A Legal Guide To PRIVACY AND DATA SECURITY
202 4
A CollaborativeEffort Minnesota Department of Employment and Economic Development Lathrop GPM
A Legal Guide To PRIVACY AND DATA SECURITY 20 2 4 is available without charge from the Minnesota Department of Employment & Economic Development (DEED), Small Business Assistance Office, 180 E 5th St Suite 1200, Saint Paul, MN 55101
The Guide is available to view or download at Small Business Assistance Office.
Telephone: 651-556-8425 | 800-310-8323 Email: deed.mnsbao@state.mn.us
Upon request, this publication can be made available in alternative formats by contacting 651-259-7476.
The Minnesota Department of Employment & Economic Development is an equal opportunity employer and service provider.
This guide is also available from Lathrop GPM , 500 IDS Center, 80 South Eighth Street, Minneapolis, MN 55402. Telephone: 612-632-3000
A Legal Guide To PRIVACY AND DATA SECURITY
2024
Primary Author: Michael R. Cohen CIPP/US, CIPP/E, CIPM, FIP, PLS
A Collaborative Effort Minnesota Department of Employment & Economic Development (DEED) Lathrop GPM Copyright © 2024 Minnesota Department of Employment & Economic Development (DEED) and Lathrop GPM ISBN 978-1-888404-95-01
TABLE OF CONTENTS
DISCLAIMER .............................................................................................vi INTRODUCTION .......................................................................................vii LEGAL BASIS FOR A RIGHT TO PRIVACY .....................................................1 FEDERAL LAWS GOVERNING DATA PRIVACY AND SECURITY .....................3 HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA,FACTA, CFAA…...3 Welcome to federal data privacy law and the world of acronyms .................................................................................3 Use and Disclosure of Financial Information ..............................4 Gramm-Leach-Bliley Act (GLBA) .....................................4 Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA) .......11 Use and Disclosure of Medical Information ...............................17 The Health Insurance Portability and Federal Trade Commission Act (FTC Act) ...................................23 FTC Online Behavioral Advertising Principles .............................33 Children’s Online Privacy Protection Act (COPPA) .....................35 Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) ................................................39 The Telephone Consumer Protection Act (TCPA) [47 U.S.C. § 227] ........................................................................42 Accountability Act (HIPAA) ............................................17 Medical Research - The Common Rule .........................23
i
Telemarketing and Consumer Fraud and Abuse Prevention Act [15 U.S.C. §§ 6101-6108] ..................................47 Deceptive Mail Prevention and Enforcement Act (DMPEA) ..............48 Junk Fax Prevention Act (JFPA) ..................................................48 Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030 (c)] ...49 Electronic Communications Privacy Act (ECPA) [18 U.S.C. §§ 2510-3127] ...........................................................50 Federal Laws Related To Social Security Numbers .....................51 The Driver’s Privacy Protection Act (DPPA) [18 U.S.C. §§ 2721-2725] ...........................................................52 Video Privacy Protection Act (VPPA) [18 U.S.C. § 2710] ....................................................................53 Other Federal Privacy Laws .......................................................53 Identity Theft and Assumption Deterrence Act of 1998, 15 U.S.C. § 1028 .........................................................................54 The National Institute of Standards and Technology (NIST) Cybersecurity Framework .........................................................56 Federal Law and Proposed Legislation.........................................57 Data Breach ...............................................................................58 PRIVACY AND THE EMPLOYMENT RELATIONSHIP ...................................60 Discrimination Laws ...............................................................61 Protected Activity Laws .............................................................63 Applicant Screening Laws ..........................................................66 Employee Privacy Considerations ..........................................68 Federal Laws Applicable to Electronic Communications and Data ................................................................................71 The Electronic Communications Privacy Act (ECPA or the “Wiretap Act”) .........................................71 The Stored Communications Act (SCA) [18 U.S.C. § 2701, et seq.] ............................................72
ii
The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030, et seq.] .............................................73 References and Recommendations ...........................................73 Safeguarding Confidential and Proprietary Information ............74 Employer Policies and Practices .................................................75 STATE DATA PRIVACY AND SECURITY LAWS .............................................78 Minnesota Data Privacy and Security Laws ......................................80 Internet Service Providers [Minn. Stat. § 325M.01]...................80 Identity Theft/Phishing...............................................................84 Minnesota Data Breach Notification ..........................................90 Minn. Stat. § 13.0 Minnesota Government Data Practices Act...9 7 Minn. Stat. § 13.15 Government Websites ...............................98 Plastic Card Security Act ............................................................99 Use of Social Security Numbers [Minn. Stat. § 325E.59]..............102 Recording Communications [Minn. Stat. § 626A.02 Wiretap law] ............................................................................104 California ........................................................................................110 Virginia............................................................................................118 Colorado..........................................................................................119 Connecticut..........................................................................................121 Utah.................................................................................................122 Massachusetts.................................................................................123 New York .........................................................................................124 Other State Privacy and Breach Notification Laws .........................125 State Breach Notification Laws ..............................................126 State Data Protection and Security Laws .................................127 Maine.......................................................................................129 Nevada.....................................................................................130 Massachusets..........................................................................132 New Hampshire.......................................................................132 New Jersey...............................................................................132
iii
