Privacy and Data Security
by Drew Larson and Brian McCormac
Hardly a day goes by without a headline about data security and online privacy issues. From Edward Snowden to Target to Heartbleed, the public is constantly bombarded with reasons to worry about its security and privacy online. The public scrutiny is leading to calls for new regulations and increased enforcement of consumer privacy and data protection laws. While no single article can come close to summarizing the many data security and privacy rules and regulations that exist, we will highlight some of the major rules that could apply to your business. Before describing particular rules, it is important to note that data security and privacy rules are not just an issue for internet companies like Facebook, Twitter, and Google. Rather, the rules can apply to any business that collects data about its prospects, customers, employees, or vendors.
In general, there is no comprehensive privacy or data security law in the United States. However, there are a number of federal laws that apply to certain types of data that a business may collect, and various states have enacted rules regarding data privacy and security that apply to data about their citizens. Here is a summary of some of the laws that could apply to your business:
CAN-SPAM Act
The CAN-SPAM Act regulates the use of email addresses for commercial advertisement or promotional purposes. Generally, it (i) prohibits senders of commercial emails from using misleading header information or subject lines, (ii) requires senders to identify the message as an advertisement or solicitation, and (iii) requires senders to provide a method to opt out of receiving further commercial emails from the sender. CAN-SPAM applies to a business even if it engages a third party to actually send out the marketing emails.
State Breach Notification Laws
To date, 46 states have adopted data breach notification laws that require notice to affected individuals if there is an unauthorized disclosure of certain personal information. In general, personal information is defined as a person's name plus one of the following (depending on the state): social security number, driver's license number, financial account number, medical information, insurance information, biometric information, passport numbers, date of birth, mother's maiden name, or DNA. In general, there is a "safe harbor" that allows companies to avoid sending notice if the personal information is encrypted. In addition, 35 states include provisions that only require notification if the breach poses, or is likely to pose, a significant risk of harm to the affected individuals.
Data Security Laws
A small number of states have begun to implement data security rules. For example, Massachusetts has implemented laws that require businesses that collect personal information about Massachusetts residents to implement a written information security program with appropriate administrative, technical, and physical safeguards for the personal information. Personal information is defined as a name plus a SSN, driver's license number, or financial account number. The laws specify a number of actions that must be taken, including encryption of personal information while it is being transferred electronically, implementation of secure user authentication and file access protocols, encryption of laptops and portable devices, installation of up-to-date firewall protections, and similar requirements. It is expected that more states will implement data security laws in the coming years.
California "Shine the Light" Law
Health Insurance Portability and Accountability Act ("HIPAA")
Health care providers are subject to stringent privacy and data security rules for personal health information pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). In addition, businesses that access personal health information by providing services to health care providers are also subject to HIPAA's rules as "business associates." Business associates can include software providers, service providers, lawyers, and others. Enforcement activity has been increasing in this area, and the fines can be substantial. If your business has access to personal health information, it is important that you are aware of HIPAA's requirements.
Gramm-Leach-Bliley Act ("GLBA")
The Gramm-Leach-Bliley Act ("GLBA") governs and protects personally identifiable financial information that is collected by financial institutions such as banks, securities firms, insurance companies, retailers that issue their own credit cards, and other similar businesses. GLBA requires financial institutions to notify customers about their information sharing practices, to provide an opt-out method for sharing with unaffiliated third parties, and to implement a written security program to protect against unauthorized disclosures.
Children's Online Privacy Protection Act ("COPPA")
The Children's Online Privacy Protection Act is a federal law that regulates the collection of individually identifiable information about a child under the age of 13. In general, websites that collect information about a child must (i) provide certain notices to and obtain certain consents from parents, (ii) provide methods for parents to prevent future use and collection of information about that child, and (iii) maintain procedures to ensure the confidentiality, security, and integrity of the child's personal information.
Drew Larson is an associate at BrownWinick and practices primarily in the areas of corporate formation and transactions, intellectual property, estate planning, and tax. Drew can be reached at (515) 242-2485 or firstname.lastname@example.org.
Brian McCormac is a member at BrownWinick and assists clients with a wide range of legal concerns, including litigation, business transactions, compliance, and advertising and promotions. Brian can be reached at (515) 242-2431 or email@example.com.