© 2013 Armstrong Teasdale LLP
Privacy
Dan Nelson, CIPP/US
May 23, 2013
What is Privacy Law
 Multiple concepts
• What can you collect
• What can you do with the information
• What are your data security obligations
What law are we talking about?
 Big problem: Data does not respect borders
 Key distinctions between United States and many foreign
countries
United States
•No comprehensive “law”
•Patchwork of sector-specific (e.g. HIPAA)
and jurisdiction-specific regulations
•Overall: less privacy protection
Europe
•Comprehensive data protection scheme
•Strict privacy protection
•“Privacy as a human right”
Rest of the World: Tends towards European Data Privacy model
Takeaways
 Key data definitions
 Key data practices
 Overview of some of the data laws most likely to touch your
business
Key data definitions
 "Data Controller"
• Entity for whose benefit data is collected/processed
• While the express term comes from EU law, the concept is
mirrored in several US laws
 "Data Processor"
• Entity that collects, stores, or handles data on behalf of a
Data Controller
 Data Subject
• Person whose data is being collected/stored/used
Key data definitions
 Personally identifiable information (PII)
• Definition is context-sensitive
− Often depends on
• Context in which data collected
• Promises made to Data Subject
• PII can be simultaneously public and private
• Just because PII can be located publicly does not mean that it
is not protected in other contexts
 PHI
• Protected Health Information
− Type of PII
• In the US, specifically protected by federal HIPAA and by stricter state
health-privacy laws modeled on it (e.g. Texas)
Key data definitions
 Opt In/Opt Out
• Opt IN:
− Affirmative action by Data Subject to agree
• e.g. "Check this box if you agree that we can share your data,"
"initial here if you agree to our collection of data"
• In many parts of the world, including the EU, Opt IN is the default
standard
• Even in the US, provides a greater level of protection: indicates Data
Subject's affirmative consent
• Opt OUT:
− General US default standard
• But, seeing indications that this is changing
− E.g. "Uncheck this box if you do not want us to collect your data,"
"Check this box if you do NOT want your data shared"
Key data practices
 Numerous US and Foreign Regulatory and Oversight Groups
have promulgated very similar guidelines
 Often variations of 9 or 10 of the same key concepts
 A quick overview:
• Notice: Individuals should be told what is being collected, how it is
being collected, and how it is being used
• Choice: Individuals should be given meaningful options on collection
and use of PII
• Access: Individuals should be able to find out what PII is being
collected and retained, and have a right to correct or complete the
information
• Security & Integrity: Data is from reputable source, is not stale, and
is appropriately secured
Many “Privacy” Laws
ECPA, TCPA, COPPA, CalOPPA, FCRA, GLBA, FACT Act, SCA, TSR, FERPA,
Song-Beverly, HIPAA, FTC Act, DPPA, EPPA, Do Not Call (DNC), CAN-SPAM,
Patriot Act, Breach Notification Laws, JFPA, CALEA, Federal Privacy Act,
Mass. Data Security Law, EU-US Safe Harbor, VPPA
Some Key US data protection laws
 Federal Trade Commission Act
 California Online Privacy Protection Act (“CalOPPA”)
 Fair Credit Reporting Act (“FCRA”)
 Children’s Online Privacy Protection Act (“COPPA”)
 Health Insurance Portability and Accountability Act
(“HIPAA”)
 Telephone Consumer Protection Act (“TCPA”)
 Breach Notification Laws
 Massachusetts Data Security Law
FTC Act
 Prohibits both "Deceptive" and "Unfair" Trade practices
• "Deceptive Practices": Common scenario
− Failure to comply with own Privacy Policy
• Sample Complaint
• "Unfair Trade Practice"
− No policy, plus
− Substantial harm to consumer
− Increasingly rare to see "No Policy," which heightens the
enforcement risk for any company that still lacks one
− See also California’s Online Privacy Protection Act, which
requires a posted privacy policy
Recent Enforcement Actions
 Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal information
securely and in accordance with its Privacy Policy and Terms
of Service
• After unencrypted data contained on storage media and a
laptop were stolen from a Cbr employee’s car, the FTC
charged Cbr with deceptive trade practices because Cbr
failed to provide the promised security. In particular, the
FTC focused on Cbr’s failure to employ secure data transport
practices, failure to encrypt data, and retention of data for
which Cbr no longer had a business need
Recent Enforcement Actions (continued)
 Epic Marketplace, Inc.
• Epic employed “history sniffing technology” which allowed
site operators to “sniff” a browser to determine past website
visits
• But, Epic told consumers that it only collected information
about consumer visits to sites within its advertising network
• The FTC charged Epic with deceptive trade practices
FTC Act
 I should be thinking about the FTC Act when:
• I collect, store or process PII.
 Big Picture:
• Non-compliance with a privacy policy will be treated as a
deceptive trade practice
• Not having a privacy policy, where consumers suffer substantial
harm, may be deemed an unfair trade practice.
 Keys to avoiding trouble:
• Have a meaningful privacy policy that reflects actual
company practices.
• Emphasize, Audit and Train on your policy.
California Online Privacy Protection Act
 Applies to website/online service/mobile app providers who
collect California residents’ PII
 Requires conspicuous privacy policy
 Policy must, at a minimum:
• Tell the data subject the categories of PII being collected
• Describe any available means by which the data subject can
review or request changes to retained PII
• Identify the means by which policy changes will be made
known to users
• Specify an effective date
California v. Delta Air Lines, Inc.
 Filed 12/06/12
 Complaint alleges that Delta violated California’s Online Privacy Protection
Act (“CalOPPA”) and California’s Unfair Competition Law:
 The “Fly Delta” mobile app collected users’ PII, including name, contact
information, passport information, photographs and geo-location data.
 Delta did not conspicuously post a privacy policy, thus depriving users of:
• Knowledge of what PII Delta collected
• What Delta did with the PII
• To whom Delta may have disclosed or sold the PII
 While Delta’s website does contain a posted privacy policy, that policy did not
mention the Fly Delta app, and the Fly Delta app did not point users to this
privacy policy. Moreover, the app collected certain types of PII that the
website did not.
California Online Privacy Protection Act
 I should be thinking about CalOPPA when:
• I operate a website/online service/application that collects
or stores consumers’ PII.
 Big Picture:
• Must have a privacy policy
 Keys to avoiding trouble:
• Post a meaningful privacy policy that reflects the
organization’s actual practices
FCRA
 Summary: Regulates the use of “Consumer Reports.”
 Many people think the law regulates “Credit Reporting Agencies.”
This is true, but is a misunderstanding of the FCRA’s actual scope.
 Better to think of the FCRA as regulating the use of a type of
information (“Consumer Reports”) than as regulating certain
entities.
• “Consumer Reports,” defined as information pertaining to:
− Credit (including credit worthiness or history)
− Character
− General reputation
− Personal characteristics
− Mode of living
 The FCRA Regulates both data providers and data users.
 Includes data provided by Consumer Reporting Agencies
(“CRA’s”) and others, including non-CRA third parties and
affiliates of the data user.
FCRA
 From the data user’s perspective:
• Must have a “permissible” purpose for obtaining the data;
− Statute defines permissible purposes.
• Often must provide certification of permissible purpose to
the data provider;
• Generally, must notify data subject if the data is a factor in
an adverse action against the data subject (e.g. denial of
credit, denial of employment).
• Additional rules apply in a variety of scenarios, including:
− Use in hiring
− Employee investigations
− “Investigative Consumer Reports”
FCRA
 I should be thinking about the FCRA when:
• I obtain consumer data from any third party, or even from
the consumer if the data will be used for a business purpose.
 Big Picture:
• FCRA primarily regulates the information, not just specific
providers
• Must have a permissible purpose to obtain
 Keys to avoiding trouble:
• Recognize the Act’s potentially broad reach
• Think through the Act’s requirements: (a) permissible
purpose; (b) consumer notification
• Additional special requirements
COPPA
 Act’s primary focus is to safeguard the PII of children.
• PII includes a large array of information
− The obvious: name, address, etc.
− But also:
• Geolocation data
• Photos and Videos
• Computerized Persistent Identifiers
 If you operate a website, online service, or mobile app
directed towards kids, you must pay attention to COPPA.
COPPA
 The problem: the FTC has stated that the operator’s intent is
not determinative of whether a site, service or app is
primarily or secondarily directed to kids. The amended rule
defines the scope as sites “directed to children.”
• Problematic, in that the new definition looks not to the operator’s
intent but to a “totality of the circumstances” test: the FTC
intends to look at the “attributes, look and feel” of a site.
COPPA may apply even if children are deemed to be a
secondary audience.
 Moreover, if you have actual knowledge that you are
gathering kids’ PII, you must comply with COPPA
COPPA
 COPPA is a minefield of stringent rules, including specific
rules on methods of parental notification and obtaining
parental opt-in consent.
• If you didn’t know COPPA applied to your site/service/app,
the chances of accidental compliance are virtually zero.
 The FTC takes COPPA violations very seriously. A COPPA
violation may be your surest ticket to an FTC enforcement
action.
COPPA Enforcement
 U.S. v. Path, Inc.: filed 1/31/13
• Path: social networking service operating through an iOS app
• App collected and stored information from the user’s mobile address book,
even if the user did not elect this option
• FTC alleged the practice was a deceptive trade practice because the
collection violated Path’s published privacy policy
• FTC also alleged violations of the Children’s Online Privacy
Protection Act because, among other things, the app allowed for the
knowing collection of personal data of children under age 13, and
allowed children to post text, photos, and the child’s precise location
• Settlement with the FTC that included an $800,000 payment, as well as
audited monitoring for the next 20 years
COPPA
 I should be thinking about COPPA when:
• I operate a website/service/mobile app that would be
attractive to kids.
 Big Picture:
• FTC’s “Look and Feel” test creates uncertainty
• High-value target for FTC enforcement combined with very
low probability of accidental compliance
 Keys to avoiding trouble:
• Take a hard look at your website/service/mobile app
offerings
• Don’t ignore evidence that you are acquiring kids’ data
HIPAA
 Provides broad protection for Protected Health Information
(“PHI”).
 Applies to “Covered Entities”:
• Health Care Providers
• Health Plans
• Health Care Clearinghouses
 But, recent HIPAA amendments (the January 2013 HIPAA Omnibus Rule) have
extended direct compliance obligations to “Business Associates,” including
subcontractors (at all levels) of Business Associates.
• If your business is a downstream data processor for PHI
originating with a Covered Entity, then you likely have HIPAA
Compliance obligations.
HIPAA Developments
 Texas HIPAA Law:
• Stricter provisions than Federal HIPAA law
• Broadly covers virtually anyone who receives or stores
Protected Health Information of Texas residents (“Covered
Entities”)
• Covered Entities subject to numerous requirements,
including:
− Specific employee training
− Substantial restrictions on “disclosure” (broadly defined)
• Many commentators believe that other states will follow
HIPAA
 I should be thinking about HIPAA when:
• My business performs some process with respect to PHI
 Big Picture:
• Stringent Data Privacy and Data Security Rules
 Keys to avoiding trouble:
• Recognize the Act’s extended reach
TCPA
 The Telephone Consumer Protection Act
 Regulates a variety of practices regarding unsolicited faxes,
text messaging and phone calls to consumers
 In addition to regulating Telemarketing calls, also regulates
certain contacts with existing customers (debt collection
calls, for example) if the caller is utilizing common
automated calling equipment to call a cell phone number.
 Common Litigation Scenario: Third-party telemarketer or
debt collector repeatedly calls wrong cell number. Class
action ensues.
 May 14, 2013: FCC holds that Seller can be held vicariously
liable for certain TCPA violations by third-party callers.
TCPA
 I should be thinking about the TCPA when:
• My business, or a third-party contractor, is calling or texting
potential consumers or existing customers.
 Big Picture:
• Compliance with Do Not Call requirements
• Effective programs to scrub wrong numbers and misdials
 Keys to avoiding trouble:
• Due Diligence with respect to third-party calling services
Breach notification laws
 State law(s) generally apply
 Must identify the state of residence of those affected by the Data
Breach
 Missouri: Fairly typical notification statute
Breach notification laws
 Has a breach occurred?
• Yes, if unauthorized access and acquisition of “Personal
Information” (“PI”)
• PI generally includes Name, plus:
− Social Security Number or other Gov’t Identification number
− Account Number, together with any necessary access
code/credential
− Medical/Health insurance information
• But, if this information is encrypted, de-identified or
otherwise rendered unusable, then it is not “PI” for purposes of the
breach statutes
− Extra caution is warranted in ensuring that this exception
applies: the safe harbor is generally lost if the encryption key or
credential was acquired along with the data, and statutes generally
define “encrypted” to mean unreadable without a confidential key,
not merely encoded or obfuscated.
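The two questions on this slide (does the acquired data meet the “PI” definition, and does the encryption exception still hold) are the first things an incident responder has to answer for each affected individual, together with the state of residence from the previous slide. The following Python helper is an added example, not part of the original presentation or of any statute: it encodes only the generic definition the slide gives, treats encrypted fields as unusable unless the key was also taken, and buckets the remaining individuals by state so that each state’s statute can be pulled. The field names, the record layout, the `key_compromised` flag and the sample records are all assumptions made for illustration; real state definitions differ, so the output is a worklist for counsel, not a legal determination.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Data elements that, combined with a name, satisfy the generic "Personal
# Information" test summarised on the slide.  Field names are assumptions
# chosen for this example, not statutory terms.
GOV_ID = {"ssn", "drivers_license", "passport_number"}
FINANCIAL = {"account_number", "card_number"}
FINANCIAL_CREDENTIAL = {"access_code", "password", "pin", "security_code"}
MEDICAL = {"medical_info", "health_insurance_id"}


@dataclass
class ExposedRecord:
    """One individual's data as actually acquired by the intruder."""
    state: str                    # data subject's state of residence (US postal code)
    elements: set[str]            # field names the intruder acquired
    encrypted: set[str] = field(default_factory=set)  # of those, which were encrypted
    key_compromised: bool = False  # was the decryption key/credential also taken?


def usable_elements(rec: ExposedRecord) -> set[str]:
    """Elements the intruder can actually read.

    Encrypted fields drop out of the analysis only while the safe harbor
    holds; if the key went with the data, every field counts as plaintext.
    """
    if rec.key_compromised:
        return set(rec.elements)
    return set(rec.elements) - rec.encrypted


def is_personal_information(rec: ExposedRecord) -> bool:
    """Apply the slide's test: name plus (gov't ID | account + credential | medical)."""
    readable = usable_elements(rec)
    if "name" not in readable:
        return False
    if readable & GOV_ID:
        return True
    if readable & FINANCIAL and readable & FINANCIAL_CREDENTIAL:
        return True
    return bool(readable & MEDICAL)


def triage(records: list[ExposedRecord]) -> Counter[str]:
    """Count individuals whose readable data meets the PI test, per state.

    Each state in the result is a separate statute to review for notice
    content, timing and any attorney-general reporting duty.
    """
    return Counter(r.state for r in records if is_personal_information(r))


# Constructed sample records for the example; not real breach data.
SAMPLE_RECORDS = [
    ExposedRecord("MO", {"name", "ssn"}),                                   # plaintext SSN -> PI
    ExposedRecord("MO", {"name", "ssn"}, encrypted={"ssn"}),                # safe harbor holds
    ExposedRecord("MA", {"name", "ssn"}, encrypted={"ssn"}, key_compromised=True),  # harbor lost
    ExposedRecord("MA", {"name", "account_number"}),                        # no credential -> not PI
    ExposedRecord("TX", {"name", "account_number", "pin"}),                 # account + PIN -> PI
    ExposedRecord("TX", {"name", "email"}),                                 # outside this definition
    ExposedRecord("CA", {"name", "health_insurance_id"}),                   # medical -> PI
]

if __name__ == "__main__":
    for state, n in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{state}: {n} individual(s) require statute review")
```

Running the script lists one notifiable individual each in MO, MA, TX and CA from the seven sample records; the second Missouri record falls out because its SSN was encrypted and the key was not taken, while the first Massachusetts record stays in because the key was compromised. In a real incident the `elements` and `encrypted` sets should come from the forensic inventory of what was actually accessed, not from the schema of the affected system.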
Breach Notification Laws
 Notice in accordance with the Statute
• Generally requires brief description of incident,
identification of types of data at issue, and various
advisories/warnings regarding data theft prevention
• Many states have different or additional notice content
requirements, e.g. must include the State Attorney General’s
contact information.
 Little uniformity in Notice timing requirements
• Missouri: “without unreasonable delay”
• Trend is to enact specific time frames for notice
• Most states have exception for notification delay “at law
enforcement’s request”
Breach Notification Rules
 Many states have slightly different requirements:
• Must send breach notification to Attorney General before
sending to data subject
• Must include Attorney General’s contact information
• Specific timing requirements
• Specific text required in notice
Data Breach Notification
 I should be thinking about breach notification laws when:
• A possible security breach or PII disclosure may have
occurred
 Big Picture:
• Different notification schemes by state
• Timelines are increasingly strict
 Keys to avoiding trouble:
• Early recognition of the potential problem and early review
of applicable statute(s)
Massachusetts Data Security Laws
 Massachusetts: Standards for the Protection of Personal
Information, 201 CMR 17.00
• Applies to all entities that collect Massachusetts residents’
PII
• In addition to breach notification duties, requires a
comprehensive information security program, including
administrative, technical and physical safeguards
Massachusetts Data Security Laws (continued)
 “Comprehensive” program includes
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring such
providers, by contract, to maintain appropriate security
measures)
• Encryption of data that will “travel across public networks”
or that will be “transmitted wirelessly,” and of personal
information stored on laptops and other portable devices
Tyler v. Michaels Stores, Inc. (2013): the Massachusetts Supreme Judicial Court
holds that, under the state’s credit-card statute, “personal identification
information” includes a cardholder’s zip code
Massachusetts Data Security Law
 I should be thinking about the law when:
• I am collecting third-party data
 Big Picture:
• In addition to breach notification provisions:
− Program to identify risks, train employees, and protect data
security
 Keys to avoiding trouble:
• Being proactive
Thank You
Questions?
Contact
Dan Nelson, CIPP/US, Partner
314.552.6650 dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson

Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 

How to Protect Your Personally Identifiable Information

© 2013 Armstrong Teasdale LLP
Privacy
Dan Nelson, CIPP/US
May 23, 2013

What is Privacy Law
 Multiple concepts
• What can you collect
• What can you do with the information
• What are your data security obligations

What law are we talking about?
 Big problem: Data does not respect borders
 Key distinctions between United States and many foreign countries
United States
• No comprehensive “law”
• Patchwork of sector-specific (e.g. HIPAA) and jurisdiction-specific regulations
• Overall: less privacy protection
Europe
• Comprehensive data protection scheme
• Strict privacy protection
• “Privacy as a human right”
Rest of the World: Tends towards European Data Privacy model

Takeaways
 Key data definitions
 Key data practices
 Overview of some of the data laws most likely to touch your business

Key data definitions
 "Data Controller"
• Entity for whose benefit data is collected/processed
• While the express term comes from EU law, the concept is mirrored in several US laws
 "Data Processor"
• Entity that collects, stores, or handles data on behalf of a Data Controller
 Data Subject
• Person whose data is being collected/stored/used

Key data definitions
 Personally identifiable information (PII)
• Definition is context-sensitive
− Often depends on
• Context in which data collected
• Promises made to Data Subject
• PII can be simultaneously public and private
• Just because PII can be located publicly does not mean that it is not protected in other contexts
 PHI
• Personal Health Information
− Type of PII
• In the US, specifically protected by both Federal and State HIPAA laws

Key data definitions
 Opt In/Opt Out
• Opt IN:
− Affirmative action by Data Subject to agree
• e.g. "Check this box if you agree that we can share your data," "initial here if you agree to our collection of data"
• In many parts of the world, including EU, Opt IN is the default standard
• Even in the US, provides a greater level of protection: indicates Data Subject's affirmative consent
• Opt OUT:
− General US default standard
• But, seeing indications that this is changing
− E.g. "Uncheck this box if we can't collect your data," "Check this box if you do NOT want your data shared"

Key data practices
 Numerous US and Foreign Regulatory and Oversight Groups have promulgated very similar guidelines
 Often variations of 9 or 10 of the same key concepts
 A quick overview:
• Notice: Individuals should be told what is being collected, how it is being collected, and how it is being used
• Choice: Individuals should be given meaningful options on collection and use of PII
• Access: Individuals should be able to find out what PII is being collected and retained, and have a right to correct or complete the information
• Security & Integrity: Data is from reputable source, is not stale, and is appropriately secured

Many “Privacy” Laws
ECPA, TCPA, COPPA, CalOPPA, FCRA, GLBA, FACT, SCA, TSR, FERPA, Song Beverly, HIPAA, FTC Act, DRPA, EPPA, DNC, CAN-SPAM, Patriot Act, Breach Notification Laws, JFPA, CALEA, Federal Privacy Act, Mass. Data Security Law, EU-US Safe Harbor, VPA

Some Key US data protection laws
 Federal Trade Commission Act
 California Online Privacy Protection Act (“CalOPPA”)
 Fair Credit Reporting Act (“FCRA”)
 Children’s Online Privacy Protection Act (“COPPA”)
 Health Insurance Portability and Accountability Act (“HIPAA”)
 Telephone Consumer Protection Act (“TCPA”)
 Breach Notification Laws
 Massachusetts Data Security Law

FTC Act
 Prohibits both "Deceptive" and "Unfair" Trade practices
• "Deceptive Practices": Common scenario
− Failure to comply with own Privacy Policy
• Sample Complaint
• "Unfair Trade Practice"
− No policy, plus
− Substantial harm to consumer
− Increasingly rare to see "No Policy," which heightens enforcement risk
− See also California’s Online Privacy Protection Act, which requires a posted privacy policy

Recent Enforcement Actions
 Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to provide the promised security. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need

Recent Enforcement Actions (continued)
 Epic Marketplace, Inc.
• Epic employed “history sniffing technology” which allowed site operators to “sniff” a browser to determine past website visits
• But, Epic told consumers that it only collected information about consumer visits to sites within its advertising network
• The FTC charged Epic with deceptive trade practices

FTC Act
 I should be thinking about the FTC Act when:
• I collect, store or process PII.
 Big Picture:
• Non-compliance with a privacy policy will be treated as a deceptive trade practice
• Not having a privacy policy will be deemed an unfair trade practice.
 Keys to avoiding trouble:
• Have a meaningful privacy policy that reflects actual company practices.
• Emphasize, Audit and Train on your policy.

California Online Privacy Protection Act
 Applies to website/online service/mobile app providers who collect California residents’ PII
 Requires conspicuous privacy policy
 Policy must, at a minimum:
• Tell data subject categories of PII being collected
• Describe any available means by which data subject can review or request changes to retained PII
• Identify means by which policy changes will be made known to users
• Specify an effective date

California v. Delta Air Lines, Inc.
 Filed 12/06/12
 Complaint alleges that Delta violated California’s Online Privacy Protection Act (“CalOPPA”) and California’s Unfair Competition Law:
 The “Fly Delta” mobile app collected users’ PII, including name, contact information, passport information, photographs and geo-location data.
 Delta did not conspicuously post a privacy policy, thus depriving users of:
• Knowledge of what PII Delta collected
• What Delta did with the PII
• To whom Delta may have disclosed or sold the PII
 While Delta’s website does contain a posted privacy policy, that policy did not mention the Fly Delta app, and the Fly Delta app did not point users to this privacy policy. Moreover, the app collected certain types of PII that the website did not.

California Online Privacy Protection Act
 I should be thinking about CalOPPA when:
• I operate a website/online service/application that collects or stores consumers’ PII.
 Big Picture:
• Must have a privacy policy
 Keys to avoiding trouble:
• Post a meaningful privacy policy that reflects the organization’s actual practices

FCRA
 Summary: Regulates the use of “Consumer Reports.”
 Many people think the law regulates “Credit Reporting Agencies.” This is true, but is a misunderstanding of the FCRA’s actual scope.
 Better to think of the FCRA as regulating the use of a type of information (“Consumer Reports”) than as regulating certain entities.
• “Consumer Reports,” defined as information pertaining to:
− Credit (including credit worthiness or history)
− Character
− General reputation
− Personal characteristics
− Mode of living

FCRA
 “Consumer Reports,” defined as information pertaining to:
• Credit (including credit worthiness or history)
• Character
• General reputation
• Personal characteristics
• Mode of living
 The FCRA regulates both data providers and data users.
 Includes data provided by Consumer Reporting Agencies (“CRAs”) and others, including non-CRA third parties and affiliates of the data user.

FCRA
 From the data user’s perspective:
• Must have a “permissible” purpose for obtaining the data;
− Statute defines permissible purposes.
• Often must provide certification of permissible purpose to the data provider;
• Generally, must notify data subject if the data is a factor in an adverse action against the data subject (e.g. denial of credit, denial of employment).
• Additional rules apply in a variety of scenarios, including:
− Use in hiring
− Employee investigations
− “Investigative Consumer Reports”

FCRA
 I should be thinking about the FCRA when:
• I obtain consumer data from any third party, or even from the consumer if the data will be used for a business purpose.
 Big Picture:
• FCRA primarily regulates the information, not just specific providers
• Must have a permissible purpose to obtain
 Keys to avoiding trouble:
• Recognize the Act’s potentially broad reach
• Think through the Act’s requirements: (a) permissible purpose; (b) consumer notification
• Additional special requirements

COPPA
 Act’s primary focus is to safeguard the PII of children.
• PII includes a large array of information
− The obvious: name, address, etc.
− But also:
• Geolocation data
• Photos and Videos
• Computerized Persistent Identifiers
 If you operate a website, online service, or mobile app directed towards kids, you must pay attention to COPPA.

COPPA
 The problem: The FTC has stated that the operator’s intent is not determinative of whether a site, service or app is primarily or secondarily directed to kids.
 Modified scope definition: sites “directed to children”
• Problematic, in that the new definition looks not to operator’s intent, but to a “totality of the circumstances” test. The FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience.
 Moreover, if you have actual knowledge that you are gathering kids’ PII, you must comply with COPPA

COPPA
 COPPA is a minefield of stringent rules, including specific rules on methods of parental notification and obtaining parental opt-in consent.
• If you didn’t know COPPA applied to your site/service/app, the chances of accidental compliance are virtually zero.
 The FTC takes COPPA violations very seriously. A COPPA violation may be your surest ticket to an FTC enforcement action.

COPPA Enforcement
 U.S. v. Path, Inc.: filed 1/31/13
• Path: social networking site operating through an iOS app
• App collected and stored information from user’s mobile address book, even if user did not elect this option
• FTC challenged the practice as a Deceptive Trade Practice because the collection violated Path’s published privacy policy
• FTC also alleged violations of the Children’s Online Privacy Protection Act because, among other things, the App allowed for the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child’s precise location
• Settlement with the FTC that included $800,000 payment, as well as audited monitoring for next 20 years

COPPA
 I should be thinking about COPPA when:
• I operate a website/service/mobile app that would be attractive to kids.
 Big Picture:
• FTC’s “Look and Feel” test creates uncertainty
• High-value target for FTC enforcement combined with very low probability of accidental compliance
 Keys to avoiding trouble:
• Take a hard look at your website/service/mobile app offerings
• Don’t ignore evidence that you are acquiring kids’ data

HIPAA
 Provides broad protection for Protected Health Information (“PHI”).
 Applies to “Covered Entities”:
• Health Care Providers
• Health Plans
• Health Care Clearinghouses
 But, recent HIPAA amendments have expanded compliance to “Business Associates,” including subcontractors (at all levels) of Business Associates.
• If your business is a downstream data processor for PHI originating with a Covered Entity, then you likely have HIPAA Compliance obligations.

HIPAA Developments
 Texas HIPAA Law:
• Stricter provisions than Federal HIPAA law
• Broadly covers virtually anyone who receives or stores Protected Health Information of Texas residents (“Covered Entities”)
• Covered Entities subject to numerous requirements, including:
− Specific employee training
− Substantial restrictions on “disclosure” (broadly defined)
• Many commentators believe that other states will follow

HIPAA
 I should be thinking about HIPAA when:
• My business performs some process with respect to PHI
 Big Picture:
• Stringent Data Privacy and Data Security Rules
 Keys to avoiding trouble:
• Recognize the Act’s extended reach

TCPA
 The Telephone Consumer Protection Act
 Regulates a variety of practices regarding unsolicited faxes, text messaging and phone calls to consumers
 In addition to regulating Telemarketing calls, also regulates certain contacts with existing customers (debt collection calls, for example) if the caller is utilizing common automated calling equipment to call a cell phone number.
 Common Litigation Scenario: Third-party telemarketer or debt collector repeatedly calls wrong cell number. Class action ensues.
 May 14, 2013: FCC holds that Seller can be held vicariously liable for certain TCPA violations by third-party callers.

TCPA
 I should be thinking about the TCPA when:
• My business, or a third-party contractor, is calling or texting potential consumers or existing customers.
 Big Picture:
• Compliance with Do Not Call requirements
• Effective programs to scrub wrong numbers and misdials
 Keys to avoiding trouble:
• Due Diligence with respect to third-party calling services

Breach notification laws
 State law(s) generally apply
 Must identify state of residence of those affected by Data Breach
 Missouri: Fairly typical notification statute

Breach notification laws
 Has a breach occurred?
• Yes, if unauthorized access and acquisition of “Personal Information” (“PI”)
• PI generally includes Name, plus:
− Social Security Number or other Gov’t Identification number
− Account Number, together with any necessary access code/credential
− Medical/Health insurance information
• But, if this information is encrypted, de-identified or otherwise rendered unusable, then not “PI” for purposes of breach statutes
− Extra caution is warranted in ensuring that this exception applies.

Breach Notification Laws
 Notice in accordance with the Statute
• Generally requires brief description of incident, identification of types of data at issue, and various advisories/warnings regarding data theft prevention
• Many states have unique or additional notice content requirements, e.g. must include State Attorney General’s contact information.
 Little uniformity in Notice timing requirements
• Missouri: “without unreasonable delay”
• Trend is to enact specific time frames for notice
• Most states have exception for notification delay “at law enforcement’s request”

Breach Notification Rules
 Many states have slightly different requirements:
• Must send breach notification to Attorney General before sending to data subject
• Must include Attorney General’s contact information
• Specific timing requirements
• Specific text required in notice

Data Breach Notification
 I should be thinking about Data Breach Notification when:
• A possible security breach or PII disclosure has potentially occurred
 Big Picture:
• Different notification schemes by state
• Timelines are increasingly strict
 Keys to avoiding trouble:
• Early recognition of the potential problem and early review of applicable statute(s)

Massachusetts Data Security Laws
 Massachusetts: Standards for the Protection of Personal Information, 201 CMR 17.00
• Applies to all entities that collect Massachusetts residents’ PII
• In addition to breach notification duties, requires a comprehensive information security program, including administrative, technical and physical safeguards

Massachusetts Data Security Laws (continued)
 “Comprehensive” program includes
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
• Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”
 Tyler v. Michaels Stores, Inc.: Mass. Supreme Court holds that PII includes credit card consumer zip codes

Massachusetts Data Security Law
 I should be thinking about the law when:
• I am collecting third-party data
 Big Picture:
• In addition to breach notification provisions:
− Program to identify risks, train employees, and protect data security
 Keys to avoiding trouble:
• Being proactive

Thank You
Questions?

Contact
Dan Nelson, CIPP/US, Partner
314.552.6650
dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson