Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The US legislative framework for the protection of PII historically has resembled a patchwork quilt. Unlike other jurisdictions, the US does not have a single dedicated data protection law at the federal level, but instead regulates privacy primarily by industry, on a sector-by-sector basis. There are numerous sources of privacy law in the US, including laws and regulations developed at both the federal and state levels. These laws and regulations may be enforced by federal and state authorities, and many provide individuals with a private right to bring lawsuits against organisations they believe are violating the law. Starting in 2018, increased legislative activity at the state level signalled a shift in focus toward more broad-based consumer privacy legislation in the United States. California became the first state to enact such legislation with the passage of the California Consumer Privacy Act (CCPA), a broad privacy law inspired in part by the EU General Data Protection Regulation (GDPR) that is aimed at protecting personal information of consumers across industry. Since then, numerous other states have proposed similarly broad privacy legislation, while multiple comprehensive privacy bills have been introduced at the federal level in the US Congress.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

There is no single regulatory authority dedicated to overseeing data protection law in the US. At the federal level, the regulatory authority responsible for oversight depends on the law or regulation in question. In the financial services context, for example, the Consumer Financial Protection Bureau (CFPB) and various financial services regulators (as well as state insurance regulators) have adopted standards pursuant to the Gramm-Leach-Bliley Act (GLB) that dictate how firms subject to their regulation may collect, use and disclose non-public personal information. Similarly, in the healthcare context, the Department of Health and Human Services is responsible for enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Outside of the regulated industries context, the Federal Trade Commission (FTC) is the primary federal privacy regulator in the US. Section 5 of the FTC Act, a general consumer protection law that prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, is the FTC’s primary enforcement tool in the privacy arena. The FTC has used its authority under section 5 to bring numerous privacy enforcement actions for a wide range of alleged violations by entities whose information practices have been deemed ‘deceptive’ or ‘unfair’. Although section 5 does not give the FTC authority to fine a company for a first violation, it does enable the FTC to bring enforcement actions against alleged violators, and these actions typically have resulted in consent decrees that prohibit the company from future misconduct and often require independent assessments every two years for up to 20 years. The FTC can, however, seek civil penalties against a business that violates an existing consent order.

At the state level, attorneys general also have the ability to bring enforcement actions for unfair or deceptive trade practices, or to enforce violations of specific state privacy laws. The California attorney general, for example, will be empowered to enforce violations of the CCPA. Some state privacy laws allow affected individuals to bring lawsuits to enforce violations of the law.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There are no regulations or structures that require the various federal and state data protection authorities to cooperate with one another. In the event of a data breach, however, many state attorneys general set up a multistate task force to pool resources, investigate the companies that experienced the breach and reach a settlement or collectively litigate against the company. The resolutions often require companies to improve their information security programmes and obtain third-party assessments of their programmes.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

In general, violations of federal and state privacy laws lead to civil, not criminal, penalties. The main exceptions are the laws directed at surveillance activities and computer crimes. Violations of the federal Electronic Communications Privacy Act (ECPA) (which is composed of the Wiretap Act, the Stored Communications Act and the Pen Register Act) or the Computer Fraud and Abuse Act (CFAA) can lead to criminal sanctions and civil liability. In addition, many states have enacted surveillance laws that include criminal sanctions, in addition to civil liability, for violations.

Outside the surveillance context, the US Department of Justice (DOJ) is authorised to criminally prosecute serious HIPAA violations. Where an individual knowingly obtains or discloses individually identifiable health information in violation of HIPAA, the DOJ may pursue criminal sanctions, with penalties increasing where the conduct involves false pretences or an intent to sell the information or use it for commercial advantage, personal gain or malicious harm.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

There is no single data protection law of general application in the US. At the federal level, different privacy requirements apply to different industry sectors and data processing activities. These laws often are narrowly tailored and address specific data uses. For entities not subject to industry-specific regulation, the FTC at the federal level and attorneys general at the state level have broad authority to bring enforcement actions for unfair or deceptive trade practices in the privacy context.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Interception of communications is regulated primarily at the federal level by the ECPA, which is composed of the Wiretap Act, the Stored Communications Act and the Pen Register Act. The federal CFAA is sometimes invoked against surveillance-type conduct, but it is principally an anti-hacking statute that prohibits accessing a computer without authorisation or in excess of authorised access. At the state level, most states have laws that regulate the interception of communications, and a number of them require the consent of all parties to a communication rather than only one.

There are only a handful of laws that specifically target the practice of electronic marketing, and the relevant laws are specific to the marketing channel in question. Commercial email is regulated at the federal level by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). There are also state laws regulating commercial email, but these laws are generally pre-empted by CAN-SPAM except to the extent they prohibit falsity or deception in commercial email. Telemarketing is regulated at the federal level by the Telephone Consumer Protection Act of 1991 (TCPA) and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the FTC and the Federal Communications Commission (FCC). There are also state laws regulating telemarketing activities. Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC. Fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

In addition to the laws set forth above, there are numerous other federal and state laws that address privacy issues, including state information security laws and laws that apply to:

  • consumer report information: the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA);
  • children’s information: the Children’s Online Privacy Protection Act (COPPA);
  • driver’s information: the Driver’s Privacy Protection Act of 1994;
  • video rental records: the Video Privacy Protection Act; and
  • federal government activities: the Privacy Act of 1974.

