Important Update on Privacy and Security Issues – 2006 May Be a Watershed Year
During 2005, consumer privacy and data security took center stage for policy-makers and consumer advocates. High profile data breaches and a greater awareness of the vulnerability of consumers’ personally identifiable information (“PII”) have prompted legislative initiatives and broader state and federal privacy enforcement directed at businesses that collect, purchase, sell, or use PII. The Privacy Rights Clearinghouse has tracked over 100 data breaches since February 2005, involving the PII of over 52 million consumers. ChoicePoint, LexisNexis, Time Warner, Bank of America, CitiFinancial, DSW Shoe Warehouse, BJ’s Wholesale Club, Ford Motor Co., Marriott International, CardSystems Solutions and others have inadvertently sold or lost files with PII, or have been victimized by hackers or even their own employees. No industry is immune. Indeed, businesses offering video, Internet, telecommunications or other services routinely collect, store and utilize PII in order to render and market services to customers. These businesses should pay close attention to the many legal and regulatory constraints on using PII.
There are dozens of federal laws and regulations and a multitude of state laws governing privacy and security. At the federal level alone, for example, statutes concerning privacy that may apply to your business include the:
• Cable Communications Policy Act
• Telecommunications Act provisions regarding customer proprietary network information
• Electronic Communications Privacy Act
• Children’s Online Privacy Protection Act
• Communications Assistance for Law Enforcement Act
• Telephone Consumer Protection Act
• Telemarketing and Consumer Fraud and Abuse Prevention Act
• Foreign Intelligence Surveillance Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
• Fair Credit Reporting Act (covering consumer reporting agencies, users of consumer reports, and entities that furnish information to CRAs), as amended by the Fair and Accurate Credit Transactions Act
• Federal Trade Commission Act
• Gramm-Leach-Bliley Act (applicable to financial institutions)
• Health Insurance Portability and Accountability Act (applicable to health information)
• Video Privacy Protection Act
• Sarbanes-Oxley Act
Complying with the sheer number and complexity of privacy laws coupled with renewed legislative focus on these issues requires that companies assess their privacy obligations and data security practices or risk not only legal liability but harm to their reputations. If not yet addressed, we strongly recommend that your company’s plans for the new year include a thorough review and assessment of privacy and data security policies and the development of a comprehensive information security program. Cole, Raywid & Braverman has extensive experience in each of these areas and is available to assist you with your company’s development of a comprehensive information security program or to provide counsel on specific privacy law issues.
I. Data Breach Notification
Public concern over privacy and information security has heightened significantly with the many highly publicized reports of the improper sharing of PII with third parties and the “loss” of customer information due to intentional or negligent security breaches. California’s enactment of its landmark security breach notification legislation in 2003 has been widely credited with forcing businesses to disclose breaches of PII. (See News Update dated June 13, 2003) In 2005, twenty-one additional states followed suit (including New York, Florida, Texas, Pennsylvania and Illinois) with data breach notification laws applicable to at least some private entities. The states’ varied approaches to these laws and public concern over identity theft and data breaches have led Congress to consider many forms of data breach notice and identity theft legislation with preemption of state law one of the preeminent issues. In 2005, more than a dozen such bills were introduced in Congress, with three bills passing the committee level in the Senate and one bill passing the subcommittee level in the House. We expect significant ongoing legislative activity in this area and anticipate some federal legislation being signed into law in 2006. Given the state laws and the likelihood of federal law, companies should have an incident response plan in place in case of any data breach (employee theft, hacker intrusion, or virus) that warrants consumer notification.
II. Securing PII
The data breach laws also highlight the importance of securing PII. The Federal Trade Commission’s (“FTC”) Safeguards Rule, promulgated pursuant to the Gramm-Leach-Bliley Act (“GLBA”) and initially applicable to financial institutions only, is increasingly becoming the de facto standard for securing PII in all industries. In 2005, the FTC began a novel use of its “unfair” practices enforcement authority under Section 5 of the FTC Act, entering into settlements with BJ’s Wholesale Club, Inc. and DSW, Inc. because of those companies’ failure to implement reasonable security procedures to protect consumer PII, even though neither company had made affirmative privacy or security promises to consumers. Previously, the FTC’s privacy enforcement actions primarily attacked “deceptive” practices, specifically, instances where companies acted contrary to express promises to consumers. The BJ’s and DSW settlements required that the companies adhere to the Safeguards Rule obligations and indicate that compliance with the Safeguards Rule by a company in any industry is likely a safe harbor from enforcement action. The Safeguards Rule requires a risk assessment against technical and environmental threats, including threats from employees; physical, procedural and technical safeguards; regular testing and monitoring; and audit and update procedures. Many of these requirements have been incorporated into the Payment Card Industry Data Security Standard (PCI DSS), which went into effect last year.
