TABLE OF CONTENTS | 4 |
DISCLAIMER | 9 |
INTRODUCTION | 10 |
LEGAL BASIS FOR A RIGHT TO PRIVACY | 14 |
FEDERAL LAWS GOVERNING DATA PRIVACY AND SECURITY | 16 |
HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA, FACTA, CFAA | 16 |
Welcome to federal data privacy law and the world of acronyms | 16 |
Use and Disclosure of Financial Information | 17 |
Gramm-Leach-Bliley Act (GLBA) | 17 |
Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA) | 24 |
Use and Disclosure of Medical Information | 30 |
The Health Insurance Portability and Accountability Act (HIPAA) | 30 |
Medical Research - The Common Rule | 36 |
Federal Trade Commission Act (FTC Act) | 36 |
FTC Online Behavioral Advertising Principles | 46 |
Children’s Online Privacy Protection Act (COPPA) | 48 |
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) | 52 |
The Telephone Consumer Protection Act (TCPA) [47 U.S.C. § 227] | 55 |
Telemarketing and Consumer Fraud and Abuse Prevention Act [15 U.S.C. §§ 6101-6108] | 60 |
Deceptive Mail Prevention and Enforcement Act (DMPEA) | 61 |
Junk Fax Prevention Act (JFPA) | 61 |
Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030(c)] | 62 |
Electronic Communications Privacy Act (ECPA) [18 U.S.C. §§ 2510-3127] | 63 |
Federal Laws Related To Social Security Numbers | 64 |
The Driver’s Privacy Protection Act (DPPA) [18 U.S.C. §§ 2721-2725] | 65 |
Video Privacy Protection Act (VPPA) [18 U.S.C. § 2710] | 66 |
Other Federal Privacy Laws | 66 |
Identity Theft and Assumption Deterrence Act of 1998, 15 U.S.C. § 1028 | 67 |
The National Institute of Standards and Technology (NIST) Cybersecurity Framework | 69 |
Federal Law and Proposed Legislation | 70 |
Data Breach | 71 |
PRIVACY AND THE EMPLOYMENT RELATIONSHIP | 73 |
Discrimination Laws | 74 |
Protected Activity Laws | 76 |
Applicant Screening Laws | 79 |
Employee Privacy Considerations | 81 |
Federal Laws Applicable to Electronic Communications and Data | 84 |
The Electronic Communications Privacy Act (ECPA or the “Wiretap Act”) | 84 |
The Stored Communications Act (SCA) [18 U.S.C. § 2701, et seq.] | 85 |
The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030, et seq.] | 86 |
References and Recommendations | 86 |
Safeguarding Confidential and Proprietary Information | 86 |
Employer Policies and Practices | 88 |
STATE DATA PRIVACY AND SECURITY LAWS | 91 |
Minnesota Data Privacy and Security Laws | 93 |
Internet Service Providers [Minn. Stat. § 325M.01] | 93 |
Identity Theft/Phishing [Minn. Stat. § 609.527, Subd. 2.] | 97 |
Minnesota Data Breach Notification [Minn. Stat. §§ 325E.61 and 13.055] | 103 |
Minn. Stat. § 13.0 Minnesota Government Data Practices Act | 110 |
Minn. Stat. § 13.15 Government Websites | 111 |
Plastic Card Security Act [Minn. Stat. § 325E.64] | 112 |
Use of Social Security Numbers [Minn. Stat. § 325E.59] | 115 |
Recording Communications [Minn. Stat. § 626A.02 Wiretap law] | 117 |
California | 123 |
Virginia | 131 |
Colorado | 132 |
Connecticut | 134 |
Utah | 135 |
Massachusetts | 136 |
New York | 137 |
Other State Privacy and Breach Notification Laws | 138 |
State Breach Notification Laws | 139 |
State Data Protection and Security Laws | 140 |
MAINE | 142 |
NEVADA | 143 |
MASSACHUSETTS | 145 |
NEW HAMPSHIRE | 145 |
NEW JERSEY | 145 |
NORTH CAROLINA | 145 |
PENNSYLVANIA | 145 |
WISCONSIN | 145 |
MINNESOTA | 145 |
MISSISSIPPI | 146 |
NEW YORK | 147 |
RHODE ISLAND | 147 |
WASHINGTON | 147 |
VERMONT | 147 |
WEST VIRGINIA | 147 |
SUMMARY | 147 |
GLOBAL PRIVACY AND DATA SECURITY LAW | 148 |
EU 1995 Data Directive/General Data Protection Regulation | 149 |
Transfer of Personal Data Outside of the European Union | 154 |
Prior EU-U.S. Safe Harbor | 157 |
Model Contracts-Standard Contractual Clauses (SCCs) | 159 |
Key Differences between the Old SCCs and New SCCs | 161 |
Binding Corporate Rules | 162 |
CANADA | 166 |
Personal Information Protection and Electronic Documents Act (PIPEDA) | 166 |
Canada Anti-Spam Law [SC 2010, c. 23] | 168 |
OTHER COUNTRIES | 169 |
BEST PRACTICES | 171 |
Key Questions Every Business Should Ask Related to Data Privacy and Security | 171 |
Establish a Compliance Program | 174 |
Customized Program | 174 |
Security Incident and Data Breach Plan | 175 |
Mitigating Risk By Contract | 178 |
Insurance | 180 |
Physical Safeguards/Office Design | 181 |
Storage and Maintenance of Electronic Data | 181 |
Document Retention - Storage and Maintenance of Hard Copies | 182 |
Technical Safeguards | 182 |
Encryption, Encryption, Encryption | 183 |
Limit Access | 184 |
Limit Data Collected | 184 |
Remote Access | 184 |
Administrative Safeguards | 185 |
Steps to Take in Event of Identity Theft | 187 |
FINAL THOUGHTS - WHAT IS NEXT? | 189 |
PRIVACY LAW TIMELINE | 193 |
SOURCES OF INFORMATION ON DATA PRIVACY AND SECURITY | 198 |
Other government sites and publications that provide privacy related information: | 199 |
Other Useful Websites | 200 |
Selected Books, Articles and Treatises on Privacy | 201 |