FW speaks with L. Richard Fischer, a partner at Morrison & Foerster, about data privacy rules in the US.
FW: What is the current landscape of US data security laws?
Fischer: Today, there is no federal data security or security breach notification law of general application. Instead, federal data security law is sector specific. For example, the Gramm-Leach-Bliley Act imposes data security obligations on financial institutions with respect to information regarding their customers. Similarly, the Health Insurance Portability and Accountability Act imposes data security obligations on health care providers, health plans and others with respect to personally identifiable health information. Also, the Fair Credit Reporting Act includes requirements for the appropriate disposal of credit report information. While not codified as an express data security law, the Federal Trade Commission has used its authority under Section 5 of the Federal Trade Commission Act (prohibiting unfair or deceptive acts or practices) to bring enforcement actions for inadequate data security and for breach incidents.
FW: What is the status of federal data security legislation?
Fischer: For nearly 10 years, Congress has considered a litany of bills that would require all businesses in the US to safeguard personal information and to provide notice of data breaches. Congress, however, has been unable to agree on the exact requirements of such a national data security law, and, as a result, the legislative efforts have been unsuccessful.
FW: What about federal laws addressing cybersecurity?
Fischer: Recently, Congress has actively considered the issue of cybersecurity and the protection of the nation’s critical cyber infrastructure. Like general data security legislation, however, Congress has thus far failed to agree on a statutory approach. For example, many in Congress prefer the creation of a new regulatory structure led by the Department of Homeland Security that would identify covered critical infrastructure, and develop and enforce standards for the protection of the identified critical infrastructure. However, others in Congress focus instead on improving information sharing between the federal government and the private sector without imposing a new regulatory regime.
FW: What types of data security laws exist today in the US at the individual state level?
Fischer: State information security laws generally fall into three categories: first, laws that require companies to notify consumers of security breaches involving personal information; second, laws that require businesses to safeguard personal information; and third, laws that impose limitations on the collection, use and disclosure of social security numbers. Specifically, 46 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted security breach notification laws. In addition, at least 30 states have enacted laws that require businesses to safeguard personal information in some way - sometimes very general, sometimes very specific. Finally, at least 31 states, Guam and Puerto Rico, have enacted laws restricting or prohibiting the collection, use or disclosure of Social Security Numbers.
FW: What types of personal information are commonly covered by these state laws?
Fischer: The state data security laws and security breach notification laws tend to focus on the types of data elements that could be used to commit identity theft. For example, most of these laws cover an individual’s first name or initial and last name in combination with the individual’s Social Security Number, driver’s licence number, or financial account numbers – generally in combination with any password or PIN necessary to access the account. However, some state laws cover other types of data elements, such as passport numbers, employer identification numbers, tax information and health information.
FW: What types of data security requirements are commonly established?
Fischer: Some existing data security laws are quite general. For example, many laws generally require a business to maintain reasonable security practices and procedures to protect personal information that it owns or maintains from unauthorised access, destruction, use, modification or disclosure. In addition, other laws require the appropriate disposal of personal information. On the other hand, a few states impose quite detailed and specific requirements. For example, the Commonwealth of Massachusetts and the State of Nevada require the encryption of personal information for certain types of transmission and storage. In addition, the Massachusetts data security regulations require storage of personal information in locked facilities or containers, secure user authentication and access controls for computer systems maintaining personal information.
FW: What data security best practices should a company consider?
Fischer: There are many data security best practices a company could consider. For example, a company could develop and maintain a comprehensive, written information security program that includes administrative, technical and physical safeguards designed to protect the security of the company’s information. A company also could consider developing an information retention policy and limiting access to personal information to those who need access to perform their employment duties. In addition, a company could consider implementing a password policy, malware protections, logging of significant computer and network security events, and the management of security patches and updates. A company also should take steps to select vendors that are capable of protecting the company’s information and require such protection by contract.
FW: What kinds of notice are required by state security breach notification laws?
Fischer: State breach notification laws are far from uniform and vary significantly in terms of their requirements, including scope, notice triggers and notice content. However, the laws share a common policy objective: to notify individuals of breaches to enable them to take actions to protect themselves against identity theft or other possible harm that may result from a data breach. Breach notification laws generally require a company to provide notice to consumers when covered personal information is accessed or acquired by an unauthorised person. These laws also include other types of notice requirements, including notice to a state Attorney General or another state official, or to consumer reporting agencies for incidents where the consumer reporting agencies are likely to be contacted by consumers.
FW: Are there current trends in state security breach notification requirements?
Fischer: As time has passed, states also have begun to address new issues associated with breach notification. For example, over the past year, states have amended their laws to specify content requirements for consumer notices and to require notice to state officials. States also have been more aggressive in enforcing their notice laws, including the imposition of penalties and fines.
FW: How can a company prepare for a breach?
Fischer: While each company should take steps to develop meaningful data security controls and practices, the importance of having an incident response program in place cannot be overstated. Because there is no such thing as ‘perfect’ security, incidents will happen. As a result, a company should have a flexible plan in place for how to respond when data incidents occur. As an initial matter, it is essential for company employees to promptly report suspected security incidents to a designated breach control officer or team. An effective response program usually involves a core response team responsible for receiving reports of potential incidents and determining whether to trigger a broader inquiry and response. Specifically, the response team should investigate the cause and circumstances of the incident, assign appropriate personnel to remediate ongoing incidents, engage third-party resources, where appropriate, and manage public communications related to the incident.
L. Richard Fischer is a partner in the Washington office of Morrison & Foerster. His practice focuses on retail financial services, privacy and data security. For over 40 years, he has advised a wide variety of companies, including banks, retailers, insurers, technology and other companies, across the US on the full range of financial services, payment system and data security issues. His practice has a special emphasis on privacy, e-commerce, technology and joint venture issues. He is a recognised expert on Washington legislative and regulatory issues. Mr Fischer can be contracted on +1 (202) 887 1566 or by email: firstname.lastname@example.org.
© Financier Worldwide
L. Richard Fischer
Morrison & Foerster