In the first post on privacy and data security, we examined federal laws and policies affecting privacy and data security. Continuing our look at relevant statutes, we now turn to state-level laws and policies, as well as several international trends.
State Privacy Laws
Many states have begun to enact their own laws to protect Personal Information. This is an area that is changing rapidly, so it will be important to work with legal counsel to obtain the most up-to-date information about the requirements of the states in which you will do business and/or collect Personal Information. The following paragraphs provide illustrative examples of state laws. They are not a complete list of all state privacy laws.
Connecticut regulates the use of Social Security numbers collected from consumers. Under its policy, an individual’s Social Security number may not be publicly displayed or printed on a card required to access services. It further may not require individuals to transmit unencrypted Social Security numbers or use a Social Security number to access a website unless another authentication device is also required. The law also mandates the creation and public display of a privacy protection policy that protects the confidentiality of Social Security numbers and prohibits their unlawful disclosure.
Nebraska and Pennsylvania have dealt with privacy through their deceptive trade practices laws, with identical statutes imposing penalties for knowingly making false or misleading statements in privacy policies regarding the use of personal information. Minnesota and Nevada have passed laws governing when Internet service providers can disclose private information. Utah requires all businesses, whether online or otherwise, to disclose to customers what personal information it will share to third parties. Review with legal counsel applicable laws of states in which your company will do business and/or in which you will collect Personal Information.
Data Security Requirements
California was the first state to implement a breach notification law. Under its legislation, any entity that does business in California must report breaches of unencrypted personal information to any California resident whose information is compromised by the breach. This notification must be given expediently and without unreasonable delay. In certain situations, notice can be given through the media. Similar breach notification obligations are now in place in the vast majority of states.
In addition to breach notification laws, states have been considering measures that would require companies to adopt and implement specific data security requirements. Massachusetts has emerged as a leader in this new trend. On March 1, 2010 comprehensive data security regulations entered into force in Massachusetts. These regulations require companies to develop and maintain written information security policies and technological controls to protect certain Personal Information concerning residents of Massachusetts. While similar in aim, procedural differences can make compliance tricky when breaches implicate residents of multiple states.
Foreign data privacy and security laws are often more stringent than U.S. requirements. At the forefront of this movement is the European Union, which has passed the European Data Protection Directive (the “Directive”). The Directive is a set of guidelines to which Member States must conform, so individual requirements of each country may be very different. Entities which process personal data must conform to the laws of both the country where they are established and the country where their processing operations take place.
The Directive restricts what categories of data may be processed and when. Companies must notify supervisory authorities about many aspects of the processing, including the categories of information collected, the purpose and to whom the data may be disclosed. The person whose data is processed must also be allowed access to information about the collected data, including the actual data in a readable form. Member States are required to implement appropriate security measures to protect personal data.
What security measures qualify depends upon available technology, cost, risks and the nature of the data. Entities that wish to delegate data processing functions must choose processors that will provide sufficient security guarantees. Additionally, the delegating entity is held accountable for the security of the data, even after the third party has taken over processing. The Directive also generally prohibits the transfer of personal data to third countries unless those countries provide adequate data protection. Only a few non-Member States have been approved by the EU.
Data protection requirements in other countries vary greatly in the level of protection required, with some countries opting for national protection schemes and others allowing industries to regulate themselves. Be sure to perform a review of applicable laws before doing business in any foreign country.