The Cybersecurity Information Sharing Act of 2015 (CISA) authorises entities to engage in certain cybersecurity monitoring, defence practices and information-sharing activities for purposes of protecting against cybersecurity threats. To help companies secure their information and systems, CISA provides businesses with certain liability protections in connection with monitoring information systems for cybersecurity purposes, implementing cybersecurity defensive measures, and sharing cyber threat indicators and defensive measures with other private entities and federal government agencies. Those protections apply only where the sharing is conducted in accordance with the Act, which among other things requires the sharing entity to remove, before sharing, any information it knows at the time to be personal information of a specific individual that is not directly related to a cybersecurity threat.

In 2018, the California legislature enacted the CCPA, which becomes effective on 1 January 2020. The Act applies to any for-profit business that:

  • does business in California;
  • collects consumers’ personal information (or on whose behalf such information is collected);
  • alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and
  • satisfies at least one of the Act’s thresholds: annual gross revenues above US$25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 per cent or more of its annual revenues from selling consumers’ personal information.

The CCPA defines ‘personal information’ broadly and contains provisions granting California consumers certain rights with respect to their personal information. This new legislation in California has helped set the stage for a number of similar proposed laws currently pending in various state legislatures across the US, as well as a possible federal data privacy law.

PII formats

What forms of PII are covered by the law?

The US does not have a dedicated data protection law. Thus, the definition of PII varies depending on the underlying law or regulation. In the state security breach notification law context, for example, the definition of PII generally includes an individual’s name plus his or her Social Security number, driver’s licence number, or financial account number. Some states broaden the definition of PII under the data breach notification laws to include such elements as medical information, insurance information, biometrics, email addresses and passwords to online accounts. In other contexts, such as FTC enforcement actions, GLB or HIPAA, the definition of PII is much broader. Although certain laws apply only to electronic PII, many cover PII in any medium, including hard copy records.

The CCPA contains a broad definition of PII that includes any ‘information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household’.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

As a general matter, the reach of US privacy laws is limited to organisations that are subject to the jurisdiction of US courts as constrained by constitutional due process considerations. Determinations regarding such jurisdiction are highly fact-specific and depend on the details of an organisation’s contacts with the US.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Generally, US privacy laws apply to all processing of PII. There are no formal designations of ‘controllers’ and ‘processors’ under US law as there are in the laws of other jurisdictions. There are, however, specific laws that set forth different obligations based on whether an organisation would be considered a data owner or a service provider. The most prominent example of this distinction is found in the US state breach notification laws. Pursuant to these laws, it is generally the case that the owner of the PII is responsible for notifying affected individuals of a breach, whereas a service provider is responsible for informing the data owner that it has suffered a breach affecting the data owner’s data. Once a data owner has been notified of a breach by a service provider, the data owner, not the service provider, then must notify affected individuals.

The CCPA has adopted a concept quite similar to the controller concept under the GDPR, in that businesses directly subject to the law are defined to mean those entities that determine the purposes and means of the processing of consumers’ personal information.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

US privacy laws generally do not limit the retention of PII to certain specified grounds. There are, however, laws that may indirectly affect an organisation’s ability to retain PII. For example, organisations that are collecting personal information online from California residents must comply with the California Online Privacy Protection Act. Pursuant to this law, and general consumer expectations in the US, the organisation must provide a privacy notice detailing the PII the company collects and how it is used. If the organisation uses the PII in materially different ways than those set forth in the privacy notice without providing notice and obtaining consent for such uses from the relevant consumers, these uses would likely be considered a deceptive trade practice under federal and state unfair competition laws. Similar laws are in place in Delaware and Nevada.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Since the US does not have a dedicated data protection law, there is no singular concept of ‘sensitive data’ that is subject to heightened standards. There are, however, certain types of information that generally are subject to more stringent rules, such as:

Sensitive data in the security breach notification context

To the extent an organisation maintains individuals’ names plus their Social Security numbers, driver’s licence numbers or financial account numbers, notification generally is required under the state breach notification laws (and, in regulated sectors, under federal rules such as the HIPAA breach notification rule) where the information has been acquired or accessed by an unauthorised third party. Some states include additional data elements that could trigger breach notification, such as medical information, insurance information, biometrics, email addresses and passwords to online accounts. Most state laws also provide an encryption safe harbour: notification is not required where the affected data was encrypted and the encryption key was not itself compromised, which makes the scope of key exposure a central question in any breach investigation.

Consumer report information

The FCRA seeks to protect the confidentiality of information bearing on the creditworthiness and standing of consumers. The FCRA limits the permissible purposes for which reports that contain such information (known as consumer reports) may be disseminated, and consumer reporting agencies must verify that anyone requesting a consumer report has a permissible purpose for receiving the report.

