The United States does not currently have a single comprehensive federal law regulating data privacy and cybersecurity matters. Instead, there is a patchwork of laws which at times overlap, and in other cases may even contradict one another. This patchwork, together with the growth in interstate and international data flow, heightens the risk of privacy violations and can create significant compliance challenges. Failure to meet these challenges can result in government-imposed civil and criminal sanctions (including fines and penalties), private lawsuits and class actions, as well as damage to a company’s reputation and customer trust.
The following is a brief summary of some of the most significant federal legislation impacting data privacy and cybersecurity matters.
Federal Trade Commission Act (the “FTC Act”)
The FTC Act is a federal consumer protection law that prohibits unfair or deceptive commercial practices that affect consumer privacy and data security. The Federal Trade Commission (the “FTC”) is vested with broad enforcement authority, and has begun to emerge as the primary federal regulator in protecting consumers in the field of privacy and data security. The FTC brings enforcement actions against companies for:
- Failing to comply with statements in their online posted privacy policies
- Making significant changes to their privacy policies without adequate notice to consumers
- Failing to provide reasonable and appropriate protections for sensitive consumer information they hold
The FTC Act provides civil penalties of up to $40,654 per offense (effective January 24, 2017), criminal penalties of up to ten years’ imprisonment, and can require a company to repay all investigation and prosecution costs attributable to the FTC’s enforcement action.
Health Insurance Portability and Accountability Act (“HIPAA”)
HIPAA governs individually identifiable health information. It applies broadly to healthcare providers, data processors, health plans, and other entities that come into contact with this information. HIPAA requires that covered entities:
- Use, request, and disclose only the minimum amount of protected health information (“PHI”) needed to complete a transaction
- Implement data security procedures, protocols, and policies at administrative, technical, physical, and organizational levels to protect PHI
- Comply with uniform standards for certain electronic transactions
- Notify individuals if there is a security breach of PHI [Note: The FTC has issued a similar breach notification requirement for companies that are not subject to HIPAA, but that develop and distribute software applications that process personal health records]
HIPAA also requires each covered entity to provide notice to individuals of its privacy policies and of individuals’ rights under HIPAA, generally on the first visit for treatment. Covered entities must obtain written consent from an individual before using or disclosing that individual’s PHI to third parties (with specified exceptions, e.g., in connection with medical treatment).
HIPAA authorizes the U.S. Department of Health and Human Services to impose civil penalties of up to $1.5 million, and criminal penalties of up to $250,000 and ten years’ imprisonment.
Gramm-Leach-Bliley Act (“GLBA”)
The GLBA applies to financial institutions, including banks, securities firms, insurance companies, mortgage lenders, and certain other credit counselling services, financial advisors, collection agencies, and retailers that issue their own credit cards. The data regulated by GLBA is non-public personal information that a financial institution collects in connection with consumers or other customers who obtain financial products or services from that institution, particularly data capable of personally identifying a consumer or customer. GLBA regulates the collection, use, and disclosure of such personal information, and requires that customers be notified about the financial institution’s information sharing practices (and be allowed to opt out if they do not want such information shared with certain unaffiliated third parties). Financial institutions are also required to implement a written information security program to protect non-public personal information from unauthorized disclosure. The Office of the Comptroller of the Currency and the Federal Reserve Board have issued guidance requiring financial institutions to notify their regulator, and in some cases affected customers, when there has been unauthorized access to sensitive customer information. Penalties for violation of GLBA vary depending on the authorizing statute of the agency that brings the enforcement action.
Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”)
The Dodd-Frank Act granted the Consumer Financial Protection Bureau (the “CFPB”) rulemaking and enforcement authority under GLBA. The CFPB has interpreted this authority to authorize it to bring data security enforcement actions against consumer financial service providers.
Children’s Online Privacy Protection Act (“COPPA”)
COPPA applies to commercial websites or online services that are directed at children under age 13, and which collect personal information from children (and have actual knowledge that they are collecting personal information from children). Personal information means individually identifiable information about a child such as:
- A full name
- A home address
- Online contact information
- A telephone number
- A social security number
- Photos or recordings of a child
- Geolocation information
COPPA generally requires prominently displayed links to a privacy notice on the website. Before collecting, using, or disclosing personal information of children there must be a direct notice to the parents containing the same information as in the online privacy notice, and (with limited exceptions) verifiable parental consent must be obtained.
Fair Credit Reporting Act (“FCRA”)
FCRA limits how consumer reports and credit card account numbers can be used and disclosed. FCRA applies to consumer reporting agencies, those who use consumer reports (such as lenders and employers), and those who provide consumer credit information to reporting agencies (e.g., credit card companies).
The Red Flags Rule
The Red Flags Rule, issued by the FTC, requires financial institutions and creditors with covered accounts to develop a written program that identifies and detects the relevant warning signs (or red flags) of identity theft.
CAN-SPAM Act
The CAN-SPAM Act regulates the collection and use of e-mail addresses for commercial purposes.
Telephone Consumer Protection Act (“TCPA”)
The TCPA regulates the collection and use of telephone numbers for commercial purposes.
Electronic Communications Privacy Act (“ECPA”)
The ECPA governs the interception of electronic communications. It applies to anyone who improperly accesses, intercepts, or discloses electronic communications (whether stored or in transit) that affect interstate or foreign commerce.
Computer Fraud and Abuse Act (“CFAA”)
The CFAA governs computer hacking, and makes certain acts regarding the unauthorized access to protected computers a criminal offense.
Communications Act
The Communications Act regulates telecommunications carriers and services, and requires carriers to protect the privacy of customer proprietary network information. Federal Communications Commission (“FCC”) regulations require carriers to report certain data breaches. On October 27, 2016, the FCC adopted new privacy regulations for carriers and internet service providers (“ISPs”), requiring them to:
- Provide customers with notice and choice regarding personal information that they collect and how they will use and share the data
- Take reasonable security measures to protect customer information
- Notify customers, the FCC, the FBI, and the U.S. Secret Service in certain cases, if a data breach occurs
On April 4, 2017, the President signed a repeal of the above internet privacy protection regulations.