UNDERSTAND YOUR UNIVERSE: KNOW YOUR DATA-PRIVACY OBLIGATIONS

David Rice, Brian Sniffen, Paul Firuz, and Emily Raymond

Data privacy and security are some of the most important emerging legal issues in recent times. Advancements in technology have made it easier than ever to gather immense quantities of information about all of us and at the same time have created risks of unauthorized disclosure and use of that information. Many familiar companies (such as Target) have suffered damaging, high-profile data breaches that exposed them to lawsuits and led to dismissal of company board members and officers. Regulators are playing catch-up by trying to develop laws to confront these new challenges or in some cases are adapting old laws to meet them, with varying success.

In this new environment, it is essential for companies to understand how data security and privacy laws affect them and the unexpected ways in which these issues are intertwined with their operations. Many state and federal laws dictate how data is obtained, stored, used, protected, and disposed of. Companies must also develop policies that conform their practices to these laws and must train employees to implement them. Many companies are confronting these issues for the first time. Some are adapting existing policies to evolving risks that are difficult to anticipate. But the law may not always offer enough guidance to give companies the comfort of a regulatory “safe harbor.” To help meet this challenge, we present this introduction to U.S. data-privacy law to highlight rules that all companies should be aware of and to help with high-level issue-spotting.

I. OVERVIEW.

U.S. data-security law consists of a collection of federal and state laws. There is no overarching, comprehensive data-security law that covers all issues. On the federal side, the laws tend to be specific to particular types of data, such as financial data or health data, or they address specific situations, such as credit accounts. The Federal Trade Commission (the “FTC”) essentially fills the role of privacy regulator based on its jurisdiction over unfair and deceptive practices in commerce. The FTC punishes companies that fail to protect data from unauthorized disclosure or use, and it issues guidance to businesses to help them protect data.

On the state side, almost every state has a law that details how companies must respond if there is a data breach. These responses typically involve sending a notice to the affected individuals, contacting law enforcement, and taking steps to mitigate harm from the breach and prevent further breaches. States also have their own consumer-protection laws that are similar to the FTC Act, so in some cases they may take action against companies that misuse data. State laws typically regulate disposal of sensitive data.
As a general note, you will often see the terms “data security” and “data privacy” used interchangeably. It is probably more accurate to think of “data security” as involving the protection of data from unauthorized disclosure, such as theft by hackers. “Data privacy” involves the appropriate and legal collection and use of data, such as gathering information from customers online and using it to target advertising to them, while making the required disclosures.

II. GENERAL DATA-SECURITY AND PRIVACY LAWS APPLICABLE TO VIRTUALLY ALL BUSINESSES.

A. Data-breach notification laws.

A data breach can be a dramatic and often newsworthy event. These events occur without warning, and the initial hours of investigation can involve a lot of confusion as companies scramble to determine what actually happened. We recommend that companies have a data-breach policy in place before any such event, so that everyone knows what to do if it occurs.

The applicable data-breach law is generally based on the residency of the person whose information has been compromised. In some cases, this means complying with the laws of many different states. Fortunately, the laws are often close enough that a single notification to the affected individuals that incorporates all the state-required elements will generally suffice. We have summarized the data-breach laws of Oregon and Washington below and discussed potential litigation risk from breaches.

1. Oregon.

Oregon’s data-breach law (also known as the Oregon Consumer Identity Theft Protection Act) is codified at ORS 646A.604. It provides that anyone owning, maintaining, or possessing personal data in the course of his or her business or volunteer work must give notice of any data breach to any Oregon “consumer” (defined as an Oregon resident) whose personal data was included in the breach. Additionally, any party that possesses or maintains personal information on another’s behalf must notify the original owner or licensor of the information upon discovery of a breach. All notifications must be made as quickly as possible, unless delayed disclosure is requested by law enforcement agencies. Notice can be given by mail, e-mail, telephone, or, in certain circumstances if notifying each affected consumer would be too burdensome, by posting a notice on the person’s or business’s website and notifying “major statewide television and newspaper media.”

2. Washington.

Similarly, RCW 19.255.010 requires any person or business that owns or licenses computerized personal data to disclose any breach of security to Washington residents whose data is believed to have been accessed by an unauthorized person. Washington defines “personal information” under this statute as name plus social security number, debit/credit-card number, or driver’s license/state ID number. This law applies to employee data. Any business maintaining computerized personal data that the business does not own must notify the owners of the data in the event of a potential breach.

