White House Releases Proposed Data Notification Bill

Who Is Covered?

The proposed bill covers all types of business entities, both for-profit and not-for-profit. State and federal governments are not covered.

How Is Data Defined?

The proposed bill has a detailed definition of personal information. The bill defines “sensitive personally identifiable information” as “any information or compilation of information in electronic or digital form that includes:

  • An individual’s first and last name or first initial or last name in combination with any two of the following data elements: home address or phone number; mother’s maiden name; month, day, and year of birth.
  • One’s complete Social Security number, driver’s license number, passport number, alien registration number, or government-issued unique identification number.
  • Biometric data
  • A unique account identifier (i.e. credit card number, financial account number, routing code, electronic identification number, and user name).
  • User name or e-mail address in combination with a password or security question and answer
  • A combination of data elements.”

What Is The Protocol?

Pursuant to the proposed legislation, notification would apply to all business entities “engaged in or affecting interstate commerce, that uses, access, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12 month period…” Notification is required immediately after discovery of the breach; however, an entity can request a thirty-day extension, unless a federal law enforcement agency requests additional time because of an active investigation.

The bill also provides companies with exceptions from compliance. Exceptions include, but are not limited to, matters of national security, information that was encrypted, and security programs that automatically notify the user of fraudulent use of a credit card.

The other exemption is the risk assessment exception. The risk assessment exception applies when an entity conducts a study of its data security system and shows that the data breach would pose no reasonable risk because of how the information is protected. The risk assessment is evaluated under the data security standards. Failure to comply with these standards would be a violation under the unfair or deceptive trade standard. The risk assessment exception must be in writing, and documentation of the assessment must be produced within thirty days after the alleged incident.

If no exception applies, notice must be given to the victims. The notice must include a description of the personal information that was compromised, toll-free numbers the individual may call for further information from the entity, the major credit reporting agencies, and the Federal Trade Commission, and any assistance that may be provided by the state in which the victim lives.

Who Has Jurisdiction?

The Federal Trade Commission has jurisdiction under the proposed legislation. As previously stated, the Federal Trade Commission would use the unfair or deceptive trade standard to enforce any and all violations. 

What Is The Impact To State Notification Laws?

The proposed legislation would supersede all state notification laws as they apply to the entities defined above. However, state attorneys can file a data breach action against these entities only if “the interest of residents of that State has been or is threatened or adversely affected by the engagement of a business entity in a practice that is prohibited under this title or the failure to meet a requirement imposed under this title…” If the state meets this standard, it can impose, among other things, a fine of $1,000 per victim, up to $1,000,000.

Potential Issues

With any new proposed legislation, there are many issues that Congress and the White House would need to work on. 

One of the first issues involves jurisdiction in relation to the other data breach statutes. Currently, there are federal data breach provisions for the medical sector (HIPAA and HITECH), the financial sector (GLBA), and the education sector (FERPA). Although entities covered under HITECH are exempted, there are no exemptions for the other aforementioned legislation. Any federal data breach legislation needs to either exempt the aforementioned legislation or incorporate it into the new legislation. Failure to do so would result in confusion, such as double jeopardy if two federal agencies were prosecuting the same entity under different federal legislation covering data breaches.

Congress also needs to clarify the state’s role under this section. The question of double jeopardy would also apply here if a state files suit after the Federal Trade Commission issued its administrative decision. 

We can expect more data breaches in 2015 like those that affected Target, Sony, and even our own government. The pressure for a federal data breach law will mount with each breach. However, Congress and the White House would need to work together to develop data breach legislation that is clear, concise, and complements the other federal data breach provisions.

We will keep you updated regarding the progress of this legislation. Please do not hesitate to contact us to discuss ways that we can help your company become data privacy compliant before any federal data breach law is passed.

Privacy, Data Protection & Security

With increased media and government scrutiny of data privacy matters, customers are demanding more from businesses and the government. Customers expect that the information they give you is safe from unauthorized use by your employees or outsiders. Indeed, government regulators around the world are also starting to encourage, and in some cases require, companies to protect their citizens’ privacy. Market forces and government regulations are forcing many corporations to apply protection standards. For many companies and organizations – small and large – the question is how?

PobleteTamargo attorneys, working alongside data privacy technology experts at ProPrivatus as well as senior public policy advisors, can assist you in this fast-changing data privacy arena. We will help you assess vulnerabilities in the management of your customers’ confidential information. Our legal team and Certified Information Privacy Professionals (CIPP) will help your organization create custom strategies to better ensure data privacy.

Using privacy principles that have been in use for almost twenty years, we offer the following services:

  • Privacy gap and risk analysis
  • Reviewing and developing your business strategic privacy plan
  • Designing privacy policies and procedures consistent with U.S. and international laws and regulations
  • Legal representation before state and federal agencies
  • Data breach management
  • Data privacy advice and training

Additional Reading

  • Gramm-Leach-Bliley Act of 1999 (GLB)
  • Fair Credit Reporting Act of 1970 (FCRA)
  • Fair and Accurate Credit Transactions Act of 2003 (FACTA)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  • Telecommunications Act
  • Communications Decency Act
  • Electronic Communications Privacy Act of 1986 (ECPA)
  • Computer Fraud and Abuse Act of 1986 (CFAA)
  • Foreign Intelligence Surveillance Act of 1978 (FISA)
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
  • Communications Assistance for Law Enforcement Act of 1994 (CALEA)
  • Right to Financial Privacy Act of 1978 (RFPA)
  • National Security Letters (NSLs)

Data Privacy: How Proactive Are You?

