PowerPoint Presentation

Date post: 14-Dec-2014
Privacy and Information Security Lisa J. Sotto Partner Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com April 7, 2006
Transcript
Page 1: PowerPoint Presentation

Privacy and Information Security

Lisa J. Sotto
Partner
Hunton & Williams LLP
(212) 309-1223
lsotto@hunton.com

April 7, 2006

Page 2: PowerPoint Presentation

Our Firm

• Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 850 attorneys in 16 offices, serving clients in over 100 countries
• 21 privacy professionals in the U.S., EU and Asia
• Our privacy clients include:
  - Kraft Foods
  - Visa
  - General Dynamics
  - British Telecom
  - Holtzbrinck Publishers
  - Google
  - Kodak
  - TJX
  - Estee Lauder
  - IKEA
  - Pitney Bowes
  - Computer Associates
• The Center for Information Policy Leadership at Hunton & Williams

Page 3: PowerPoint Presentation

What is Privacy?

• Privacy is the appropriate use of information as defined by:
  • Law
  • Consumer expectations
• Security is the protection of information
  • Confidentiality (protection against unauthorized access to data)
  • Data integrity

Page 4: PowerPoint Presentation

Four Privacy Risks

• Legal compliance
• Reputation
• Investment
• Reticence

Page 5: PowerPoint Presentation

U.S. Privacy Laws

• Major federal laws are:
  • GLB: Financial institutions
  • HIPAA: Health care entities
  • FCRA/FACTA: Consumer reporting agencies
  • FTC Disposal Rule
  • DPPA: DMV records
  • CAN-SPAM: Commercial e-mail
  • COPPA: Children’s data
  • Do-Not-Call Registry: Telemarketing
  • FTC Act Section 5: Prohibits unfair or deceptive trade practices
  • Privacy Act of 1974

Page 6: PowerPoint Presentation

California

• Disclosures to Direct Marketers Law (SB 27)
• California Online Privacy Protection Act
• Security of Personal Information (AB 1950)
• California Computer Security Breach Act (SB 1386)

Page 7: PowerPoint Presentation

Information Security

• 2005 was the year of the security breach
• In 2005/2006, 141 information security breaches so far
  - ChoicePoint
  - DSW
  - Bank of America
  - CardSystems
  - Lexis Nexis
  - Boston Globe
• Over 53 million potentially affected
• 22 additional state security breach notification laws
• Numerous federal bills

Page 8: PowerPoint Presentation

Recent FTC Enforcement Actions

• Most FTC privacy enforcement actions result from security breaches
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ’s Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.

Page 9: PowerPoint Presentation

Data Protection Laws Around the World

USA

Canada

Mexico

Australia

Europe

Japan

Argentina

Brazil

Page 10: PowerPoint Presentation

The EU Directive

• Enacted in 1995, each country has its own national data protection law – the Directive sets the floor
• Requires entities to notify authorities or register before processing personal data
• Prohibits transfer of personal data to non-EU jurisdictions unless “adequate level of protection” is guaranteed
• U.S. is not “adequate”
• Data transfer is permitted:
  • To “adequate” countries (e.g., Switzerland, Canada)
  • Within the safe harbor framework (from EU to U.S. only)
  • Where a contract ensures adequate protection
  • With “unambiguous consent” of data subject
  • BCRs

Page 11: PowerPoint Presentation

PIPEDA

• The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
• Establishes rules for the management of personal information by organizations involved in commercial activities
• Applies to the collection, use and disclosure of personal information by organizations during commercial activities
• Personal information is any information about an identifiable individual whether recorded or not
• Requirements:
  • Identify purposes of data collection
  • Obtain consent and limit use to identified purposes
  • Limit collection to necessary information
  • Limit use, disclosure and retention
  • Individual access

Page 12: PowerPoint Presentation

Latin America

• Argentina has an “adequate” comprehensive law, and now an active DPA
• Several nations have draft data protection laws
• Other nations codify privacy in consumer protection laws
• Many Latin American nations implement data protection concepts through habeas data rights
• Habeas data rights are found in many national constitutions

Page 13: PowerPoint Presentation

Japan

• Personal Information Protection Act
• Enacted in 2003, fully effective April 1, 2005
• “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
• Applies to each “entity using a personal information database”
• “Third party” does not include data processors but does include affiliates
• Civil and criminal penalties for violations
• Guidelines have been published by various Ministries

Page 14: PowerPoint Presentation

APEC

• Created an information privacy framework with 9 privacy principles:
  - Preventing harm
  - Integrity
  - Notice
  - Security
  - Collection limitation
  - Access and correction
  - Uses of personal information
  - Accountability
  - Choice
• Endorsed by 21 member economies in November 2004
• Consistent with OECD Guidelines

Page 15: PowerPoint Presentation

Final Thoughts

• Information security is the topic du jour
• Expect new US privacy legislation
• New level of professionalism of EU DPAs
• There is significant activity globally to enact new data protection laws
• There will be a focus on data protection harmonization in coming years

Page 16: PowerPoint Presentation

Questions?

Lisa J. Sotto
Partner
Head, Privacy and Information Management Practice
Hunton & Williams LLP
(212) 309-1223
lsotto@hunton.com