3. Litigation risk due to data breaches.

Sending out the required data-breach notification might not end the matter, since a data breach can result in a lawsuit filed by the affected parties. Oregon and Washington permit a private right of action for injured parties under certain circumstances to seek damages from those who have released their personal information without authorization (although it remains to be seen how successful these lawsuits will be). In the Target litigation, plaintiffs have been citing state prohibitions against unfair and deceptive practices to claim that Target’s practices were negligent. So essentially these statutes are being used to establish a standard of care for handling data.

In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Starbucks employees sued their employer under Washington law after a manager’s laptop, which contained the employees’ personal information, was stolen out of a car. Starbucks paid for several months of credit monitoring, and no identity theft was detected during that time. After the free credit monitoring expired, the employees sued, alleging that they had been exposed to an increased risk of identity theft. The court agreed, stating that no actual identity theft was required for the employees to recover. Rather, it was enough that Starbucks’ actions had exposed them to greater risk. After this case, businesses could face liability for data breaches even if no identity theft results.

These are just two examples. There are many other cases, and the variety of claims and factual scenarios is broad. Covering all the types of claims cited in data-breach lawsuits is beyond the scope of this paper.

B. State and federal unfair trade practices legislation.

Federal and state regulators typically rely on statutory prohibitions against unfair and deceptive actions in commerce to punish companies that promise to protect consumer data but do not do so, or that collect data from consumers and then use it in a manner that is not disclosed to the consumer.

1. The FTC Act.

The FTC Act, 15 U.S.C. § 45, prohibits “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” An “[u]nfair or deceptive act” is defined as an act that causes, or is likely to cause, a reasonably foreseeable injury. As with the state statutes, this federal statute might be used to sue a company for identity theft stemming from a data breach. The FTC has relied on this broad authority to punish many companies, including Facebook, Google, and Twitter, for misleading consumers about the collection and use of data or for failing to protect data in accordance with representations made to consumers.

2. Oregon.

ORS 646.607 similarly prohibits unlawful trade practices generally, and prohibits companies from using “unconscionable tactic[s]” to sell or promote goods or services and from failing to deliver promised goods or services. This statute could potentially be used to hold a business liable for promising that customer information would be kept secure if the business is unable to provide the promised level of security.

3. Washington.

RCW 19.86.020 states that “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.” As in Oregon, this statute could create liability for businesses that fail to appropriately secure customer data.

C. Identity-theft and data-protection laws.

In addition to data-breach notification laws, there are state laws designed to prevent identity theft.

1. Oregon.

In addition to requiring consumer notification in the event of a data breach (as discussed above), the Oregon Consumer Identity Theft Protection Act also prohibits the public display of consumers’ full Social Security numbers (e.g., on a card needed to access a business’s services) and requires a business that stores consumers’ personal information to develop a plan for safeguarding that information. Oregon law further outlines steps that businesses can take to comply with Oregon law, including (see ORS 646A.622):

(a) Designating one or more employees to coordinate a security program;
(b) Identifying reasonably foreseeable internal and external risks;
(c) Assessing the sufficiency of safeguards in place to control the identified risks;
(d) Training and managing employees in the security program practices and procedures;
(e) Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract;
(f) Adjusting the security program in light of business changes or new circumstances;
(g) Assessing risks in network and software design;
(h) Assessing risks in information processing, transmission, and storage;
(i) Detecting, preventing, and responding to attacks or system failures;
(j) Regularly testing and monitoring the effectiveness of key controls, systems, and procedures;
(k) Assessing risks of information storage and disposal;
(l) Detecting, preventing, and responding to intrusions;
(m) Protecting against unauthorized access to or use of personal information during or after the collection, transportation, and destruction or disposal of the information; and
(n) Disposing of personal information after it is no longer needed for business purposes or as required by law.

2. Washington.

RCW 9.35.020 is Washington’s identity-theft law. It states that no person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime. Like Washington’s data-breach notification law, this law applies broadly to any theft of personal data, not just consumer or employee data.

III. DATA-PRIVACY RULES APPLICABLE TO SPECIFIC INDUSTRIES, TYPES OF DATA, AND SITUATIONS.

In addition to the general requirements above, there are data-security and privacy laws containing requirements regarding particular classes of data or addressing specific scenarios. The situations and data classes covered below involve health information, student information, financial information, credit cards, payment accounts, children’s data, and data held by insurance companies.

