10Questions: Data Privacy Rules In The US
August 2012
FW speaks with L. Richard Fischer, a partner at Morrison & Foerster, about data privacy rules in the US.

FW: What is the current landscape of US data security laws?

Fischer: Today, there is no federal data security or security breach notification law of general application. Instead, federal data security law is sector specific. For example, the Gramm-Leach-Bliley Act imposes data security obligations on financial institutions with respect to information regarding their customers. Similarly, the Health Insurance Portability and Accountability Act imposes data security obligations on health care providers, health plans and others with respect to personally identifiable health information. Also, the Fair Credit Reporting Act includes requirements for the appropriate disposal of credit report information. While not codified as an express data security law, the Federal Trade Commission has used its authority under Section 5 of the Federal Trade Commission Act (prohibiting unfair or deceptive acts or practices) to bring enforcement actions for inadequate data security and for breach incidents.

FW: What is the status of federal data security legislation?

Fischer: For nearly 10 years, Congress has considered a litany of bills that would require all businesses in the US to safeguard personal information and to provide notice of data breaches. Congress, however, has been unable to agree on the exact requirements of such a national data security law, and, as a result, the legislative efforts have been unsuccessful.

FW: What about federal laws addressing cybersecurity?

Fischer: Recently, Congress has actively considered the issue of cybersecurity and the protection of the nation’s critical cyber infrastructure. Like general data security legislation, however, Congress has thus far failed to agree on a statutory approach. For example, many in Congress prefer the creation of a new regulatory structure led by the Department of Homeland Security that would identify covered critical infrastructure, and develop and enforce standards for the protection of the identified critical infrastructure. However, others in Congress focus instead on improving information sharing between the federal government and the private sector without imposing a new regulatory regime.

FW: What types of data security laws exist today in the US at the individual state level?

Fischer: State information security laws generally fall into three categories: first, laws that require companies to notify consumers of security breaches involving personal information; second, laws that require businesses to safeguard personal information; and third, laws that impose limitations on the collection, use and disclosure of social security numbers. Specifically, 46 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted security breach notification laws. In addition, at least 30 states have enacted laws that require businesses to safeguard personal information in some way - sometimes very general, sometimes very specific. Finally, at least 31 states, Guam and Puerto Rico, have enacted laws restricting or prohibiting the collection, use or disclosure of Social Security Numbers.

FW: What types of personal information are commonly covered by these state laws?

Fischer: The state data security laws and security breach notification laws tend to focus on the types of data elements that could be used to commit identity theft. For example, most of these laws cover an individual’s first name or initial and last name in combination with the individual’s Social Security Number, driver’s licence number, or financial account numbers – generally in combination with any password or PIN necessary to access the account. However, some state laws cover other types of data elements, such as passport numbers, employer identification numbers, tax information and health information.

FW: What types of data security requirements are commonly established?

Fischer: Some existing data security laws are quite general. For example, many laws generally require a business to maintain reasonable security practices and procedures to protect personal information that it owns or maintains from unauthorised access, destruction, use, modification or disclosure. In addition, other laws require the appropriate disposal of personal information. On the other hand, a few states impose quite detailed and specific requirements. For example, the Commonwealth of Massachusetts and the State of Nevada require the encryption of personal information for certain types of transmission and storage. In addition, the Massachusetts data security regulations require storage of personal information in locked facilities or containers, secure user authentication and access controls for computer systems maintaining personal information.

FW: What data security best practices should a company consider?

Fischer: There are many data security best practices a company could consider. For example, a company could develop and maintain a comprehensive, written information security program that includes administrative, technical and physical safeguards designed to protect the security of the company’s information. A company also could consider developing an information retention policy and limiting access to personal information to those who need access to perform their employment duties. In addition, a company could consider implementing a password policy, malware protections, logging of significant computer and network security events, and the management of security patches and updates. A company also should take steps to select vendors that are capable of protecting the company’s information and require such protection by contract.