III. DMCA and Copyright Infringement
Providers of high speed Internet access are increasingly drawn into battles between video and audio content owners and customers, as content owners sue to obtain PII on customers suspected of infringing copyrights. Providers must have policies for responding to demands for subscriber identification and for terminating repeat infringers, or they risk losing the DMCA safe harbor and becoming subject to liability. Proper policies will enable a company to respond appropriately to requests from content owners and other non-governmental requests for subscriber PII.
IV. Government Seeking PII
In addition to information sought from content owners, businesses also have to respond appropriately to government requests for PII. Depending on the service received by the customer and the type of information sought, different requirements apply for cable operators, telephone companies and ISPs, and oftentimes requirements overlap or conflict. In many instances, companies are also required to assist law enforcement with wiretaps, pen registers and similar surveillance tools. Companies should have processes in place to appropriately handle the various government requests and court orders for PII and assistance.
V. Sharing Information with Third Parties
Companies must be aware of the risks in sharing information with third parties for marketing or other business functions and must comply with various federal and state laws. For example, California has enacted a unique law, S.B. 27, which took effect January 2005, pertaining to information-sharing. Although S.B. 27 does not restrict information sharing, it imposes new notice requirements on companies that share PII. Any business that disclosed customer PII (including information relating to income or purchases) during the preceding calendar year to any third party, including affiliates, for direct marketing purposes must provide a customer, within 30 days after a request, a written or electronic response identifying the names and addresses of the recipients of the PII and the categories of PII that were disclosed. A more limited disclosure option is available if the sharing for third parties’ marketing purposes was with affiliates only. Other states are considering similar laws, and the federal laws applicable to cable operators (Cable Act) and telecommunications carriers (CPNI) have inconsistent rules regarding marketing and sharing PII with affiliates and third parties.
In addition, whenever a company shares PII with a third party vendor, it is imperative that the vendor be contractually obligated to treat the information securely and that all other privacy and security responsibilities be clearly allocated. Other prudent actions include conducting due diligence on vendors to determine their information security and privacy practices, establishing controls based on the extent of the vendor’s access to data and databases and on the vendor’s security practices, and supervising the vendor through internal controls and audits. Companies engaged in the cross-border transfer of information should be aware that special requirements may apply.
VI. Document Destruction
There are various state and federal laws regulating the disposal of consumer PII. The Cable Act, the FTC’s Disposal Rule (promulgated under the Fair and Accurate Credit Transactions Act), and state laws require or affect document retention and destruction policies, which are a vital part of an information security program.
VII. Targeted Advertising and Audience Measurement
Digital cable technology now allows cable operators greater accuracy in knowing what channels and programs are being viewed by their subscribers. This information can be used not just to determine the popularity of a show, but when combined with demographic data, can be used to allow more pertinent advertising targeted to the interests of the individual subscriber. Information collection must be handled with full respect to consumer privacy and security interests.
VIII. Privacy Policies
Cable operators and telephony providers have certain privacy practice notice requirements imposed by law. Other entities that voluntarily adopt privacy policies or that make privacy claims must ensure those claims accurately reflect the company’s actual privacy practices. Privacy policies must be reassessed and updated as privacy law and a company’s business practices evolve.
The Children’s Online Privacy Protection Act of 1998 governs operators of commercial websites and online services directed to children under the age of 13 that collect personal information, as well as general audience websites and online services that, although not specifically directed to children, have actual knowledge that they are collecting personal information from children under the age of 13. Before collecting, using, or disclosing personal information from children under 13, website operators must post privacy policies, provide parental notice, and obtain verifiable consent from a parent or guardian. The level of verifiable parental consent required depends on how the company uses the information collected.
Any company that telemarkets, or contracts with third parties to telemarket on its behalf, must be aware of both state and federal telemarketing and Do Not Call (“DNC”) requirements designed to protect consumer privacy. Federal regulation of telemarketing practices has increased markedly in the last few years after the FCC and FTC issued new rules encompassing a wide array of operational restrictions. (See News Update dated September 30, 2003). Most notably, federal DNC regulations went into effect in 2003 and have not only significantly restricted telemarketing activity but have also led to greater consumer awareness of telemarketing restrictions. Most states also have their own telemarketing laws, and many states maintain their own Do Not Call lists that must be accessed separately from the federal Do Not Call registry. State laws differ greatly and may contain telemarketer registration requirements and many other restrictions that exceed federal requirements. Failure to comply with DNC and other telemarketing requirements can have serious consequences, as demonstrated by DirecTV’s agreement to pay $5.335 million as part of a settlement with the FTC.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”) creates obligations for companies seeking to market to consumers through the use of e-mail. In an effort to protect consumer privacy, the CAN-SPAM Act requires that “commercial electronic mail messages” whose primary purpose is the commercial advertisement or promotion of a product or service meet certain criteria. (See News Updates dated December 2, 2003, December 17, 2003, March 30, 2004, April 15, 2004, and April 7, 2005). Additional CAN-SPAM rules that could impact companies’ marketing practices remain pending at the FTC.
If you would like assistance in developing a comprehensive information security program or guidance concerning existing federal and state privacy and security laws, or legislation that has been proposed in the states or Congress, please contact us.