Privacy + Data Security

Privacy and data security issues are important for companies that collect, use, process, store, license and/or disclose personally identifiable information (“Personal Information”) whether from customers, employees, business partners or other third parties. The regulation of privacy and data security continues to evolve rapidly. Moreover, these laws are often dependent on the types of Personal Information that a company processes and the industry in which the company operates. As a result, we recommend consulting with an attorney that has expertise in this field prior to processing Personal Information.

U.S. Federal Privacy Laws

U.S. federal privacy laws tend to be based upon a company’s industry and/or the type of Personal Information involved. Some of the key federal laws that may impact your company are highlighted below.

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

HIPAA deals with the protection of certain kinds of health information, known as protected health information (“PHI”). PHI is information that can be used to identify an individual and that relates to an individual’s physical or mental health, the provision of health care to him or her, or payment for that provision. HIPAA applies to health plans, healthcare providers, healthcare clearinghouses (each, a “Covered Entity”), and business associates performing certain services for a Covered Entity involving the use or disclosure of PHI (each, a “Business Associate”).

A Covered Entity may only disclose PHI as required, permitted or authorized by HIPAA, or as authorized by the individual. A Covered Entity is required to disclose PHI to individuals or their personal representatives in most situations, and to the Department of Health and Human Services (“HHS”) if it is undertaking a compliance investigation, review or enforcement action. HIPAA also allows discretionary disclosures in certain situations, including for treatment or payment operations, disclosures incidental to other permitted uses and when in the public interest (such as for law enforcement purposes or relating to victims of abuse or domestic violence). If a disclosure is not required or permitted under HIPAA, the individual’s authorization must be obtained in writing before the disclosure can be made. Disclosures must normally be limited to the minimum amount necessary to satisfy the purpose of the request for the information.

Covered Entities are required to create policies and procedures for routine or recurring disclosures, as well as for disclosure requests. A privacy policy must also be created, describing possible uses and disclosures of PHI as well as duties and practices for protecting that information. The Covered Entity must deliver a notice describing this policy to all individuals with which it has a direct treatment relationship. In addition to a privacy policy, Covered Entities must designate privacy personnel, train employees and management to follow the policy, create reasonable data safeguards, and maintain documents and records. Failure to comply with HIPAA can subject the Covered Entity and individuals within it to both civil and criminal penalties. The Health Information Technology for Economic and Clinical Health Act (“HITECH”) a measure included in the American Reinvestment and Recovery Act (“ARRA”) signed into law in 2009, increases the requirements and liability of both Covered Entities and Business Associates. The HITECH Act also introduced data breach notification obligations that will apply not only to HIPAA Covered Entities and their Business Associates, but also vendors of personal health records, as well as the service providers to these vendors. State attorney generals are given express authority to bring enforcement actions in addition to HHS, and penalties have increased.

The Gramm-Leach-Bliley Act (“GLBA”)

The GLBA applies to any business that is significantly engaged in financial activities, such as lending money or providing financial advisory services. Whether a company is “significantly engaged” in financial activities depends on whether there is a formal arrangement and how often the company engages in that activity.

Under the GLBA, financial institutions must provide their customers with a privacy notice disclosing what categories of nonpublic personal information (“NPI”) are collected, what categories of NPI are disclosed, third parties to whom it will be disclosed, any disclosures required by law and any disclosures otherwise permitted by law. This privacy notice must be delivered to the customer in writing. Electronic delivery is permitted if the customer so agrees.

Customers must also be given a reasonable opportunity (such as a toll-free number or a simple form) to opt-out of any NPI-sharing agreement. The privacy notice and the opt-out usually must be provided to the customer at the time the customer relationship is established, and at least once annually thereafter. An opt-out does not need to be given if NPI is disclosed only to certain third-party service providers or to a financial institution that you have entered into a joint agreement to provide financial services with; however the privacy notice must still be delivered annually.

Consumers (customers who are commercial clients or individuals using your product or service for a business purpose) must only be provided with a privacy notice if the company significantly engaged in financial activities will share their NPI with nonaffiliated third parties outside of any exception (such as where necessary for a transaction authorized by a consumer or where necessary to comply with applicable laws). This privacy notice must only explain a reasonable way for the consumer to get the full privacy notice and must include an opt-out.

Children’s Online Privacy Protection Act (“COPPA”)

COPPA establishes rules for the collection, use, and distribution of information about children under 13 that could be used to identify the child. COPPA applies to operators of websites or online services that are directed in whole or in part at children under 13 or that are directed at a general audience but knowingly collect information from children under 13 (each, an “Operator”).

Every Operator must clearly and prominently display a link to a privacy notice on the home page of its website and at each area where personal data is collected from children. This notice must contain the name of all Operators collecting or maintaining personal information from children as well as the contact information of an Operator who will respond to all privacy inquiries. It must also describe the types of information collected, how the information will be used, and to whom and for what purposes it will be disclosed. Parents must be given the option to consent to collection without disclosure.