Background screening information

Many sources of information used in background checks are considered public records in the US, including criminal, civil court, bankruptcy, tax lien, professional licensing, workers’ compensation and driving records. The FCRA imposes restrictions on the inclusion of certain public records in background screening reports when performed by consumer reporting agencies. Employers also can investigate job applicants and employees using internet search engines, but they must comply with their legal obligations under various labour and employment laws to the extent such laws restrict the use of the information. For instance, consideration of factors such as age, race, religion, disability, or political or union affiliation in making employment decisions can be the basis for a claim of unlawful discrimination under federal or state law.

Health information

HIPAA specifies permissible uses and disclosures of protected health information (PHI), mandates that HIPAA-covered entities provide individuals with a privacy notice and other rights, regulates covered entities’ use of service providers (known as business associates), and sets forth extensive information security safeguards relevant to electronic PHI.

Children’s information

COPPA imposes extensive obligations on organisations that collect personal information from children under 13 years of age online. COPPA’s purpose is to provide parents and legal guardians greater control over the online collection, retention and disclosure of information about their children.

Under the Privacy Rights for California Minors in the Digital World law, California minors who are registered users of a website, online service or mobile application may seek the removal of content and information that the minors have posted. A ‘minor’ is defined as a California resident under the age of 18.

The California Consumer Privacy Act prohibits a business from selling a minor’s personal information unless:

  • the consumer is at least 13 but under 16 years of age and has affirmatively authorised the sale (ie, they opt in); or
  • the consumer is under 13 years of age and the consumer’s parent or guardian has affirmatively authorised the sale.

Biometric information

Illinois, Texas and Washington have enacted biometric privacy laws that set forth requirements for businesses that collect and use biometric information for commercial purposes. These laws generally require that companies provide notice to individuals and obtain their affirmative consent before using their biometric identifiers for commercial purposes. The laws also require companies to implement security measures to protect the biometric information they maintain and to retain biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity, security threats or liability, or provide the service for which the biometric identifier was collected. Of the three, the Illinois Biometric Information Privacy Act (BIPA) is the most significant in practice because it provides a private right of action with statutory damages, which has generated substantial class action litigation.

State Social Security number (SSN) laws

Numerous state laws impose obligations with respect to the processing of SSNs. These laws generally prohibit:

  • intentionally communicating SSNs to the general public;
  • using SSNs on ID cards required for individuals to receive goods or services;
  • requiring individuals to transmit SSNs over the internet unless the connection is secure or the SSN is encrypted or redacted;
  • requiring an individual to use an SSN to access a website unless another authentication device is also used; and
  • mailing materials with SSNs (subject to certain exceptions).

A number of state laws also impose restrictions targeting specific SSN uses.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

For organisations not otherwise subject to specific regulation, the primary law requiring them to provide a privacy notice to consumers is California’s Online Privacy Protection Act. This law requires a notice when an organisation collects personal information from individuals in the online and mobile contexts. The law requires organisations to specify in the notice:

  • the categories of PII collected through the website;
  • the categories of third-party persons or entities with whom the operator may share the PII;
  • the process an individual must follow to review and request changes to any of his or her PII collected online, to the extent such a process exists;
  • how the operator responds to web browser ‘do not track’ signals or similar mechanisms that permit individuals to exercise choice regarding the collection of their PII online over time and across third-party websites or online services, if the operator engages in such collection;
  • whether third parties collect PII about individuals’ online activities over time and across different websites when an individual uses the operator’s website or online service;
  • the process by which consumers who visit the website or online service are notified of material changes to the privacy notice for that website; and
  • the privacy notice’s effective date.

In addition to the requirements of the California Online Privacy Protection Act, the CCPA requires businesses to provide notice to consumers of their rights under the Act (eg, the right to opt out of the sale of personal information), a list of the categories of personal information collected about consumers in the preceding 12 months and, where applicable, that the business sells or discloses their personal information. If the business sells consumers’ personal information or discloses it to third parties for a business purpose, the notice also must include lists of the categories of personal information sold and disclosed about consumers, respectively. Businesses must separately provide a clear and conspicuous link on their website that says ‘Do not sell my personal information’ and provide consumers a mechanism to opt out of the sale of their personal information, a decision the business must respect. Companies must update their notices at least once every 12 months.

Delaware and Nevada have also enacted laws that require operators of commercial internet services to provide similar information to their users when collecting PII online. In addition to these state laws, there are federal laws that require a privacy notice to be provided in certain circumstances, such as:

COPPA

Pursuant to the FTC’s Children’s Online Privacy Protection Rule, implemented pursuant to COPPA, operators of websites or online services that are directed to children under 13 years old, or who knowingly collect information from children online, must provide a conspicuous privacy notice on their site. The notice must include statutorily prescribed information, such as the types of personal information collected, how the operator will use the personal information, how the operator may disclose the personal information to third parties, and details regarding a parent’s ability to review the information collected about a child and opt out of further information collection and use. In most cases, an operator that collects information from children online also must send a direct notice to parents that contains the information set forth above along with a statement that informs parents the operator intends to collect the personal information from their child. The operator also must obtain verifiable parental consent prior to collecting, using or disclosing personal information from children.