North Carolina..............................................................................132 Pennsylvania........................................................................132 Wisconsin.............................................................................132 Minnesota...............................................................................132 Mississippi.............................................................................133 New York...................................................................................134 Rhode Island.............................................................................134 Washington...............................................................................134 Vermont...................................................................................134 West Virginia............................................................................134 Summary..................................................................................134 GLOBAL PRIVACY AND DATA SECURITY LAW...........................................135 EU 1995 Data Directive/General Data Protection Regulation...136 Transfer of Personal Data Outside of the European Union......141 Prior EU-U.S. Safe Harbor ............................................144 Model Contracts - Standard Contractual Clauses (SCCs) ..........................................................................146 Key Differences between the Old SCCs and New SCCs.....................................................................148 Binding Corporate Rules..............................................149 CANADA..........................................................................................153 Personal Information Protection and Electronic Documents Act (PIPEDA) ...................................................153 Canada Anti-Spam Law [SC 2010,C23] ...............................155 OTHER COUNTRIES...........................................................................156 BEST PRACTICES ....................................................................................158 Key Questions Every Business Should Ask Related to Data Privacy and Security....................................................158 Establish a Compliance Program ........................................161 Customized Program ..................................................161
iv
Security Incident and Data Breach Plan ..............................162 Mitigating Risk By Contract .........................................165 Insurance ............................................................................167 Physical Safeguards/Office Design ......................................168 Storage and Maintenance of Electronic Data ..............168 Document Retention - Storage and Maintenance of Hard Copies..........................................................16 9 Technical Safeguards ..................................................16 9 Encryption, Encryption, Encryption ............................170 Limit Access ................................................................171 Limit Data Collected ....................................................171 Remote Access ............................................................171 Administrative Safeguards ..........................................172 Steps to Take in Event of Identity Theft .......................174 FINAL THOUGHTS - WHAT IS NEXT? .....................................................176 PRIVACY LAW TIMELINE ........................................................................180 SOURCES OF INFORMATION ON DATA PRIVACY AND SECURITY ...........185 Other government sites and publications that provide privacy related information ........................................................................186 Other Useful Websites....................................................................187 Selected Books, Articles and Treatises on Privacy......................188
v
DISCLAIMER
This Guide is designed to alert businesses to legal issues related to privacy and data security. It is intended as a guide and not as a definitive source to answer your legal and business questions. It should not be relied upon for specific legal advice. Legal and other professional counsel should be consulted. Lathrop GPM and the Minnesota Department of Employment and Economic Development, Small Business Assistance Office cannot and do not assume responsibility for decisions made based upon the information contained herein.
vi
INTRODUCTION
The race is on to enact consumer data privacy laws across state lines, which, in the absence of a comprehensive federal law, would provide individuals with more choice over how companies acquire and utilize their personal data. Currently, there are 12 states – California, Virginia , Delaware, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, and Texas – that have comprehensive data privacy laws in place. During the 2022-23 legislative cycle, at least 16 states introduced privacy bills that addressed a range of issues, including protecting biometric identifiers and health data. This patchwork approach to privacy legislation could pose compliance and liability risks for companies that have multi-state operations. A Minnesota business that participates in ecommerce must look beyond Minnesota laws and become familiar with the multiple federal and state laws that govern how personal data can be collected and used. Minnesota businesses of all sizes collect, store, and share personal information about individuals. While new technology and access to information allows for greater innovation and delivery of products and services, it also creates a challenge. How does a business optimize the information available and remain in compliance with the evolving and ever-changing legal landscape? How does a business not compromise consumer privacy as more and more information is shared and collected? What about privacy rights of employees and prospective employees?
vii
The scope and type of personal data collected by businesses continues to grow, as does the ease of gathering and storing the data. A small thumb drive containing all of a business’ trade secrets and employee information can be easily removed and transported in a person’s pocket. New technology allows for the tracking of consumer preferences and information, including their exact location, making it possible to do real- time targeted marketing. The aggregation of consumer data by data brokers is increasingly being monetized and used by businesses as even more detailed information about consumers becomes available. Big data is viewed as both a savior in medical research and a menace to privacy. The so-called “Internet of Things” allows for household appliances and cars to collect and share personal consumer data like never before. High profile data breach incidents exemplify the need for businesses to take a serious look at data privacy and security issues and how they fit within their business operations. Potential breaches are not simply the result of lax computer systems and poor data security. A business can be just as liable for a data breach by leaving job applications in a public dumpster or mailing medical information to the wrong patient due to a printing error. While it is impossible for a business to become an expert in all the laws related to data privacy and security, it is our hope that this Guide will at least provide a basic understanding of the wide variety of laws and how those laws may impact your business. This Guide was prepared for Minnesota-based businesses. Data, however, crosses state and national borders, and thanks to the Internet, most businesses have now become global. It is no longer safe to just consider Minnesota and U.S. laws and federal regulations when it comes to data privacy and security. For this reason, we have included some basic information on data privacy laws outside of the United States.
