaining compliance on data privacy?
Before expanding your business into the US, take stock of your company's data collection, use and security procedures. Then, map and classify those elements according to promises made to customers, vendors and partners; relative sensitivity; internal requirements; and external regulatory requirements. Next, draft and implement a written information security plan (WISP), and make sure this addresses all elements of information security, governance and risk - not just cyber security - including Data Classification Policies, Cloud Policies, Board and Management Oversight and Monitoring, Records Management and Retention, Incident Response Management, Litigation Preparedness and Business Continuity.