FCRA and FACTA

The FCRA, as amended by FACTA, imposes several requirements on consumer reporting agencies to provide consumers with notices, including in the context of written disclosures made to consumers by a consumer reporting agency, identity theft, employment screening, pre-screened offers of credit or insurance, information sharing with affiliates, and adverse actions taken on the basis of a consumer report.

GLB

Financial institutions must provide an initial privacy notice to customers by the time the customer relationship is established. If the financial institution shares non-public personal information with non-affiliated third parties outside of an enumerated exception, the entity must provide each relevant customer with an opportunity to opt out of the information sharing. Following this initial notice, financial institutions subject to GLB must provide customers with an annual notice. The annual notice is a copy of the full privacy notice and must be provided to customers each year for as long as the customer relationship persists. For ‘consumers’ (individuals that have obtained a financial product or service for personal, family or household purposes but do not have an ongoing, continuing relationship with the financial institution), a notice generally must be provided before the financial institution shares the individual’s non-public personal information with third parties outside of an enumerated exception. A GLB privacy notice must explain what non-public personal information is collected, the types of entities with whom the information is shared, how the information is used, and how it is protected. The notice also must indicate the consumer’s right to opt out of certain information sharing with non-affiliated parties. In 2009, the federal financial regulators responsible for enforcing privacy regulations implemented pursuant to GLB released model forms for financial institutions to use when developing their privacy notices. Financial institutions that use the model form in a manner consistent with the regulators’ published instructions are deemed compliant with the regulation’s notice requirements. In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act transferred GLB privacy notice rule-making authority from the financial regulatory agencies to the CFPB. The CFPB then restated the GLB implementing regulations, including those pertaining to the model form, in Regulation P.

HIPAA

The Privacy Rule promulgated pursuant to HIPAA requires covered entities to provide individuals with a notice of privacy practices. The Rule imposes several content requirements, including:

  • the covered entities’ permissible uses and disclosures of PHI;
  • the individual’s rights with respect to the PHI and how those rights may be exercised;
  • a list of the covered entity’s statutorily prescribed duties with respect to the PHI; and
  • contact information for the individual at the covered entity responsible for addressing complaints regarding the handling of PHI.

Exemption from notification

When is notice not required?

Outside of the specifically regulated contexts discussed above, a privacy notice in the US must only be provided in the context of collecting personal information from consumers online. There is no requirement of general application that obliges unregulated organisations to provide a privacy notice regarding their offline handling of personal information. There is also no obligation to provide a general privacy notice in the employment context.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

In the regulated contexts discussed above, individuals are provided with limited choices regarding the use of their information. The choices are dependent upon the underlying law. Under GLB, for example, customers and consumers have a legal right to opt out of having their non-public personal information shared by a financial institution with third parties (outside an enumerated exception). Similarly, under the FCRA, as amended by FACTA, individuals have a right to opt out of having certain consumer report information shared by a consumer reporting agency with an affiliate, in addition to another opt-out opportunity prior to any use of a broader set of consumer report information by an affiliate for marketing reasons. Federal telemarketing laws and the CAN-SPAM Act give individuals the right to opt out of receiving certain types of communications, as do similar state laws.

In addition, California’s Shine the Light Law generally requires companies that collect personal information from California residents either to give those individuals a way to learn which third parties received their personal information for the third parties’ direct marketing purposes during the preceding calendar year or, alternatively, to give the individuals the right to opt out of such third-party sharing. This right is expanded in the CCPA, which provides that, upon request from a California consumer, an organisation must disclose:

  • the categories and specific pieces of personal information the business has collected about the consumer;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purposes for collecting or selling personal information; and
  • the categories of third parties with whom the business shares personal information.

The CCPA also provides consumers with the right to opt out of the sale of their personal information.

As the primary regulator of privacy issues in the US, the FTC periodically issues guidance on pressing issues. In the FTC’s 2012 report entitled ‘Protecting Consumer Privacy in an Era of Rapid Change’, the FTC set forth guidance indicating that organisations should provide consumers with choices with regard to uses of personal information that are inconsistent with the context of the interaction through which the organisation obtained the personal information. In circumstances where the use of the information is consistent with the context of the transaction, the FTC indicated that offering such choices is not necessary.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

There is no law of general application in the US that imposes standards related to the quality, currency and accuracy of PII. There are laws, however, in specific contexts that contain standards intended to ensure the integrity of personal information maintained by an organisation. The FCRA, for example, requires users of consumer reports to provide consumers with notices if the user will be taking an adverse action against the consumer based on information contained in a consumer report. These adverse action notices must provide the consumer with information about the consumer’s right to obtain a copy of the consumer report used in making the adverse decision and to dispute the accuracy or completeness of the underlying consumer report. Similarly, pursuant to the HIPAA Security Rule, covered entities must ensure, among other things, the integrity of electronic protected health information (ePHI).