viii
ix
insurance, and take other activities necessary to comply with the CCPA/ CPRA and other state data privacy laws as well as the GDPR if personal data of EU residents is collected. At the end of this Guide, we offer best practices and a list of sources and references for further information on these issues. We welcome your comments on this Guide and any suggestions you might have for data privacy and security issues to cover in future editions. Finally, I would like to thank Jesse Berg and Caitlin Gehlen at Lathrop GPM for their support in preparing this version of A Legal Guide To Privacy and Data Security . Michael R. Cohen, CIPP/US, CIPP/E, CIPM, FIP, PLS Lathrop GPM 2024
x
LEGAL BASIS FOR A RIGHT TO PRIVACY
Sources of privacy law include constitutional law, tort law, contract law, federal and state laws and regulations, and foreign laws. Constitutional. There is no explicit reference to privacy as a right in the United States Constitution. The Supreme Court of the United States has, however, held in several cases that there exists a right to privacy or at least a “reasonable expectation of privacy” as implied in the First, Third, Fourth, Ninth, and Fourteenth amendments. [See Olmstead v. United States , 277 U.S. 438 (1928), Kat z v. United States , 389 U.S. 347 (1967), Griswold v. Connecticut , 381 U.S. 479 (1965), Roe v. Wade , 410 U.S. 113 (1973), Whalen v. Roe , 429 U.S. 589 (1977)]. In United States v. Jones , 132 S. Ct. 945 (2012), the installation of a GPS device by law enforcement in a car without a warrant was found to constitute a search under the Fourth Amendment because it represented a trespass on a person’s property. In concurring opinions, it was noted that the use of long term surveillance violates a “reasonable expectation of privacy.” This was followed by Riley v. California , 573 U.S. (2014), where the Supreme Court ruled that the contents of mobile devices are protected by the Fourth Amendment’s warrant requirement. The Supreme Court issued its landmark privacy decision in Carpenter v. United States , 138 S. Ct. 2206 (2018) ruling that the government must get a warrant before accessing a person’s sensitive cellphone location data. The Dobbs v. Jackson Women’s Health Organization landmark decision overruling Roe v. Wade and Planned Parenthood v. Casey has profound implications for privacy and data protection regarding abortion.
1
There are now explicit data privacy provisions in the constitutions of at least ten states, including Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington. There is no explicit data privacy provision in the Minnesota State Constitution. Tort law. The tort of invasion of privacy has been identified and described in the Restatement (Second) of Torts § 652 (1977) (“Restatement”) and includes: 1) intrusion upon seclusion; 2) public disclosure of private facts; 3) appropriation of name or likeness; and 4) publicly placing a person in false light. Other torts and causes of action related to privacy may include defamation, assault and battery, trespass, breach of confidentiality, intentional infliction of emotional distress, negligence, and right of publicity. In a Minnesota case, Lake v. Wal-Mart Stores, Inc. 582 N.W.2d 231 (Minn. Sup. Ct. 1998), the Minnesota Supreme Court recognized a right to privacy in Minnesota, and adopted the Restatement definitions for three of the Restatement torts - intrusion upon seclusion, appropriation, and publication of private facts. [See also Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550 (Minn. 2003) and the common law of privacy later in this Guide]. Contracts. Confidentiality agreements and related contracts may have specific provisions restricting the right to use or disclose information and are generally governed by state law. Terms of Use and Privacy Policies that appear on websites may also be enforceable. Business Associate agreements may be required under the Health Insurance Portability and Accountability Act (“HIPAA”). See discussion of Business Associate agreements later in this Guide. Commercial agreements now also include provisions on handling personal information and data security. Social media platforms such as Facebook have terms of use and privacy policies that include provisions regarding the sharing of personal information. [See Lathrop GPM and Minnesota Department of Employment and Economic Development publication A Legal Guide To the Use of Social Media in the Workplace July 2013 ]. 2
FEDERAL LAWS GOVERNING DATA PRIVACY AND SECURITY
HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA, FACTA, CFAA…. Welcome to federal data privacy law and the world of acronyms. There is no single federal law governing data privacy and security in the United States. There are, however, many different requirements for implementing data security procedures or protecting personal data that can be found in a host of federal laws. Most of the federal laws that cover data privacy and security obligations for businesses are specific to certain industries and types of information such as: Financial information. The Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and Fair and Accurate Act Credit Transactions Act (FACTA) Healthcare and medical information. The Health Insurance Portability and Accountability Act (HIPAA) Other federal laws cover specific activities that may use personal information such as: Telemarketing (including text messages used for marketing purposes). The Telephone Consumer Protection Act (TCPA)
3
Commercial email. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) The online collection, use, and disclosure of information from children. The Children’s Online Privacy Protection Act (COPPA) Other key federal laws that are discussed in this section of the Guide include the Telemarketing and Consumer Fraud and Abuse Prevention Act, Deceptive Mail Prevention and Enforcement Act, Junk Fax Prevention Act, the Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), Driver’s Privacy Protection Act, (DPPA), Video Privacy Protection Act (VPPA), and other “safeguard” regulations imposed by the Federal Trade Commission Act as necessary to regulate unfair and deceptive trade practices. At the end of this section we have listed some other federal laws that govern privacy rights but that may be more focused on government obligations and not the private sector. The absence of a single comprehensive federal data privacy and security law in the United States forces a business to become familiar with a variety of federal and state laws that may impact their operations.