A. Businesses dealing with health information.

Any business dealing with health information should be aware of whether it is covered by the Health Insurance Portability and Accountability Act (“HIPAA”) and, if so, how HIPAA affects its use and storage of data. HIPAA establishes federal protections for individuals’ personal health information (“PHI”) and medical records, and rules regarding whether and how such information may be disclosed. The HIPAA Privacy Rule applies to health insurance plans, healthcare clearinghouses, and healthcare providers conducting certain electronic transactions. See 45 C.F.R. pt. 160, pt. 164, subpts. A, E. This Privacy Rule requires that appropriate safeguards be in place to protect the privacy of PHI, and also sets conditions and limits on the use and disclosure of PHI. Patients are given specific rights over their PHI, including the rights to obtain and examine copies of their health records, and also to request corrections. HIPAA’s Privacy Rule details the administrative, physical, and technical safeguards that covered entities and their business associates must have in place to ensure the integrity, confidentiality, and availability of electronic PHI.

Covered entities and their business associates must notify patients or customers if a breach of unsecured PHI occurs. The FTC enforces similar breach-notification rules under the HITECH Act, which applies to vendors of personal health records and third-party service providers. For purposes of these rules, a breach is generally defined as an impermissible use or disclosure that would compromise the security or privacy of PHI. Factors considered in determining whether there has been a breach include the nature and extent of the PHI involved, the unauthorized person to whom the disclosure was made or who used the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk of disclosure of PHI was subsequently mitigated.

B. Educational institutions.

The Family Educational Rights and Privacy Act (“FERPA”) covers all schools receiving funds under applicable programs of the U.S. Department of Education. See 20 U.S.C. § 1232g. FERPA protects the privacy of student education records, and gives parents rights regarding their children’s education records as well. Rights initially granted to parents transfer to the student when he or she attends school beyond the high school level or reaches age 18. Once rights have been transferred to a student, that student will be deemed an “eligible student” under federal FERPA regulations.

A parent or eligible student has certain rights under FERPA, including the right to review and inspect the student’s education records that the school maintains, and to request that records believed to be inaccurate or misleading be corrected by the school. If such a request is made and the school decides against amending the records, the eligible student or parent then has a right to a formal hearing. If the school decides not to amend the records after a hearing, the eligible student or parent then has the right to file a statement with the student’s records containing his or her view regarding the contested information.

In order to release information from a student’s education records, a school must generally have written permission from a parent or eligible student. Under FERPA, a school may disclose those records without consent to specified third parties only under certain circumstances (e.g., to other schools to which a student is transferring, accrediting organizations, etc.). Schools do not need consent in order to disclose “directory” information, such as a student’s name, phone number, address, date and place of birth, dates of attendance, and honors and awards. A school must tell the parent or eligible student about this directory information, however, and the parent or eligible student must be allowed a reasonable amount of time to request that the school not disclose directory information about the student.

C. Companies that process credit-card data.

The Payment Card Industry Data Security Standard (“PCI DSS”) is a standard issued by the Payment Card Industry Security Standards Council, and was created to increase cardholder data security and thereby reduce credit-card fraud. PCI DSS is not a federal law, but rather a security standard that is broadly recognized and enforced. PCI DSS was created when major credit-card companies (Visa, MasterCard, Discover, American Express, and Japan Credit Bureau) aligned their individual security policies in 2004. Today, PCI DSS constitutes a widely accepted set of procedures and policies intended to keep credit, debit, and cash-card transactions secure, and to protect cardholders against misuse of their personal data. It provides a framework for developing payment-card-data-security processes, including detection, prevention, and appropriate reaction to security incidents.

Specific rules regarding compliance with PCI DSS vary depending on the volume of applicable transactions that a company processes. And although PCI DSS is not promulgated by the government, companies that process payment information should be aware of how the standards apply to them. Fines for noncompliance can range from $5,000 to $100,000 per month. PCI DSS is relevant for organizations handling cardholder information for major debit, credit, e-purse, ATM, prepaid, and POS cards, and generally applies to all merchants that store, process, or transmit cardholder data.

D. FTC “Red Flags Rule.”

The “Red Flags Rule” requires businesses and organizations classified as creditors that have “covered accounts” to implement a written program to detect warning signs of identity theft in regular operations. See 16 C.F.R. pt. 681. Businesses must also take steps to prevent the potential for identity theft, and to mitigate harm in the event of identity theft or a data breach. The intention is to aid businesses in identifying suspicious patterns and to prevent identity theft and its consequences. The Red Flags Rule tells organizations how to properly develop, implement, and administer identity-theft prevention programs. The basic requirements for these programs are reasonable policies and procedures to identify “red flags” of identity theft that could occur under normal circumstances; a description of the action that will be taken if and when red flags are detected; and a description of how the program will be kept current to reflect new threats.