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

US privacy laws generally do not impose direct restrictions on an organisation’s retention of personal information. There are, however, thousands of records retention laws at the federal and state level that impose specific obligations on how long an organisation may (or must) retain records, many of which cover records that contain personal information.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

US privacy laws have not specifically adopted the finality principle. As a practical matter, organisations typically describe their uses of personal information collected from consumers in their privacy notices. To the extent an organisation uses the personal information it collects subject to such a privacy notice for materially different purposes than those set forth in the notice, it is likely that such a practice would be considered a deceptive trade practice under federal and state consumer protection laws.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

In the US, organisations must use the personal information they collect in a manner that is consistent with the uses set forth in the privacy notice. To the extent an organisation would like to use previously collected personal information for a materially different purpose, the FTC and state attorneys general would expect the organisation to first obtain opt-in consent from the consumer for such use. Where the privacy notice is required by a statute (eg, a notice to parents pursuant to COPPA), failure to handle the PII as described pursuant to such notice also may constitute a violation of the statute.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Similar to privacy regulation, there is no comprehensive federal information security law in the US. Accordingly, the security obligations that are imposed on data owners and entities that process PII on their behalf depend on the regulatory context. These security obligations include:

GLB

The Safeguards Rule implemented pursuant to GLB requires financial institutions to ‘develop, implement, and maintain a comprehensive information security programme’ that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of customer information. The requirements of the Safeguards Rule apply to all non-public personal information in a financial institution’s possession, including information about the institution’s customers as well as customers of other financial institutions. Although the Safeguards Rule is not prescriptive in nature, it does set forth five key elements of a comprehensive information security programme:

  • designation of one or more employees to coordinate the programme;
  • conducting risk assessments;
  • implementation of safeguards to address risks identified in risk assessments;
  • oversight of service providers; and
  • evaluation and revision of the programme in light of material changes to the financial institution’s business.

HIPAA

The Security Rule implemented pursuant to HIPAA, which applies to ePHI, sets forth specific steps that covered entities and their service providers must take to:

  • ensure the confidentiality, integrity, and availability of ePHI;
  • protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;
  • protect against any reasonably anticipated uses or disclosures of ePHI; and
  • ensure compliance with the Security Rule by the covered entity’s workforce.

Unlike other US information security laws, the Security Rule is highly prescriptive and sets forth detailed administrative, technical and physical safeguards.

State information security laws

Laws in several US states, including California, impose general information security standards on organisations that maintain personal information. California’s law, for example, requires organisations that own or license personal information about California residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorised access, destruction, use, modification or disclosure. In addition, organisations that disclose personal information to non-affiliated third parties must contractually require those entities to maintain reasonable security procedures.

Massachusetts Standards for the Protection of Personal Information

In 2008, Massachusetts issued regulations requiring any person who holds personal information about Massachusetts residents to develop and implement a comprehensive, written information security programme to protect the data. The regulations apply in the context of both consumer and employee information, and require the protection of personal data in both paper and electronic formats. Unlike the California law, the Massachusetts regulations impose certain specific data security standards, including required technical safeguards, on all private entities with Massachusetts consumers or employees.

New York Department of Financial Services Cybersecurity Regulation

In 2017, the New York State Department of Financial Services (NYDFS) issued a regulation that establishes a robust set of cybersecurity requirements for financial services providers regulated by the NYDFS. The cybersecurity regulation applies to entities that operate under a NYDFS licence, registration or charter pursuant to New York banking, insurance or financial services law. The cybersecurity regulation requires such covered entities to maintain a comprehensive cybersecurity programme and implement certain processes and technical controls related to risk assessments, user access privileges, software security, system auditing and monitoring, data encryption, data disposal and retention, and cybersecurity incident response. In addition, the regulation assigns cybersecurity oversight responsibilities to senior officials and boards of directors and requires entities to report cybersecurity events to the NYDFS.

Nevada encryption law

Nevada law requires that organisations doing business in Nevada that accept payment cards must comply with the Payment Card Industry Data Security Standard. It requires that other organisations doing business in Nevada use encryption when transferring ‘any personal information through an electronic, non-voice transmission other than a facsimile to a person outside of the secure system of the data collector’, and when moving ‘any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor’.

State Social Security number laws

Numerous state laws impose obligations with respect to the processing of SSNs. These laws generally prohibit:

  • intentionally communicating SSNs to the general public;
  • using SSNs on ID cards required for individuals to receive goods or services;
  • requiring that SSNs be used in internet transactions unless the transaction is secure or the SSN is encrypted or redacted;
  • requiring an individual to use an SSN to access a website unless another authentication device is also used; and
  • mailing materials with SSNs (subject to certain exceptions).

A number of state laws also impose restrictions targeting specific SSN uses.

Key industry and government standards

There are several key industry standards in the area of information security. The Payment Card Industry Data Security Standard (PCI DSS), a contractual standard maintained by the payment card brands, applies to all entities that store, process or transmit credit or debit card data. It obligates covered entities to comply with prescriptive information security requirements, which include:

  • installing and maintaining a firewall configuration to protect cardholder data;
  • encrypting transmission of cardholder data across public networks;
  • protecting systems against malware and regularly updating anti-virus software or programs; and
  • restricting physical access to cardholder data.