Use and Disclosure of Financial Information Gramm-Leach-Bliley Act (GLBA)
Among other things, the Gramm-Leach-Bliley Act (GLBA) regulates the collection, use, protection, and disclosure of nonpublic personal information by financial institutions. With respect to banks and credit unions, the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) are the primary regulators and enforcers of the GLBA. The Federal Trade Commission (FTC) is the primary enforcer of the GLBA for all financial institutions other than those banking entities.
4
The definition of “financial institution” is quite broad and includes businesses that are significantly engaged in providing financial products or services, such as check-cashing businesses, mortgage or nonbank lenders, loan brokers, financial and investment advisors, real estate service providers, insurance, debt collectors, and businesses providing retail financing to consumers. A Minnesota business can also be covered under these laws if they collect and maintain financial information for companies that fall directly under these laws. Service providers to financial institutions are subject to examination by the regulators and will generally be expected to contractually agree to comply with the GLBA requirements. Amendments to the Safeguards Rule of the Gramm Leach Bliley Act became effective October 27, 2022, expanded the definition of financial institutions covered by the law and imposed new burdensome requirements related to data security. Motor vehicle dealers and colleges are just two examples of non -banking financial institutions that now fit the expanded definition of so-called “finders” and are required to implement and maintain a comprehensive data security system that protects customer information. In general the amendments impose more specific requirements on the covered business or organization such as encryption, employee training, secure development practices, multi-factor authentication, information disposal procedures, vendor management, reporting to boards of directors, and assigning a person to implement and manage the data security program. Purpose. The purpose of the GLBA is to restrict the sharing of customers’ financial information by requiring financial institutions to give customers notice of their privacy practices, providing a right of a consumer to opt-out of certain types of sharing, and requiring financial institutions to implement appropriate safeguards to protect their customers’ “nonpublic personal information.”
5
Definition of Nonpublic Personal Information. The privacy provisions of the GLBA apply only to “personally identifiable financial information.” 15 U.S.C. § 6809(4). “Personally identifiable financial information” means any information: (i) that a consumer provides to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service; or (iii) obtained about a consumer in connection with providing a financial product or service to the consumer. Sharing of Information with Affiliated Companies . The GLBA does not restrict the sharing of nonpublic personal information with affiliates although it does require disclosures regarding affiliate-sharing practices. The Fair Credit Reporting Act (FCRA) does limit the sharing of certain financial information with affiliates for marketing purposes and requires that consumers be given notice of the affiliate sharing and the right to opt-out. 15 U.S.C. § 1681s-3. Sharing of Information with Third Parties. Nonpublic personal information can be shared with nonaffiliated companies only if: (i) the individual is first given a right to opt-out of the sharing and does not do so; (ii) the consumer consents to the sharing; or (iii) the sharing falls within an exception that permits sharing without consent or right to opt-out. 15 U.S.C. § 6802(b). The exceptions to the requirement of providing a right to opt-out address a number of otherwise normal business activities and legal requirements such as responding to subpoenas, or delivering the information to service providers or consumer reporting agencies. A financial institution will generally be required to have a contract in place with the third party that requires the third party to maintain the information as confidential. Restrictions. Financial Institutions cannot disclose account numbers or credit card numbers for direct mail marketing, telemarketing or other electronic marketing purposes. 15 U.S.C. § 6802(d). Privacy Notices. Financial institutions must provide a written notice to customers of their privacy policies. 15 U.S.C. § 6803(a).