Before collecting most kinds of Personal Information, Operators must also give direct notice to parents including the information in the privacy notice, as well as a request for consent to collect information from the parent’s child. The method for consent depends on how the information will be used, with internal uses requiring less rigorous methods such as email, and external uses requiring stricter methods. Parental consent may always be revoked.

Operators who violate the policies of COPPA are subject to enforcement actions and civil penalties by the Federal Trade Commission (“FTC”). The FTC can also punish deceptive and unfair practices such as using collected information for undisclosed purposes or disclosing to third parties without parental consent. Individual states can also bring enforcement actions against companies for violating COPPA. Operators can meet safe harbor criteria by establishing self-regulatory programs to govern compliance with COPPA that are approved by the FTC and include independent monitoring and disciplinary provisions.

State Privacy Laws

Many states have begun to enact their own laws to protect Personal Information. This is an area that is changing rapidly, so it will be important to work with legal counsel to obtain the most up-to-date information about the requirements of the states in which you will do business and/or collect Personal Information. The following paragraphs provide illustrative examples of state laws. They are not a complete list of all state privacy laws.

California requires all operators of commercial websites or online services that collect personally identifiable information to conspicuously post a privacy policy. This policy must identify the categories of personally identifiable information collected and the categories of third parties to whom it may be shared. The policy must also describe the process by which the Operator will notify consumers of changes to the privacy policy.

Connecticut regulates the use of Social Security numbers collected from consumers. Under its policy, an individual’s Social Security number may not be publicly displayed or printed on a card required to access services. It further may not require individuals to transmit unencrypted Social Security numbers or use a Social Security number to access a website unless another authentication device is also required. The law also mandates the creation and public display of a privacy protection policy that protects the confidentiality of Social Security numbers and prohibits their unlawful disclosure.

Nebraska and Pennsylvania have dealt with privacy through their deceptive trade practices laws, with identical statutes imposing penalties for knowingly making false or misleading statements in privacy policies regarding the use of personal information. Minnesota and Nevada have passed laws governing when Internet service providers can disclose private information. Utah requires all businesses, whether online or otherwise, to disclose to customers what personal information it will share to third parties. Review with legal counsel applicable laws of states in which your company will do business and/or in which you will collect Personal Information.

Data Security Requirements

California was the first state to implement a breach notification law. Under its legislation, any entity that does business in California must report breaches of unencrypted personal information to any California resident whose information is compromised by the breach. This notification must be given expediently and without unreasonable delay. In certain situations, notice can be given through the media. Similar breach notification obligations are now in place in the vast majority of states.

In addition to breach notification laws, states have been considering measures that would require companies to adopt and implement specific data security requirements. Massachusetts has emerged as a leader in this new trend. On March 1, 2010 comprehensive data security regulations entered into force in Massachusetts. These regulations require companies to develop and maintain written information security policies and technological controls to protect certain Personal Information concerning residents of Massachusetts. While similar in aim, procedural differences can make compliance tricky when breaches implicate residents of multiple states.

International Trends

Foreign data privacy and security laws are often more stringent than U.S. requirements. At the forefront of this movement is the European Union, which has passed the European Data Protection Directive (the “Directive”). The Directive is a set of guidelines to which Member States must conform, so individual requirements of each country may be very different. Entities which process personal data must conform to the laws of both the country where they are established and the country where their processing operations take place.

The Directive restricts what categories of data may be processed and when. Companies must notify supervisory authorities about many aspects of the processing, including the categories of information collected, the purpose and to whom the data may be disclosed. The person whose data is processed must also be allowed access to information about the collected data, including the actual data in a readable form. Member States are required to implement appropriate security measures to protect personal data.

What security measures qualify depends upon available technology, cost, risks and the nature of the data. Entities that wish to delegate data processing functions must choose processors that will provide sufficient security guarantees. Additionally, the delegating entity is held accountable for the security of the data, even after the third party has taken over processing. The Directive also generally prohibits the transfer of personal data to third countries unless those countries provide adequate data protection. Only a few non-Member States have been approved by the EU.

Data protection requirements in other countries vary greatly in the level of protection required, with some countries opting for national protection schemes and others allowing industries to regulate themselves. Be sure to perform a review of applicable laws before doing business in any foreign country.

Privacy Policies

In order to comply with state and federal law, companies should have a privacy policy. The privacy policy must be responsive to the individual requirements of each law, and so the specific features of each company’s privacy policy will differ depending on the industry and on the states in which it does business. However, most policies should at a minimum include which categories of information it will collect and with whom that information may be shared.

Companies must be sure to follow their own policies carefully, as failure to do so will open the company up to potential liability from state action pursuant to that state’s law. The FTC can also punish failure to follow privacy policies as an unfair or deceptive trade practice whether or not one of the federal privacy laws applies. Private lawsuits are also possible. This threat of liability makes it extremely important to craft a privacy policy that will follow all legal requirements while not unnecessarily restricting the company’s business opportunities.