Entities subject to the PCI DSS are required to validate their compliance on an annual basis. The specific requirements necessary to certify compliance depend on the type of entity involved in the processing of payment cards and the number of payment cards processed by the covered entity pursuant to each payment card brand’s compliance validation programme.

The National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, has produced various publications and guidance on a host of information security topics that are intended to help businesses. The most significant of the NIST security publications is the NIST Cybersecurity Framework. This is a flexible document that gives users the discretion to decide which aspects of cybersecurity to prioritise, what level of security to adopt and which standards, if any, to apply. Other guidance documents address methods of media sanitisation, conducting risk assessments, security considerations in the information system development life cycle and storage encryption for end user devices.

In addition, the International Organization for Standardization (ISO) is a non-governmental organisation composed of the national standards institutes of 161 countries. The ISO sets international standards across a range of industries. In the area of information security, the ISO has promulgated two important standards: 27001 and 17799/27002. ISO 27001 provides a ‘process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system’. It is a flexible standard, and users are encouraged to:

  • understand their information security requirements and the need to establish policy objectives for information;
  • implement controls to manage information security risks in the context of the organisation’s overall business risks;
  • monitor and review the performance and effectiveness of the Information Security Management System; and
  • continually improve the Information Security Management System based on objective measurement.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

There are no breach notification laws of general application at the federal level. There are, however, numerous targeted breach notification laws at both the state and federal level, including:

State breach laws

At present, all 50 states, the District of Columbia, the US Virgin Islands, Guam and Puerto Rico have enacted breach notification laws that require data owners to notify affected individuals in the event of unauthorised access to or acquisition of personal information, as that term is defined in each law. In addition to notification of individuals, the laws of 23 states also require notice to a state regulator in the event of a breach, typically the state attorney general. Although most state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, a number of jurisdictions do not employ such a harm threshold and require notification of any incident that meets their definition of a breach.

Federal Interagency Guidance

Several federal banking regulators issued the Interagency Guidance on Response Programs for Unauthorised Access to Customer Information and Customer Notice. Entities regulated by the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision are subject to the Interagency Guidance. The Interagency Guidance directs subject financial institutions to develop and implement a response programme to address incidents of unauthorised access to customer information processed in systems the institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of the information. In addition, the Interagency Guidance contains three key breach notification requirements. First, when a financial institution becomes aware of an incident involving unauthorised access to or use of sensitive customer information, the institution must promptly notify its primary federal regulator. Second, the institution must notify appropriate law enforcement authorities in situations involving federal criminal violations requiring immediate attention. Third, the institution also must notify relevant customers of the incident if the institution’s investigation determines that misuse of sensitive customer information has occurred or is reasonably possible. In this context, ‘sensitive customer information’ means a customer’s name, address, or telephone number in conjunction with the customer’s SSN, driver’s licence number, account number, credit or debit card number, or a PIN or password that would permit access to the customer’s account. Any combination of these data elements that would allow an unauthorised individual to access the customer’s account also would constitute sensitive customer information.

HITECH Act

The Health Information Technology for Economic and Clinical Health Act’s (HITECH Act) information security breach provisions apply in the healthcare context, governing both HIPAA-covered entities and non-HIPAA-covered entities. The HITECH Act and the breach-related provisions of the HHS regulations implementing the Act require HIPAA-covered entities that experience an information security breach to notify affected individuals, and service providers of HIPAA-covered entities to notify the HIPAA-covered entity following the discovery of a breach. Unlike the state breach notification laws, the obligation to notify as a result of an information security breach under the HITECH Act falls on any HIPAA-covered entity that ‘accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHI’. Any HIPAA-covered entity that processes unsecured PHI must notify affected individuals in the event of a breach, whether the covered entity owns the data or not.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

No, the appointment of a data protection officer is not mandatory under the privacy rules of general application. Many organisations in the US appoint a chief privacy officer (CPO), but his or her responsibilities are dictated by business need rather than legal requirements. Certain sector-specific laws do require the appointment of a CPO. For example, HIPAA requires the appointment of a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. In addition, several federal and state laws require that a chief information security officer or an equivalent be appointed. These laws include GLB, HIPAA and the NYDFS Cybersecurity Regulations.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

There are no legal requirements of general application that obligate owners of PII to maintain internal records or establish internal processes or documentation. As discussed in question 20, there are several statutory frameworks in the US that require organisations to develop an information security programme, which typically must contain internal processes and documentation. These include requirements imposed by GLB, HIPAA and state information security laws.

New processing regulations

Are there any obligations in relation to new processing operations?

Generally, there are no legal obligations in relation to new processing operations, such as to apply a privacy-by-design approach or carry out privacy impact assessments. Applicable to US federal agencies only, the E-Government Act of 2002 requires the completion and publication of privacy impact assessments when the agency engages in a new collection of, or applies new technologies to, personally identifiable information. The FTC issued a report, however, that recommends that companies consider privacy-by-design principles during all stages of the design and development of products and services.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

There are no registration requirements for data processing activities in the US.

