This Guide is designed to alert businesses to legal issues related to privacy and data security. It is intended as a guide and not as a definitive source to answer legal and business questions.
TABLE OF CONTENTS | 4 |
DISCLAIMER | 9 |
INTRODUCTION | 10 |
LEGAL BASIS FOR A RIGHT TO PRIVACY | 14 |
FEDERAL LAWS GOVERNING DATA PRIVACY AND SECURITY | 16 |
HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA, FACTA, CFAA… | 16 |
Welcome to federal data privacy law and the world of acronyms. | 16 |
Use and Disclosure of Financial Information | 17 |
Gramm-Leach-Bliley Act (GLBA) | 17 |
Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA) | 24 |
Use and Disclosure of Medical Information | 30 |
The Health Insurance Portability and Accountability Act (HIPAA) | 30 |
Medical Research - The Common Rule | 36 |
Federal Trade Commission Act (FTC Act) | 36 |
FTC Online Behavioral Advertising Principles | 46 |
Children’s Online Privacy Protection Act (COPPA) | 48 |
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) | 52 |
The Telephone Consumer Protection Act (TCPA)[47 U.S.C. § 227] | 55 |
Telemarketing and Consumer Fraud and Abuse Prevention Act [15 U.S.C. §§ 6101-6108] | 61 |
“Click-to-Cancel Rule” | 62 |
Deceptive Mail Prevention and Enforcement Act (DMPEA) | 62 |
Junk Fax Prevention Act (JFPA) | 63 |
Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030 (c)] | 64 |
Electronic Communications Privacy Act (ECPA) [18 U.S.C. §§ 2510-3127] | 65 |
Federal Laws Related To Social Security Numbers | 66 |
The Driver’s Privacy Protection Act (DPPA) [18 U.S.C. §§ 2721-2725] | 67 |
Video Privacy Protection Act (VPPA) [18 U.S.C. § 2710] | 67 |
Other Federal Privacy Laws | 68 |
Identity Theft and Assumption Deterrence Act of 1998, 15 U.S.C. § 1028 | 69 |
The National Institute of Standards and Technology (NIST) Cybersecurity Framework | 70 |
Federal Law and Proposed Legislation | 72 |
Data Breach | 73 |
PRIVACY AND THE EMPLOYMENT RELATIONSHIP | 74 |
Discrimination Laws | 75 |
Protected Activity Laws | 76 |
Applicant Screening Laws | 79 |
Employee Privacy Considerations | 82 |
Federal Laws Applicable to Electronic Communications and Data | 85 |
The Electronic Communications Privacy Act (ECPA or the “Wiretap Act”) | 85 |
The Stored Communications Act (SCA) [18 U.S.C. § 2701, et seq.] | 85 |
The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030, et seq.] | 86 |
References and Recommendations | 87 |
Safeguarding Confidential and Proprietary Information | 87 |
Employer Policies and Practices | 88 |
STATE DATA PRIVACY AND SECURITY LAWS | 91 |
Minnesota Data Privacy and Security Laws | 93 |
Minnesota Enacts Comprehensive Data Privacy Law | 93 |
Internet Service Providers [Minn. Stat. § 325M.01] | 99 |
Identity Theft/Phishing [Minn. Stat. § 609.527, Subd. 2.] | 103 |
Minnesota Data Breach Notification [Minn. Stat. §§ 325E.61 and 13.055] | 108 |
Minn. Stat. § 13.0 Minnesota Government Data Practices Act | 115 |
Minn. Stat. § 13.15 Government Websites | 116 |
Plastic Card Security Act [Minn. Stat. § 325E.64] | 117 |
Use of Social Security Numbers [Minn. Stat. § 325E.59] | 120 |
Recording Communications [Minn. Stat. § 626A.02 Wiretap law] | 123 |
California | 128 |
Virginia | 137 |
Colorado | 138 |
Connecticut | 141 |
Utah | 141 |
Massachusetts | 142 |
New York | 144 |
Other State Privacy and Breach Notification Laws | 145 |
State Breach Notification Laws | 145 |
State Data Protection and Security Laws | 147 |
KENTUCKY | 149 |
MARYLAND | 149 |
NEVADA | 150 |
NEBRASKA | 152 |
NEW HAMPSHIRE | 152 |
NEW JERSEY | 152 |
SUMMARY | 152 |
GLOBAL PRIVACY AND DATA SECURITY LAW | 153 |
EU 1995 Data Directive/General Data Protection Regulation | 154 |
Transfer of Personal Data Outside of the European Union | 159 |
Prior EU-U.S. Safe Harbor | 161 |
Key Differences between the Old SCCs and New SCCs | 165 |
Binding Corporate Rules | 166 |
Model Contracts-Standard Contractual Clauses (SCCs) | 164 |
CANADA | 170 |
Personal Information Protection and Electronic Documents Act (PIPEDA) | 170 |
Canada Anti-Spam Law [SC 2010, C23] | 172 |
OTHER COUNTRIES | 173 |
BEST PRACTICES | 175 |
Key Questions Every Business Should Ask Related to Data Privacy and Security | 175 |
Establish a Compliance Program | 178 |
Customized Program | 178 |
Security Incident and Data Breach Plan | 179 |
Mitigating Risk By Contract | 182 |
Insurance | 184 |
Physical Safeguards/Office Design | 185 |
Storage and Maintenance of Electronic Data | 185 |
Document Retention - Storage and Maintenance of Hard Copies | 186 |
Technical Safeguards | 186 |
Encryption, Encryption, Encryption | 187 |
Limit Access | 188 |
Limit Data Collected | 188 |
Remote Access | 188 |
Administrative Safeguards | 189 |
Steps to Take in Event of Identity Theft | 191 |
FINAL THOUGHTS - WHAT IS NEXT? | 193 |
PRIVACY LAW TIMELINE | 197 |
SOURCES OF INFORMATION ON DATA PRIVACY AND SECURITY | 202 |
Other government sites and publications that provide privacy related information | 203 |
Other Useful Websites | 204 |
Selected Books, Articles and Treatises on Privacy | 205 |