This Guide is designed to alert businesses to legal issues related to privacy and data security. It is intended as a guide and not as a definitive source to answer legal and business questions.
TABLE OF CONTENTS | 4 |
DISCLAIMER | 9 |
INTRODUCTION | 10 |
LEGAL BASIS FOR A RIGHT TO PRIVACY | 14 |
FEDERAL LAWS GOVERNING DATA PRIVACY AND SECURITY | 16 |
HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA, FACTA, CFAA… | 16 |
Welcome to federal data privacy law and the world of acronyms. | 16 |
Use and Disclosure of Financial Information | 17 |
Gramm-Leach-Bliley Act (GLBA) | 17 |
Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA) | 24 |
Use and Disclosure of Medical Information | 30 |
The Health Insurance Portability and Accountability Act (HIPAA) | 30 |
Medical Research - 2018 Requirements | 36 |
Federal Trade Commission Act (FTC Act) | 37 |
FTC Online Behavioral Advertising Principles | 46 |
Children’s Online Privacy Protection Act (COPPA) | 48 |
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) | 53 |
The Telephone Consumer Protection Act (TCPA) [47 U.S.C. § 227] | 55 |
Telemarketing and Consumer Fraud and Abuse Prevention Act [15 U.S.C. §§ 6101-6108] | 62 |
“Click-to-Cancel Rule” | 63 |
Deceptive Mail Prevention and Enforcement Act (DMPEA) | 63 |
Junk Fax Prevention Act (JFPA) | 64 |
Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030 (c)] | 64 |
Electronic Communications Privacy Act (ECPA) [18 U.S.C. §§ 2510-3127] | 65 |
Federal Laws Related To Social Security Numbers | 67 |
The Driver’s Privacy Protection Act (DPPA) [18 U.S.C. §§ 2721-2725] | 68 |
Video Privacy Protection Act (VPPA) [18 U.S.C. § 2710] | 68 |
Other Federal Privacy Laws | 68 |
Identity Theft and Assumption Deterrence Act of 1998, 15 U.S.C. § 1028 | 70 |
The National Institute of Standards and Technology (NIST) Cybersecurity Framework | 71 |
Federal Law and Proposed Legislation | 72 |
Data Breach | 73 |
PRIVACY AND THE EMPLOYMENT RELATIONSHIP | 76 |
Discrimination Laws | 77 |
Protected Activity Laws | 78 |
Applicant Screening Laws | 81 |
Employee Privacy Considerations | 84 |
Federal Laws Applicable to Electronic Communications and Data | 87 |
The Electronic Communications Privacy Act (ECPA or the “Wiretap Act”) | 87 |
The Stored Communications Act (SCA) [18 U.S.C. § 2701, et seq.] | 87 |
The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. § 1030, et seq.] | 88 |
References and Recommendations | 89 |
Safeguarding Confidential and Proprietary Information | 89 |
Employer Policies and Practices | 90 |
STATE DATA PRIVACY AND SECURITY LAWS | 93 |
Minnesota Data Privacy and Security Laws | 95 |
Minnesota Enacts Comprehensive Data Privacy Law | 95 |
Internet Service Providers [Minn. Stat. § 325M.01] | 100 |
Identity Theft/Phishing [Minn. Stat. § 609.527, Subd. 2.] | 104 |
Minnesota Data Breach Notification [Minn. Stat. §§ 325E.61 and 13.055] | 109 |
Minn. Stat. § 13.0 Minnesota Government Data Practices Act | 117 |
Minn. Stat. § 13.15 Government Websites | 118 |
Plastic Card Security Act [Minn. Stat. § 325E.64] | 119 |
Use of Social Security Numbers [Minn. Stat. § 325E.59] | 122 |
Recording Communications [Minn. Stat. § 626A.02 Wiretap law] | 124 |
California | 129 |
Virginia | 140 |
Colorado | 141 |
Connecticut | 144 |
Utah | 145 |
Massachusetts | 146 |
New York | 147 |
Other State Privacy and Breach Notification Laws | 149 |
State Breach Notification Laws | 149 |
State Data Protection and Security Laws | 151 |
MARYLAND | 153 |
NEVADA | 154 |
SUMMARY | 156 |
GLOBAL PRIVACY AND DATA SECURITY LAW | 157 |
EU 1995 Data Directive/General Data Protection Regulation | 158 |
Transfer of Personal Data Outside of the European Union | 163 |
Prior EU-U.S. Safe Harbor | 165 |
Model Contracts-Standard Contractual Clauses (SCCs) | 168 |
Key Differences between the Old SCCs and New SCCs | 169 |
Binding Corporate Rules | 171 |
CANADA | 175 |
Canada Anti-Spam Law [SC 2010, c. 23] | 177 |
OTHER COUNTRIES | 178 |
BEST PRACTICES | 180 |
Key Questions Every Business Should Ask Related to Data Privacy and Security | 180 |
Establish a Compliance Program | 183 |
Customized Program | 183 |
Security Incident and Data Breach Plan | 184 |
Mitigating Risk By Contract | 187 |
Insurance | 189 |
Physical Safeguards/Office Design | 190 |
Storage and Maintenance of Electronic Data | 190 |
Document Retention - Storage and Maintenance of Hard Copies | 191 |
Technical Safeguards | 191 |
Encryption, Encryption, Encryption | 192 |
Limit Access | 193 |
Limit Data Collected | 193 |
Remote Access | 193 |
Administrative Safeguards | 194 |
Steps to Take in Event of Identity Theft | 196 |
FINAL THOUGHTS - WHAT IS NEXT? | 198 |
PRIVACY LAW TIMELINE | 202 |
SOURCES OF INFORMATION ON DATA PRIVACY AND SECURITY | 207 |
Governmental and Standards Bodies | 208 |
Other government sites and publications that provide privacy related information: | 208 |
Other Useful Websites | 209 |
Selected Books, Articles and Treatises on Privacy | 210 |