Formalities

What are the formalities for registration?

There are no registration requirements for data processing activities in the US.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

There are no registration requirements for data processing activities in the US.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

There are no registration requirements for data processing activities in the US.

Public access

Is the register publicly available? How can it be accessed?

There are no registration requirements for data processing activities in the US.

Effect of registration

Does an entry on the register have any specific legal effect?

There are no registration requirements for data processing activities in the US.

Other transparency duties

Are there any other public transparency duties?

See question 13 regarding notification of individuals.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

As a general matter, organisations address privacy and information security concerns in their agreements with service providers that will provide outsourced processing services. There are no laws of general application in the US that impose requirements on data owners with respect to their service providers. There are, however, specific laws that address this issue, such as:

HIPAA

Through the Privacy and Security Rules, HIPAA imposes significant restrictions on the disclosure of PHI. The regulations require covered entities to enter into business associate agreements containing statutorily mandated language before PHI may be disclosed to a service provider.

GLB

In accordance with the Privacy Rule enacted pursuant to GLB, prior to disclosing consumer non-public personal information to a service provider, a financial institution must enter into a contract with the service provider prohibiting the service provider from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Under the Safeguards Rule enacted pursuant to GLB, prior to allowing a service provider access to customer personal information, the financial institution must take reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards, and require the service provider by contract to implement and maintain such safeguards.

State information security laws

A number of states impose a general information security standard on businesses that maintain personal information. These states have laws requiring companies to implement reasonable information security measures. California law and Massachusetts law require organisations that disclose personal information to service providers to include contractual obligations that those entities maintain reasonable security procedures. The CCPA prescribes additional content to be included in contracts with service providers.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

A wide variety of laws contain disclosure restrictions targeted to specific forms of PII. For example, HIPAA and GLB impose limitations on certain disclosures, such as requirements for consent and for contracts with certain types of recipients. The CCPA provides rights to consumers with respect to a business’s ability to sell their personal information to certain types of third parties.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

US privacy laws do not impose restrictions on cross-border data transfers. The EU-US and Swiss-US Privacy Shield frameworks permit the transfer of personal data from the European Union and Switzerland to the United States. (The Privacy Shield is expected to apply to transfers of UK personal data to the US post-Brexit, though Privacy Shield participants will be required to update their Privacy Shield commitments if and when the UK withdraws from the European Union.) They also regulate the onward transfer of personal data from the United States to third countries through the use of onward transfer agreements, which are contracts that contain specific provisions regulating the use and disclosure of personal data by the onward transfer recipients of such data.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

US privacy laws do not impose restrictions on cross-border data transfers.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

US privacy laws do not impose restrictions on cross-border data transfers.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

There are no laws of general application in the US that provide individuals with a right to access the personal information about them that is held by an organisation. There are specific laws that address access rights, including:

HIPAA

Under the Privacy Rule enacted pursuant to HIPAA, an individual has a right to access PHI about the individual that is maintained by the covered entity unless the covered entity has a valid reason for denying the individual such access. Valid reasons can include the fact that the PHI is subject to restricted access under other laws, or that access to the PHI is reasonably likely to cause substantial harm to another person. A covered entity must provide the requested access to the PHI within 30 days of the request and must explain the justification for any denial of access.

California’s Shine the Light Law

Under this law, organisations that collect personal information from California residents generally must either:

  • provide such individuals with an opportunity to know which third parties the organisation shared California consumers’ personal information with for such third parties’ direct marketing purposes during the prior calendar year; or
  • allow such individuals the right to opt out of most third-party sharing.

If an organisation implements the first option, it must provide California residents with a postal address, email address or toll-free telephone or fax number that California residents may contact to obtain the list of relevant third parties. Organisations are required to respond only to a single request per California resident per calendar year.

California Consumer Privacy Act

Under this law, California consumers have a right to request information about the PII organisations collected, shared and sold within the past 12 months. Specifically, a consumer has a right to request that an organisation disclose the categories of PII the organisation has collected about that consumer; the categories of sources from which the PII is collected; the business or commercial purpose for collecting or selling PII; the categories of third parties with whom the organisation shares PII; the specific pieces of PII it has collected about that consumer; the categories of PII it has sold about the consumer and the categories of third parties to whom the PII was sold; and the categories of PII that the organisation disclosed for a business purpose and the categories of third parties to whom the PII was disclosed for a business purpose. The CCPA also provides that an organisation’s response to an access request must be delivered in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.

Other rights

Do individuals have other substantive rights?

The CCPA provides consumers with the right to delete the personal information that the business has collected about the consumer and direct any service providers to delete the consumer’s personal information. There are several enumerated exceptions to this deletion requirement, such as if it is necessary to maintain the consumer’s personal information to complete the transaction for which the personal information was collected or to protect against malicious, deceptive, fraudulent or illegal activity.