E. Financial institutions: the Gramm-Leach-Bliley Act.

The Gramm-Leach-Bliley Act (the “GLBA”) requires companies that offer consumers financial products or services (e.g., loans, financial advice, or insurance)—so-called “financial institutions” under the GLBA—to safeguard sensitive data and to explain their information-sharing practices to customers. See 15 U.S.C. § 6801 et seq. The definition of “financial institutions” for the purposes of the GLBA is broad and includes all businesses that are “significantly engaged” in providing financial products or services.

Covered entities must provide a privacy notice that is clear and conspicuous and that accurately states their privacy practices. The notice should detail what information the company collects about its consumers and customers, with whom that information is shared, and how the company protects and safeguards that information. The notice requirements apply to “nonpublic personal information” that a company gathers and discloses about its customers and consumers. In practice, this may include most or all of the information that a financial institution has about its customers and consumers. For example, the simple fact that a particular individual is a consumer or customer of a financial institution is potentially nonpublic personal information. Nonpublic personal information can also include information that a customer puts on an application, information about a consumer gained from another source, such as a credit bureau, or information about transactions between an individual and the financial institution, such as an account balance. Information that is lawfully public is not restricted by the GLBA.

Customers and consumers have the right to keep their information from being shared with certain third parties. Privacy notices must allow people to opt out of having their information shared, and financial institutions must offer a reasonable procedure for opting out. Providing a detachable form with a preprinted address or a toll-free phone number are both reasonable ways to opt out; requiring an individual to write a letter is not reasonable under the GLBA. The GLBA also prohibits financial institutions from disclosing customers’ account numbers to companies that are not affiliated with the source institution for telemarketing, direct-mail marketing, or e-mail marketing, even if the customers in question have not opted out of sharing their information for marketing.

F. Collecting data from children.

The Children’s Online Privacy Protection Act (“COPPA”) applies to companies with websites designed for children and companies whose websites are intended for general audiences but collect information from individuals known to be under age 13. See 15 U.S.C. § 6501 et seq. COPPA’s goal is to allow parents to control what information websites can collect from their children. Generally, companies subject to COPPA must establish and maintain reasonable procedures to ensure that the confidentiality, security, and integrity of personal information collected from children are protected. Parental consent is required before collecting information. Information collected from children should be minimized to the extent possible, and reasonable steps must be taken to release such information only to third parties capable of maintaining its security, confidentiality, and integrity. Personal information should be retained only as long as is reasonably necessary, and must be securely disposed of once there is no longer a legitimate reason for retaining it.

G. Insurers.

In addition to governing the collection, use, and dissemination of consumer information for credit and employment purposes, the Fair Credit Reporting Act (“FCRA”) also regulates the collection, use, and dissemination of consumer information for insurance purposes.

Users of this information must (1) notify the consumer when an adverse action is taken based on that information; and (2) identify the company that provided the information, so that the information’s accuracy and completeness may be verified or contested by the consumer.

H. Federal rules regarding using personal data for employment decisions.

The laws described below deal directly with the relationship between the employer and employee.

1. Using background information for employment decisions.

The Equal Employment Opportunity Commission (the “EEOC”) and the FTC jointly published guidance regarding background checks in the spring of 2014. This section summarizes that guidance, but any employer considering the background information of its applicants or employees should review the joint guidance in full.

The EEOC generally requires that employers treat all employees equally. In this context, equal treatment means that background checks may not be conducted or waived based on a person’s race, national origin, sex, religion, disability, genetic information, or age. In addition, any background information received must not be used to discriminate in a way that would violate the law. So the same standards must be applied to everyone, special care should be taken when basing employment decisions on background information, and if problems revealed during a background check were caused by a disability, exceptions may be necessary.

The FCRA protects consumer credit data, and requires that certain steps be taken when an employer takes adverse action (e.g., firing an employee; not hiring an applicant) based on information obtained from a company in the business of collecting background information. Before the adverse action, the applicant or employee must be given a notice including a copy of the consumer report relied on to make the adverse decision, and a copy of the document titled “A Summary of Your Rights Under the Fair Credit Reporting Act.” After an adverse employment action is taken, the applicant or employee must be told: that he or she was rejected because of information in the report; the name, address, and phone number of the company that sold the report; that the company selling the report did not make the adverse employment decision, but only supplied the data on which the decision was based; and that the employee or applicant has a right to dispute the completeness or accuracy of the report, or to get a free report from the reporting company within 60 days.

In Oregon, the use of credit history for hiring decisions is even more restricted: it is generally illegal to obtain information contained in an individual’s credit history or to make employment decisions based on credit information. ORS 659A.320. Similarly, in Washington, employers cannot obtain a credit report as part of a background check unless the information is required by law or “[s]ubstantially job related and the employer’s reasons for the use of such information are disclosed . . . in writing.” RCW 19.182.020.

