In your experience, do companies pay enough attention to the risks associated with data protection? Is this issue increasingly important as companies handle and transfer greater volumes of data internationally?
Most large US companies have begun to focus on data security risks in structuring processes and products, and in dealing with vendors and customers. Those companies at least recognize that they must make meaningful changes to keep pace with data security and legal risks flowing from their ever-increasing collection, storage and use of proprietary and personal data. But many firms of all sizes lag woefully behind. They are either unaware of the risks or obligations, or inadequately staffed or financed to deal with them. This is a particularly tough challenge for companies that do business across state and international lines because data security laws and enforcement vary across industries and jurisdictions.
Could you provide a brief overview of the principles behind data privacy laws in the US? How do the local laws compare to data privacy laws elsewhere?
Data privacy laws in much of the world apply regardless of industry, source or region. In contrast, the US features an alphabet soup of sector-specific federal data privacy laws. For example, the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare institutions, the Children's Online Privacy Protection Act (COPPA) applies to online businesses collecting information from children under age 13, the Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA) apply to student records, the Driver's Privacy Protection Act (DPPA) applies to motor vehicle records, and the Fair Credit Reporting Act (FCRA) applies to data collected by consumer reporting agencies. Stir in 50 US state and territorial data security laws governing data breach notice, security and destruction, and you get a complex thicket of data privacy and security laws.
Have there been any proposed or actual regulatory developments affecting data privacy that are worth noting?
2012 saw many notable changes to state data security and privacy laws. Vermont imposed a 14-day deadline for notifying the Attorney General of a data security breach affecting consumers in that state. Maryland, Illinois and California passed laws limiting employer access to employee or applicant social media accounts, and California formed a new Privacy Enforcement and Protection Unit. At the federal level, efforts to pass a law to pre-empt state data security breach notice laws failed, as did efforts to pass a federal law to regulate critical infrastructure. In response, the Obama administration is considering an Executive Order to develop voluntary cyber security standards for critical infrastructure.
What kinds of penalties may be issued against companies following data misuse or data leaks?
Remedies available in a particular case depend on which of the many state or federal data privacy or security laws is at issue. But, generally speaking, remedies may include damages, restitution, civil penalties and, in some cases, criminal penalties. For example, violations of HIPAA may result in civil penalties of up to $1.5m per calendar year, or criminal penalties of up to $250,000 and 10 years in prison. Violations of the COPPA Rule may result in civil penalties of up to $11,000 per violation. A HIPAA settlement in June with the Massachusetts Attorney General included a $750,000 civil penalty, and a June COPPA settlement included a $250,000 civil penalty.
To what extent has the government in the US increased its monitoring, audit and enforcement activities with respect to data privacy?
In 2012, the US Federal Trade Commission (FTC) and several state attorneys general brought many data privacy and security enforcement actions. The FTC cases effectively extended data security obligations to otherwise unregulated sectors on the theory that failing to provide "reasonable and appropriate" data security for consumer information is an unfair trade practice. FTC settlements usually require the company to establish and maintain a comprehensive, written data security program that must be audited by an independent third party at least biennially for up to 20 years. 2012 also saw an expanded focus by the Securities and Exchange Commission on public company disclosures concerning risks related to data security.
What trends have you seen in litigation against companies over data-related disputes?
What advice would you give to companies on managing data risk, installing internal compliance processes and maintaining compliance on data privacy?
Before expanding your business into the US, take stock of your company's data collection, use and security procedures. Then, map and classify those elements according to promises made to customers, vendors and partners; relative sensitivity; internal requirements; and external regulatory requirements. Next, draft and implement a written information security plan (WISP), and make sure this addresses all elements of information security, governance and risk - not just cyber security - including Data Classification Policies, Cloud Policies, Board and Management Oversight and Monitoring, Records Management and Retention, Incident Response Management, Litigation Preparedness and Business Continuity.
Copyright 2012 Financier Worldwide. Originally published in Financier Worldwide's Annual Review, December 2012.