6
Security. Financial institutions must develop, implement, and maintain a comprehensive information security program. 16 C.F.R. § 314.3(a). Preemption. The GLBA does not preempt state laws that may provide greater privacy protection to consumers. 15 U.S.C. § 6807(b). GLBA Privacy and Safeguards Rules. The GLBA regulations consist of a “Privacy Rule” (requiring disclosure to consumers about the use and dissemination of their nonpublic personal financial information) and a “Safeguards Rule” (requiring safeguarding any financial information obtained from an individual that is not publicly available). Subject to certain exceptions, financial institutions are also prohibited from disclosing any “nonpublic personal information” to unrelated third parties without first giving customers the ability to opt-out of the sharing. Consumer Distinguished from Customer. Nonpublic personal information under GLBA is any “personally identifiable financial information” that is not publicly available and is capable of personally identifying a consumer or customer. A consumer is anyone who has obtained a financial product or service but does not necessarily have an ongoing relationship with the financial institution and a customer is a person with an ongoing relationship with the financial institution. GLBA Requirements. The GLBA requires the financial institution to: 1) notify its customers about its information-sharing practices and provide customers with a right to opt out if they do not want their information shared with certain unaffiliated third parties (GLBA Financial Privacy Rule); 2) implement a risk - based written security program to protect nonpublic personal information from unauthorized disclosure (GLBA Safeguards Rule); and 3) provide notice of its information sharing to consumers in some situations. GLBA Notice and Disclosure Requirements. A customer is entitled to receive the financial institution’s privacy notice both when the relationship is created and annually thereafter. After the initial disclosure,
7
the rule generally requires that an annual privacy notice be provided to a customer. The rule provides an alternate means of complying with the annual disclosure requirement if the financial institution does not share a customer’s nonpublic personal information with nonaffiliated third parties, or with affiliates for marketing purposes, and the content of the privacy disclosure has not changed since the last privacy notice. If a financial institution qualifies to use the alternate annual notice, it need only annually disclose that a privacy notice is available on the financial institution’s website and will be mailed at no cost to the customer. The privacy notice itself must be a clear, conspicuous, and accurate statement of the financial institution’s privacy practices. It must state: 1) the categories of information that the financial institution collects and discloses; 2) the categories of affiliated and nonaffiliated entities with which it shares information; 3) that the consumer or customer has the right to opt out of some disclosures; and 4) how the consumer or customer can opt out (if an opt-out right is available). GLBA Consent Requirements. There are no requirements for affirmative consent before sharing information from a customer or consumer, but a financial institution is required at the time of setting up the customer relationship and annually thereafter to: 1) notify customers and consumers of the institution’s privacy policy and practices; and 2) provide the individual with “reasonable means” to opt out of certain uses and disclosures of the individual’s nonpublic personal information. Consent can be obtained through written, oral or electronic means. No Opt-Out Required. A financial institution does not need to provide an opt-out right to the individual in certain defined circumstances, including when nonpublic personal information is shared: 1) for the purpose of administering or enforcing a transaction that a customer requests or authorizes; or 2) with outside companies that provide essential services to the financial institution, such as data processing or servicing accounts, if certain conditions are met (like contractually binding the outside company to protect the confidentiality and security of the data).
8
GLBA Privacy Requirements. Under the GLBA, financial institutions are restricted as to when they may disclose consumer personal information to nonaffiliated third parties. Financial institutions must provide “Privacy Notices” to their customers about their information-sharing practices. Subject to certain exceptions, customers may opt-out if they do not want their information shared with nonaffiliated third parties. The content of these notices may vary based on the relationship with the consumer and the data sharing practices of the business. The Privacy Rule includes several model “safe harbor” notices that can be used by any company to describe their privacy practices and provide the necessary opt-out for sharing of certain information. GLBA Safeguards Requirements. The GLBA requires financial institutions, or those handling financial information, to have a written information security plan that describes their program to protect customer information. The plan must be appropriate for the size, scope of activities, and sensitivity of the customer information collected by the business. The federal banking regulatory agencies issued an Interagency Guidelines Establishing Information Security Standards and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information to further define these requirements. The plan required by the Interagency Guidelines requires the business to: 1) designate one or more employees to coordinate an information security program; 2) identify and assess the risks to customer information in each relevant area of operation, and assess the effectiveness of the current safeguards; 3) develop a plan for safeguarding customer information, and regularly monitor and test the safeguards program; 4) exercise due diligence in selecting service providers (third-party vendors) and require them to implement safeguards; and 5) evaluate and adjust the program as needed. Examples of such safeguards that can help protect against unauthorized access to, or use of, nonpublic personal information of individuals include: 1) data encryption; 2) authentication mechanisms; 3) background checks; and 4) frequent monitoring and testing of information security protocols and systems. 9
Both the GLBA privacy and safeguard requirements mandate ongoing monitoring and changes. Those responsible for GLBA compliance in a business should periodically update the written information security plan as necessary to keep up with any changes in the law, as well as potential data security threats, or its own business practices. GLBA Data Breach Notification Requirements. As of April 4, 2022 there is a security incident notification requirement. See Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers. Using their authority under the GLBA, the federal bank regulatory agencies issued the Interagency Guidelines regarding Response Programs that requires financial institutions to adopt policies and procedures regarding unauthorized access to protected personal information of customers. This includes notifying both the regulator and the customer when there has been an unauthorized access to “sensitive customer information.” In addition to nonpublic personal information of the customer, sensitive customer information generally includes a customer’s name, address, or telephone number combined with one or more of the following items of information about the customer: 1) social security number; 2) driver’s license number; 3) account number; 4) credit or debit card number; or 5) a personal identification number or password that would permit access to the customer’s account. GLBA Enforcement. GLBA is enforced by eight federal regulatory agencies, including the FTC and the federal banking agencies, as well as state insurance regulators and attorneys general. GLBA does not include a right for individuals to bring private actions. Potential Liability. GLBA has severe civil and criminal penalties for noncompliance including fines and imprisonment. If a financial institution violates GLBA the institution may be subject to a civil penalty of up to $100,000 for each violation. Officers and directors of the institution may be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation. Additionally, the institution and its officers and directors may be subject to criminal fines and imprisonment of up to
10
five years. Criminal penalties of up to ten years’ imprisonment and fines of up to $500,000 (for an individual) or $1 million (for a company), are possible if the acts are committed or attempted while violating another U.S. law, or as part of a pattern of illegal activity involving more than $100,000 in a year.
Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)
The Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA) limits how consumer reports and credit card account numbers can be used and disclosed. The FCRA applies to businesses that compile “consumer reports” as well as those who use such reports (lenders and employers) or those who provide consumer credit information to consumer reporting agencies (also known as credit reporting agencies, such as lenders, creditors, and credit card companies). What is a Consumer Report? A consumer report is any communication issued by a consumer reporting agency that is used to evaluate a consumer’s eligibility for credit, employment, or insurance that relates to a consumer’s creditworthiness, credit history, credit capacity, character, or general reputation. A consumer report containing information about a consumer’s character, general reputation, personal characteristics, or mode of living gathered through personal interviews with neighbors, friends, or associates of the consumer is called an “investigative consumer report.” Purpose. Companies that are subject to these laws are required, among other things, to implement programs to help mitigate the risk of identity theft and unauthorized access to consumer reports. The FCRA requires companies that use credit reports to give consumers notice of adverse action resulting from a consumer report (e.g., credit denial or declining to offer employment based on a consumer report) and also requires notices to be provided to a consumer when an investigative consumer report is obtained.
11
Employment. A business that uses information obtained from consumer reporting agencies for employment purposes, including background checks, must comply with FCRA by: 1) disclosing that a consumer report is to be obtained; 2) obtaining consent of the person to obtain a consumer report; 3) notifying the person if any adverse action is taken based on information in the report; and 4) identifying the consumer reporting agency so that the accuracy and completeness of the report can be challenged by the applicant. Free Annual Report. FACTA allows consumers to receive upon request a free copy of his or her consumer report once per year from the consumer reporting agencies and, in appropriate circumstances, to place fraud alerts on their credit histories to reduce identity theft. Credit Card Numbers. Businesses are also (with some exceptions) prohibited from printing more than five digits of a consumer’s credit card number on receipts provided to the cardholder at the point of sale. Consumer Access. FACTA gives consumers access to their credit report, and in some instances, their credit score, and may require a business to give consumers notice of how their credit score was used in developing the interest rates or adverse terms offered to consumers. Disposal of Consumer Report Information. Consumer reporting agencies and any other businesses that use consumer reports are required to adopt procedures for properly disposing of consumer report information (the FACTA Disposal Rule). Sharing Consumer Information with Affiliates. Companies are prohibited from using certain credit information received from an affiliate to market goods or services to a consumer unless the consumer is given notice of the sharing, a reasonable opportunity to opt-out, and a simple and reasonable method for opting-out (the FTC Affiliate Sharing Rule).
12
Identity Theft (the FACTA Red Flags Rule). The Red Flags” Rule was issued jointly by the FTC and the federal banking agencies. The rule requires “financial institutions” and “creditors” holding “covered accounts,” as defined in the Red Flags Rule, to develop and implement written programs designed to help to reduce the risk of identity theft. “Financial institutions” generally includes, banks, credit unions, or other entities holding transactions accounts of a consumer. “Creditor” generally means a business that uses a consumer report and that allows a consumer to defer payment for goods and services or bill its customers, grants or arranges credit, or participate in the decision to extend, renew, or set the terms of credit. For example, businesses that offer home or personal services on a recurring basis, (e.g. cleaning services, lawn services, or personal care services) that use consumer reports and defer billing the customer for services would likely be subject to these requirements. All companies covered by the rules are required to establish an Identity Theft Prevention Program to detect, prevent, and mitigate identity theft. Companies subject to the Red Flags Rule are required to establish and implement a program appropriate for the size of their business and the type of information stored in their systems. These written programs are supposed to identify the relevant “red flags” of identity theft including: 1) unusual account activity; 2) fraud alerts on a consumer report; and 3) attempted use of suspicious account application documents. More information on the Red Flags Rule and how to implement an appropriate identity theft program is available from the FTC website at Fighting Identity Theft with Red Flags Rule: A How-To Guide For Business . Regulation and Enforcement. The responsibility for issuing regulations related to the FCRA and GLBA and the enforcement of those regulations is shared by a number of federal agencies, and, in some cases, the ability to enforce the rules has been delegated to the attorneys general for the States. The authority to issue regulations for most federal consumer
13