2. Disposing of an employee’s personal information.

The EEOC requires that personnel and employment records that an employer makes or keeps (including application forms, even when an applicant was not hired) be kept for one year after the records were made, or for one year after a personnel action was taken. The FTC requires that after recordkeeping requirements have been satisfied, employers dispose of any background reports and any information gathered from them in a secure manner. This includes burning, pulverizing, or shredding paper documents, and disposing of electronic information so that it cannot be reconstructed or read.

Employers requiring a credit report from prospective employees must, according to the Fair and Accurate Credit Transactions Act, dispose of those reports and the information derived from them in a safe and secure manner. Any business using consumer reports for business purposes, including employers using consumer reports to make employment decisions, is subject to this “Disposal Rule,” which requires that information derived from consumer reports and records be properly disposed of in order to protect against “unauthorized access to or use of the information.” The FTC allows for some flexibility in determining how best to protect against unauthorized use, and covered organizations may determine what measures are reasonable and appropriate based on the information’s sensitivity, the benefits and costs of different disposal methods, and technological developments.

IV. BEST PRACTICES.

Companies must have appropriate policies in place to deal with the data-security issues described above. It is also essential to ensure that employees are educated about those policies and trained in implementing them. In some cases, laws might not state specifically what companies must do, only that they must adopt practices that are appropriate to the types of data they collect and their needs. As a general guide, we provide the following tips for businesses, adapted from the FTC document Protecting Personal Information: A Guide for Business.

A. Take account.

Know what personal information and other important and sensitive information you have in files and on computers and electronic devices. Know where and how this information is kept, and who has access to it. Consider different levels of data privacy for different documents to ensure that only people who need sensitive information can access it. Update access policies as people move within the company or leave the company.

B. Scale down.

Keep only the information you need for your business. Check default settings on credit-card processing software to make sure that entire card numbers aren’t kept. Develop a written records retention policy for what you do keep.

C. Lock data.

Encrypt digital files, and keep paper files or physical media in a secure place with limited employee access. Require employees to put files away, log off their computers, and lock cabinets and doors. Regularly check security systems and run antivirus programs. Make sure that employees have strong passwords and that passwords aren’t shared. Consider requiring regular password changes. Make sure that all new employees go through data and security training and know who has access to which information.

D. Discard unused information.

Dispose of data you no longer need in a secure manner and in accordance with applicable law. Make sure that employees are trained on these procedures. Shred paper records, use data-wiping software on old computers, and follow the FTC rules for disposing of credit reports.

E. Plan ahead.

Make sure that employees know what personal information is and how to safeguard it under the applicable state and federal laws. Regularly test and monitor security systems and be familiar with the steps to take in the event of a breach so that you can act quickly. Have a plan for notifying consumers in the event of a data breach.

IDENTIFYING RISK—A DATA-SECURITY CHECKLIST

This list provides some questions that will help you start to identify how data is collected, used, stored, and shared at your organization, which is a key step in assessing risk and developing appropriate data-security and privacy procedures. This list is general and high-level, so additional or different requirements might apply based on your unique situation. Before implementing any plan, consult an attorney who can explain these requirements.

Data Collection

- What sensitive data is collected?
  - Personal information? Health information? Financial information?
- When and how is data collected?
  - When bills are paid? When accounts are established?
- Who collects the data?
  - You or a third party that will later provide it to you?
- What is disclosed to the data discloser about the collection and use of the data?
- Is consent obtained for all uses?
- Is disclosure handled through website terms and conditions or a privacy policy? By contract? Is it clear and conspicuous?

Data Use

- How is the data used?
  - Research? Advertising? Hiring?
- Is the actual use consistent with the use described to the discloser?
- How and where is the data stored?
  - Secure? Encrypted?
- How long is the data stored?
  - Best to dispose of it securely and in accordance with the law when the need to have it passes.

Data Flow

- What data is shared with third parties/data processors?
- Do you audit the privacy practices of those third parties and have appropriate contract provisions?
  - The third-party practices should be consistent with your standards.
- Do those third parties share that data with additional third parties, with which you may or may not have a relationship?
- What data is received from third parties?
  - How is that data handled, used, processed, stored, or combined with data from other sources?

Internal Practices

- Are appropriate data-security policies in place that comply with applicable law?
- What happens if there is a breach?
- Who is responsible for managing data security?
- Are employees appropriately trained?
- Is access to data limited to “need to know” parties only?
- How can you update practices and policies as necessary and as risks evolve?