In addition, some sector-specific laws provide other substantive rights. For example, the HIPAA Privacy Rule provides individuals with the right to amend their PHI. If an individual requests that a covered entity amend the individual’s PHI, the covered entity must act on the request within 60 days and must explain any reasons for denying it. COPPA allows parents or legal guardians to revoke their consent and refuse the further use or collection of personal information from their child. This law also allows parents or guardians to request deletion of their child’s personal information. The FCRA provides individuals with the right to dispute and demand correction of information about them that is held by consumer reporting agencies.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals are entitled to monetary damages for wrongful acts under common law and pursuant to most statutes that provide for a private right of action. Consumers often bring class action lawsuits against organisations as a result of alleged privacy violations, whether statutory violations or other wrongful acts that affect them, including information security breaches. In security breach cases, consumers often allege that the organisation was negligent in securing the consumers’ personal information, and that such negligence led to the security breach. As a general matter, consumers need to establish that they suffered actual damages as a direct result of the organisation’s negligence in order to succeed on such a claim.

In the regulatory context, the ability to obtain monetary damages or compensation depends entirely on the statute in question. Under section 5 of the FTC Act, for example, the FTC’s initial remedy is equitable relief (typically a consent order); civil penalties, which could reach $41,484 per violation, are available only for a breach of an existing consent order. Pursuant to the FCRA, in the event an organisation wilfully fails to comply with the law, the Act provides for the recovery by aggrieved individuals of actual damages sustained or statutory damages of ‘not less than $100 and not more than $1,000’ per violation, plus punitive damages, attorneys’ fees and court costs. Negligent non-compliance may result in liability for actual damages as well as costs and attorneys’ fees. Section 5 of the FTC Act, by contrast, provides no private right of action to individuals and can be enforced solely by the regulator.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

To the extent an individual obtains monetary relief as a result of illegal activity by an organisation, that relief will be obtained primarily through the judicial system. Typically, the civil penalties imposed by regulators are not paid directly to aggrieved individuals. There are, however, exceptions to this rule. For example, under the FCRA, organisations that settle claims with regulators can be asked to provide funds for consumer redress.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

There is no law of general application regarding privacy and information security in the US, and thus there are no derogations, exclusions or limitations of general application as there are in other jurisdictions. The Cybersecurity Information Sharing Act of 2015 (CISA) provides companies with liability protection for cybersecurity monitoring and defence practices. For example, CISA preempts state law and grants liability protection to companies against any cause of action in any court for the monitoring of an information system and information to the extent the monitoring is conducted for cybersecurity purposes delineated under CISA.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

The ability of an organisation to appeal orders of a supervisory authority is highly contextual. In the FTC context, an order is the result of an administrative proceeding before an FTC administrative law judge and the full FTC on review. An order issued by the FTC as a result of this process can be appealed directly to a federal court of appeals, where the FTC’s order would be entitled to some deference on review.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

There have been numerous legislative efforts aimed at providing formal regulation for the use of cookies, particularly in the behavioural advertising context. To date, none of those legislative efforts has succeeded. The FTC has issued a substantial amount of guidance in the area of online behavioural advertising, and industry has responded with a series of self-regulatory frameworks. Although not focused directly on cookies, a number of civil actions brought by individuals and enforcement actions brought by the FTC have targeted practices that depend on the use of cookies; the allegations tend to rest on laws of more general application, such as surveillance laws and section 5 of the FTC Act. At the state level, California law requires website operators to disclose how the operator responds to internet browser ‘do not track’ signals or other mechanisms that provide consumers with the ability to exercise choice regarding the collection of personal information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection. In addition, the CCPA affords consumers certain rights with respect to the sale of their data, which could affect the use of third-party cookies in many circumstances.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

See question 6.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

NIST has issued guidelines on security and privacy in cloud computing that are directed at federal departments and agencies. The guidelines state that the cloud computing solution should be able to meet the specific privacy and security needs of the department or agency, and departments and agencies should remain accountable for the security and privacy of any data and applications maintained in the cloud. In addition, HHS has issued guidance on HIPAA and cloud computing, clarifying that covered entities and business associates must enter into business associate agreements with cloud service providers that store or process electronic PHI before storing records containing ePHI in a cloud computing facility.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

In 2018, the California legislature enacted the ground-breaking CCPA, which signalled a dramatic shift in the data privacy regime in the United States. With a compliance deadline in 2020, the California Consumer Privacy Act grants consumers a number of new privacy rights. For example, a consumer has the right, subject to certain exceptions, to:

  • request that an organisation provide the consumer with access to and certain details about her personal information;
  • request that an organisation delete any personal information about the consumer that the organisation has collected from the consumer; and
  • direct an organisation not to sell the consumer’s personal information.

As such, the Act requires covered entities to make significant changes to their privacy programmes with respect to how they collect, use and disclose personal information. Since 2018, a number of legislative proposals seeking to clarify and amend the CCPA have been introduced. Many of these proposed amendments are pending in the California legislature.

Given California’s significant economic impact, and the fact that the CCPA is the most prescriptive general privacy law in the United States, the law has helped set the stage for a number of similarly focused proposed laws currently pending in state legislatures, as well as a possible federal data privacy law. Whether a federal law will pre-empt state laws such as the California Consumer Privacy Act also is a topic of debate and disagreement.