protection laws rests with the Consumer Financial Protection Bureau (for banks, credit unions, and certain large business related to financial services, including consumer reporting and loan servicing) and the Federal Trade Commission (for businesses other than financial institutions). Consumer Financial Protection Bureau. The Consumer Financial Protection Bureau (CFPB), created in 2011 by the Dodd-Frank Wall Street Reform and Consumer Protection Act, has primary rulemaking authority for the FCRA as well as the Electronic Funds Transfer Act, the Fair Debt Collection Practices Act, and certain sections of GLBA. The CFPB is an independent agency within the Federal Reserve System. Federal Trade Commission. The FTC retains rulemaking authority regarding the FACTA Disposal Rule, Red Flags Rule, and GLBA Safeguards Rule. Enforcement. The CFPB, Office of Comptroller of the Currency, Federal Reserve Board, NCUA and the FDIC have enforcement authority over financial institutions subject to their oversight. The FTC has authority to carry out certain investigations and enforce consumer protection laws with regard to businesses and nonbank financial institutions that are outside the enforcement authority of the CFPB and the banking regulators. Civil Liability. Any person that negligently violates the FCRA may be liable for the actual damages incurred by the consumer together with reasonable attorneys’ fees. 15 U.S.C. § 1681o. Any person that willfully violates the FCRA may be liable to the consumer for any actual damages sustained by the consumer or statutory damages of not less than $100 and not more than $1,000, punitive damages, and attorneys’ fees and costs. 15 U.S.C. § 1681. Additionally, the FTC can impose administrative penalties under the Federal Trade Commission Act. FTC Enforcement Actions Under FCRA . A data broker, Spokeo , marketed consumer profiles to employers. Spokeo paid $800,000 to settle the charges after the FTC rejected their claim that they were not a
14
consumer reporting agency and therefore not covered by FCRA. According to the FTC, Spokeo sold personal profiles that it had assembled, including information gleaned from social media, to HR, recruiting, and screening businesses as information they could then use in deciding whether or not to interview or hire a candidate. [See U.S. v. Spokeo, Inc. No. 2:12-cv- 05001 (C.D.Cal. 2012)]. Telecheck Services, Inc., one of the largest check authorization service companies, agreed to pay $3.5 million and to alter their business practices as necessary to settle FTC charges that it violated FCRA. [See U.S. v. Telecheck Services, Inc. et al. , No. 1:14-cv-00062 2014)]. This followed an earlier FTC settlement with Certegy Check Services, Inc., another check authorization company for $3.5 million based on similar charges of FCRA violations. [See U.S. v. Certegy Check Services, Inc. , No. 1:13-cv-01247 (D.C. 2014)]. In 2020, the FTC announced its first action against a business for failing to provide transaction records to identity theft victims as required by the FCRA. The settlement with retailer Kohl’s included a $220,000 civil penalty. The FTC also took action against Midwest Recovery Systems, a debt collection agency for its violation of the FCRA. Midwest Recovery Systems allegedly placed questionable or inaccurate debts onto consumers’ credit reports to coerce them to pay the debts. The settlement prohibits the company from such practice, known as “debt parking” and requires that the company delete the debts it previously reported to credit reporting agencies. The FTC has also brought enforcement actions against a number of other businesses that are often settled by entry of a consent decree and typically involve civil fines, consumer reimbursement and additional regulatory oversight. On December 19, 2022 the FTC announced that it reached the largest
15
administrative settlement ever with Fortnite video game maker Epic games. Epic was fined more than half a billion dollars based on allegations of numerous privacy violations and unwanted charges. Alleged violations included COPPA violations, problematic default settings, dark patterns on site used by individuals under 18. On January 27, 2023 the FTC finalized its order with education technology provider Chegg, Inc. for its careless data security practices that exposed sensitive information about millions of Chegg customers and employees including social security numbers, email addresses, and passwords. The FTC order requires Chegg to enhance their data security practices, limit the personal data collected and stored, allowing for multi-factor authentication, and ability of users to access and delete their data. Credit Card Data and the Payment Card Industry Data Security Standards (“PCI-DSS”). In addition to the federal laws discussed above and certain state laws, [See Minn. Stat. § 325E.64] businesses handling credit card data are self-regulated through the Payment Card Industry (PCI) Security Standards Council. The Council has developed the comprehensive Payment Card Industry Data Security Standards (PCI-DSS) followed by merchants and “all entities that store, process or transmit cardholder data.” PCI-DSS requires the installation and maintenance of firewalls, system passwords, encryption of cardholder data across open or public networks, use of anti-virus software, employee access restrictions, physical access restrictions, development of a credit card specific security policy, and restricts the retention of cardholder data. These standards are mandatory for any businesses handling credit card data. Larger merchants may be required to pass regular external security assessments and be subject to frequent scans to assess technical vulnerabilities. Failure to comply with PCI-DSS can result in significant penalties in the event of a data breach.