The FTC is one of the federal agencies that currently has administrative jurisdiction over whether or not corporations have adequately protected consumers’ data privacy. This study provides you with a general idea of what reasonable care looks like. Reasonable care can be summed up in one word: proactive. How proactive is your company in protecting data? For data privacy, being proactive is not a one-time event.

Being proactive requires you not only to assess, devise, and implement a data privacy plan, but also to assess whether or not your data privacy policy remains sufficient in the changing world of technology. Being proactive also includes training and educating your staff in the data privacy protocols and in any necessary changes to those protocols.

Failing to be proactive may cost your company not only fines at the administrative level but also its reputation in the marketplace.

Although FIPA does not define reasonable measures, looking at what the FTC requires through its enforcement actions does give us an idea of what reasonable measures look like. And while there is no cookie-cutter approach – every business is different, even within the same field – you can begin to consider what may or may not work for you by reviewing these recent enforcement actions.

Working in conjunction with data privacy professionals at ProPrivatus, your data privacy and legal compliance team offers the following services:

  1. Privacy gap and risk analysis
  2. A privacy strategic and business plan
  3. Privacy advice and training
  4. Designing privacy policies and procedures
  5. Breach management

Learning from the Target Data Breach

Unfortunately, the hacks, coupled with Target’s failure to follow through on its own data security system, were not acted on until the Department of Justice notified Target of the breach. The technology revolution has changed the world, and it has changed retail as we know it. Information formerly stored in secure warehouses is now somewhere in the ether, forcing small and large businesses to begin to think about how to protect their information, and ultimately their reputations, from hackers.

In short, good privacy is good business. Good privacy practices are a key part of corporate governance and accountability. One of today’s key business imperatives is maintaining the privacy of personal information.

As business systems and processes become increasingly complex and sophisticated, organizations are collecting growing amounts of personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, and the public in general.

Organizations are trying to strike the right balance in the proper collection and use of their customers’ personal information. Governments are trying to protect the public interest and, at the same time, manage the cache of personal information they gather from citizens.

Consumers are very concerned about their personal information, and many believe they have lost control of it. Furthermore, the public has a significant concern about identity theft and inappropriate access to personal information, especially financial and medical records, and information about children.

Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization’s failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue.

Compliance and Economic Sanctions in the Virtual Arena, Workable and Never Ending

A U.S.-based Massive Open Online Courses (MOOC) educational services provider, Coursera, recently felt the pinch of sanctions regulations. In an unusually public way, as far as cases such as these go, Coursera cut Cuba, Iran, and Sudan out of its service area. You can read the press statement here.

The United States maintains country-based sanctions programs (affecting just a handful of countries) and, for lack of a better term, list-based sanctions programs (one of the more challenging aspects of compliance in the virtual world). In addition to economic sanctions, certain technologies and services are subject to export controls.

According to Coursera (emphasis added is my own):

interpretation of export control regulations as they relate to MOOCs has been unclear and Coursera has been operating under the interpretation that MOOCs would not be restricted. We recently received information that has led to the understanding that the services offered on Coursera are not in compliance with the law as it stands. Accordingly we have instituted a restriction in compliance with the current export controls to ensure that our business remains in good standing with the law.

For companies doing business on the Internet, the law will always be unclear. Caution is always a good idea, especially when you’re dealing with high-risk country-based sanctions areas. For the list-based sanctions, for example Treasury’s SDN list that includes names and entities that are blocked from the U.S. financial system for a whole variety of policy reasons, the compliance challenge is more daunting.

Many clients become very frustrated with these laws. I’ve counseled many, and the decision should be clear cut. When all the legal analysis is said and done, the key question for doing business in high-risk countries boils down to this: Is the legal risk worth the cost of doing business in a sanctioned country or area of concern?

It is not, and never will be, easy to comply with these rules and regulations. You need to take a close look at the line of business you’re in, the product or service you’re selling, and the screening options you have in place to ensure compliance.

The bad guys are clever. Masking an IP address is easy to do. Users also lie and use aliases. Certain countries use the Internet to control the flow of information to their people, or deny usage outright. And much more. As a result, some companies make a business and policy decision to simply stay away from certain places.

The United States, through its elected officials in Congress as well as the White House, has made policy decisions through the years that result in these laws. Human rights violators, drug smugglers, terrorists, money launderers, state sponsors of terrorism, and labor and sex traffickers are the targets of these sanctions. The export control aspect of this issue aims to keep dual-use and military technology and services away from these bad actors.

Coursera is doing the responsible thing, muddling its way through it. While I do not have full information, they should have thought of this before making their services available in sanctioned countries. And, even if they did, these programs evolve with technological and legal developments. Yes, compliance never ends.

In all likelihood, because Coursera is in the education and information arena, it may be able to custom design certain offerings for areas of concern. If the critics have an issue with Coursera’s approach, and a few do, they should take it up with the U.S. Congress and the Obama Administration.