The Evolution of Global Privacy Law
Lisa J. Sotto
Partner, Hunton & Williams LLP
(212) [email protected]
November 13, 2006
IBM Fall 2006 Security and Privacy Day
What is Privacy and Data Security?
• Privacy is the appropriate use of information as defined by:
  • Law
  • Consumer expectations
• Security is the protection of information:
  • Confidentiality (protection against unauthorized access to data)
  • Data integrity
Four Privacy Risks
• Legal compliance
• Reputation
• Investment
• Reticence
Data Protection Laws Around the World
US Privacy Laws
• Major federal laws are:
  • GLB: Financial institutions
  • HIPAA: Health care entities
  • FCRA/FACTA: Consumer reporting agencies
  • FTC Disposal Rule
  • DPPA: DMV records
  • CAN-SPAM: Commercial e-mail
  • COPPA: Children’s data
  • Do-Not-Call Registry: Telemarketing
  • FTC Act Section 5: Prohibits unfair or deceptive trade practices
  • Privacy Act of 1974
California
• Disclosures to Direct Marketers Law (SB 27)
• California Online Privacy Protection Act
• Security of Personal Information (AB 1950)
• California Computer Security Breach Act (SB 1386)
Information Security
• 2005 was the year of the security breach
• In 2005/2006, 365 information security breaches so far, including:
  • ChoicePoint
  • DSW
  • Bank of America
  • CardSystems
  • Lexis Nexis
  • Boston Globe
• Over 97 million potentially affected
• 34 state security breach notification laws
• Numerous federal bills
State Security Breach Notification Laws
• Generally, the duty to notify arises when unencrypted “personal information” was (or was reasonably believed to have been) acquired or accessed by an unauthorized person
• Some states also require notification when encrypted information has been acquired or accessed along with the encryption key
• “Personal information” is an individual’s name, combined with:
  • SSN
  • driver’s license or state ID card number
  • account, credit or debit card number along with any required password or access code
• But state laws differ:
  • Computerized v. paper data
  • Definition of PI
  • Notification to state agencies
  • CRA (consumer reporting agency) notification
  • Harm threshold
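The trigger on this slide is, in practice, a decision procedure an incident response team applies to each exposed dataset. The Python below is an added illustration and not part of the original presentation: it encodes only the generic rule stated above (name plus a listed identifier, unencrypted, or encrypted with the key also exposed) and adds switches for the ways the slide says states differ. The field names, the `StateRule` settings and the sample incidents are constructed for the example and do not correspond to any particular state statute; the real decision still needs the specific statutes and counsel.

```python
"""Triage helper for the generic state breach-notification trigger.

Added example, not from the original presentation. It models the generic
rule described on the slide, not any specific state's law. StateRule,
BreachedData, the field names and the sample incidents are all
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Identifiers that, combined with a name, make a record "personal
# information" under the generic rule on the slide.
STANDALONE_IDS = {"ssn", "drivers_license", "state_id"}
# Account and card numbers count only together with a password/access code.
ACCOUNT_IDS = {"account_number", "credit_card", "debit_card"}
ACCESS_SECRETS = {"password", "pin", "access_code"}


@dataclass
class StateRule:
    """Switches for the ways the slide says state laws differ (hypothetical)."""
    covers_paper: bool = False          # computerized vs. paper data
    key_exposure_triggers: bool = True  # encrypted data + exposed key counts
    harm_threshold: bool = False        # notify only if misuse is likely


@dataclass
class BreachedData:
    """What the responders know about one exposed dataset (constructed)."""
    fields: Set[str]                        # populated columns in the exposed data
    encrypted: bool
    key_exposed: bool = False
    medium: str = "computerized"            # or "paper"
    acquired_by_unauthorized: bool = True   # acquired, or reasonably believed so
    misuse_likely: bool = True


def is_personal_information(fields: Set[str]) -> bool:
    """Name combined with SSN, DL/state ID, or account number + access secret."""
    if "name" not in fields:
        return False
    if fields & STANDALONE_IDS:
        return True
    return bool(fields & ACCOUNT_IDS) and bool(fields & ACCESS_SECRETS)


def notification_required(data: BreachedData, rule: StateRule) -> Tuple[bool, str]:
    """Apply the generic trigger; return (decision, reason) for the incident log."""
    if not data.acquired_by_unauthorized:
        return False, "no unauthorized acquisition or access"
    if data.medium == "paper" and not rule.covers_paper:
        return False, "paper records are outside this rule"
    if not is_personal_information(data.fields):
        return False, "exposed fields do not meet the PI definition"
    if data.encrypted:
        if not data.key_exposed:
            return False, "data encrypted and key not compromised"
        if not rule.key_exposure_triggers:
            return False, "encrypted data not covered even with key exposure"
    if rule.harm_threshold and not data.misuse_likely:
        return False, "harm threshold not met"
    return True, "unencrypted (or key-exposed) PI acquired by an unauthorized person"


def triage_examples() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample incidents run against three hypothetical state rules."""
    default = StateRule()
    strict = StateRule(key_exposure_triggers=False, harm_threshold=True)
    paper_state = StateRule(covers_paper=True)
    key_leak = BreachedData({"name", "drivers_license"}, encrypted=True, key_exposed=True)
    paper = BreachedData({"name", "ssn"}, encrypted=False, medium="paper")
    cases = {
        "laptop_customer_db": (BreachedData({"name", "ssn", "email"}, encrypted=False), default),
        "encrypted_backup_tape": (BreachedData({"name", "ssn"}, encrypted=True), default),
        "encrypted_key_exposed": (key_leak, default),
        "encrypted_key_exposed_strict_state": (key_leak, strict),
        "card_numbers_only": (BreachedData({"name", "credit_card"}, encrypted=False), default),
        "card_with_pin": (BreachedData({"name", "debit_card", "pin"}, encrypted=False), default),
        "paper_files": (paper, default),
        "paper_files_paper_state": (paper, paper_state),
    }
    return {label: notification_required(d, r) for label, (d, r) in cases.items()}


if __name__ == "__main__":
    for label, (notify, reason) in triage_examples().items():
        print(f"{label:36s} notify={notify!s:5s} {reason}")
```

The two encryption cases are the ones worth noticing: an encrypted backup tape with the key held elsewhere does not trigger the generic rule, but the same data with the key stored beside it does in states that treat key exposure as equivalent to plaintext, which is why responders need to establish where the key lived before deciding.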
Recent FTC Enforcement Actions
• Most FTC privacy enforcement actions result from security breaches:
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ’s Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
• Enforcement trends
Emerging State Law Issues
• Social Security Numbers
  • A number of states regulate the private sector
  • Many others are considering similar legislation
• Child Protection Registry Laws
  • Michigan and Utah currently regulate
  • Other states pending
  • Senders are prohibited from sending adult messages to “contact points” listed on state registries
  • FTC’s view
• Employee Email Monitoring
  • Delaware and Connecticut have employee monitoring laws in place
Emerging State Law Issues (cont’d.)
• Website Privacy Notices
  • California, Nebraska and Pennsylvania
• Radio Frequency Identification (RFID)
  • At least 13 states are considering privacy legislation regulating the use of RFID
• Anti-Spyware
  • 12 states currently have anti-spyware laws
  • At least 17 other states are considering anti-spyware legislation
The EU Directive
• Enacted in 1995; each EU member state implements it through its own national data protection law, and the Directive sets the floor
• Requires entities to notify authorities or register before processing personal data
• Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
• The U.S. is not “adequate”
• Data transfer is permitted:
  • To “adequate” countries (e.g., Switzerland, Canada)
  • Within the safe harbor framework (from the EU to the U.S. only)
  • Where a contract ensures adequate protection
  • With the “unambiguous consent” of the data subject
  • Under Binding Corporate Rules (BCRs)
Recent EU Issues
• Whistleblower hotlines
• Data Retention Directive
• PNR (passenger name record) data
• SWIFT issue
• New security breach notification proposals
PIPEDA
• The Personal Information Protection and Electronic Documents Act (fully in force January 1, 2004)
• Establishes rules for the management of personal information by organizations involved in commercial activities
• Applies to the collection, use and disclosure of personal information by organizations during commercial activities
• Personal information is any information about an identifiable individual, whether recorded or not
• Requirements:
  • Identify purposes of data collection
  • Obtain consent and limit use to identified purposes
  • Limit collection to necessary information
  • Limit use, disclosure and retention
  • Individual access
Latin America
• Argentina has an “adequate” comprehensive law, and now an active DPA
• Several nations have draft data protection laws
• Other nations codify privacy in consumer protection laws
• Many Latin American nations implement data protection concepts through habeas data rights
• Habeas data rights are found in many national constitutions
Japan
• Personal Information Protection Act
• Enacted in 2003, fully effective April 1, 2005
• “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
• Applies to each “entity using a personal information database”
• “Third party” does not include data processors but does include affiliates
• Civil and criminal penalties for violations
• Guidelines have been published by various Ministries
APEC
• Created an information privacy framework with 9 privacy principles:
  • Preventing harm
  • Notice
  • Collection limitation
  • Uses of personal information
  • Choice
  • Integrity
  • Security
  • Access and correction
  • Accountability
• Endorsed by 21 member economies in November 2004
• Consistent with OECD Guidelines
New and Expected Global Privacy Regimes
• Russia
  • DP law passed July 2006
  • Bears strong resemblance to EU Directive
• India
  • New data security proposals to amend India’s IT Act of 2000
  • The proposals result from recent breaches and reports of lax security practices
• China
  • Law is currently being drafted
U.S. Enforcement and Litigation
• FTC’s new Division of Privacy and Identity Protection
• The FTC’s enforcement tools are evolving to meet new problems:
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ’s Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
• U.S. privacy litigation trends
Privacy Issues Are Often Unexpected
• Information security breaches pose new and sometimes acute risks:
  • FTC enforcement and litigation
  • Erosion of customer trust
  • Public perception of brand plummets
  • Investor concerns and market reaction
• Whistleblower hotlines
• HP’s pretexting issues
Minimizing the Risk
• Prevention is the primary goal, but proactive planning can minimize impact if a privacy event occurs
• Concern and focus on data privacy and security must come from the top
• Data privacy now often involves the CEO, CFO, CPO, CIO and GC
• Re-evaluate security systems and privacy and security policies on an ongoing basis
• Integrate the concern for information privacy and security as a core value and train often
The Global Perspective
• Information security is the global topic du jour
• Expect new U.S. privacy legislation
• New level of professionalism of EU DPAs
• There is significant activity globally to enact new data protection laws
• There will be a focus on data protection harmonization in coming years
Questions?
Lisa J. Sotto
Partner
Head, Privacy and Information Management Practice
Hunton & Williams LLP
(212) [email protected]