16
Use and Disclosure of Medical Information The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA does not just apply to health care providers. HIPAA governs individually identifiable health information . It applies broadly to “covered entities”, which are health plans, health care providers, and health care clearinghouses. HIPAA also can apply to data processors, pharmacy benefit managers, accountants, and many other types of organizations that come into contact with this information. These organizations can, depending on the services they provide, become, “business associates” under HIPAA. This is the case even where they do not deliver health care directly but provide services to the “covered entity” using information that qualifies as “ protected health information.” The U.S. Department of Health and Human Services (HHS) has issued several sets of regulations including regulations for the privacy and security of health information otherwise known as the “Privacy Rule” and the “Security Rule”, and “Breach Notification Rule” Privacy Rule. Standards for the privacy of individually identifiable health information are set forth in the HIPAA Privacy Rule. The Privacy Rule defines this health information as “protected health information” or PHI, which includes information related to the past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for such health care which is created or received by a covered entity. The Privacy Rule limits any entity covered under HIPAA to disclosure of PHI to: (1) the individual; (2) for use in treatment, payment, or health care operations; (3) for certain purposes where an individual has been given an opportunity to object or opt-out; (4) when required by law or in accordance with other strong public interest policies (such as law enforcement or in the course of judicial or administrative proceedings); or 5) for other purposes pursuant to an “authorization” that meets certain requirements spelled out in the Privacy Rule, or 6) certain other limited purposes.
17
Security Rule. Security standards for the protection of electronic PHI are set forth in the HIPAA Security Rule. Prior to passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), business associates were liable only indirectly for their violations of the commitments set forth in a business associate agreement with a covered entity. HITECH obligates business associates to comply with all of the HIPAA Security Rule and many parts of the HIPAA Privacy Rule. Violations of HIPAA requirements by business associates expose those organizations to enforcement actions by the HHS Office for Civil Rights (OCR). HITECH also changed many of the substantive requirements of the Privacy Rule, including adopting more restrictive guidelines to govern marketing activities using PHI. In addition, HITECH gave HIPAA enforcement authority to state attorneys general. The HITECH Act also created an obligation for covered entities, their business associates, and in some cases subcontractors to provide certain notifications in the event the security or privacy of an individual’s PHI has been compromised. These guidelines have been codified in the HIPAA Breach Notification Rule. Application. HIPAA applies to “covered entities” and “business associates” as defined in the regulation 45 C.F.R. § 160.103. It applies to those who transmit PHI electronically as part of certain “standard transactions.” This means that most health care providers who submit claims to health plans, HMOs and other managed care organizations such as doctors, hospitals, insurance companies, and pharmacies are subject to HIPAA. Business associates that create, receive, maintain, or transmit PHI on behalf of covered entities (and subcontractors that engage in similar types of activities on behalf of business associates) are also directly subject to the HIPAA Security Rule and parts of the Privacy Rule. Scope. HIPAA is limited to covered entities over which the United States government has enforcement authority. However, certain business associates of covered entities may have contractual obligations to safeguard PHI, including those operating outside of the United States.
18
Page i Page ii Page iii Page iv Page v Page vi Page vii Page viii Page ix Page x Page xi Page xii Page xiii Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40 Page 41 Page 42 Page 43 Page 44 Page 45 Page 46 Page 47 Page 48 Page 49 Page 50 Page 51 Page 52 Page 53 Page 54 Page 55 Page 56 Page 57 Page 58 Page 59 Page 60 Page 61 Page 62 Page 63 Page 64 Page 65 Page 66 Page 67 Page 68 Page 69 Page 70 Page 71 Page 72 Page 73 Page 74 Page 75 Page 76 Page 77 Page 78 Page 79 Page 80 Page 81 Page 82 Page 83 Page 84 Page 85 Page 86 Page 87 Page 88 Page 89 Page 90 Page 91 Page 92 Page 93 Page 94 Page 95 Page 96 Page 97 Page 98 Page 99 Page 100 Page 101 Page 102 Page 103 Page 104 Page 105 Page 106 Page 107 Page 108 Page 109 Page 110 Page 111 Page 112 Page 113 Page 114 Page 115 Page 116 Page 117 Page 118 Page 119 Page 120 Page 121 Page 122 Page 123 Page 124 Page 125 Page 126 Page 127 Page 128 Page 129 Page 130 Page 131 Page 132 Page 133 Page 134 Page 135 Page 136 Page 137 Page 138 Page 139 Page 140 Page 141 Page 142 Page 143 Page 144 Page 145 Page 146 Page 147 Page 148 Page 149 Page 150 Page 151 Page 152 Page 153 Page 154 Page 155 Page 156 Page 157 Page 158 Page 159 Page 160 Page 161 Page 162 Page 163 Page 164 Page 165 Page 166 Page 167 Page 168 Page 169 Page 170 Page 171 Page 172 Page 173 Page 174 Page 175 Page 176 Page 177 Page 178 Page 179 Page 180 Page 181 Page 182 Page 183 Page 184 Page 185 Page 186 Page 187Made with FlippingBook - Online Brochure Maker