Your SlideShare is downloading. ×
How to Protect Your Personally Identifiable Information
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

How to Protect Your Personally Identifiable Information


Published on

CLE Presentation: Dan Nelson, Intellectual Property Attorney at Armstrong Teasdale …

CLE Presentation: Dan Nelson, Intellectual Property Attorney at Armstrong Teasdale

Data is the key currency of today's information-based economy so regardless of your industry, you collect, store and share information. But how do you keep this data private? This slideshow will provide you an overview of many laws addressing privacy, as well as provide suggestions for compliance.

The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by means, except with the prior written consent of Armstrong Teasdale.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. © 2013 Armstrong Teasdale LLP© 2013 Armstrong Teasdale LLPPrivacyDan Nelson, CIPP/USMay 23, 2013
  • 2. © 2013 Armstrong Teasdale LLPWhat is Privacy Law Multiple concepts• What can you collect• What can you do with the information• What are your data security obligations2
  • 3. © 2013 Armstrong Teasdale LLPWhat law are we talking about? Big problem: Data does not respect borders Key distinctions between United States and many foreigncountriesUnited States•No comprehensive “law”•Patchwork of sector-specific (e.g. HIPAA)and jurisdiction-specific regulations•Overall: less privacy protectionEurope•Comprehensive data protection scheme•Strict privacy protection•“Privacy as a human right”Rest of the World: Tends towards European Data Privacy model3
  • 4. © 2013 Armstrong Teasdale LLPTakeaways Key data definitions Key data practices Overview of some of the data laws most likely to touch yourbusiness4
  • 5. © 2013 Armstrong Teasdale LLPKey data definitions "Data Controller"• Entity for whose benefit data is collected/proccesed• While the express term comes from EU law, the concept ismirrored in several US laws "Data Processor"• Entity that collects, stores, or handles data on behalf of aData Controller Data Subject• Person whose data is being collected/stored/used5
  • 6. © 2013 Armstrong Teasdale LLPKey data definitions Personally identifiable information (PII)• Definition is context-sensitive− Often depends on• Context in which data collected• Promises made to Data Subject• PII can be simultaneously public and private• Just because PII can be located publically does not mean that itis not protected in other contexts PHI• Personal Health Information− Type of PII• In the US, specifically protected by both Federal and State HIPAA laws6
  • 7. © 2013 Armstrong Teasdale LLPKey data definitions Opt In/Opt Out• Opt IN:− Affirmative action by Data Subject to agree• e.g. "Check this box if you agree that we can share your data,""initial here if you agree to our collection of data"• In many parts of the world, including EU, Opt IN is the defaultstandard• Even in the US, provides a greater level of protection: indicates DataSubjects affirmative consent• Opt OUT:− General US default standard• But, seeing indications that this is changing− E.g. "Uncheck this box if we cant collect your data," "Checkthis box if you do NOT want your data shared"7
  • 8. © 2013 Armstrong Teasdale LLPKey data practices Numerous US and Foreign Regulatory and Oversight Groupshave promulgated very similar guidelines Often variations of 9 or 10 of the same key concepts A quick overview:• Notice: Individuals should be told what is being collected, how it isbeing collected, and how it is being used• Choice: Individuals should be given meaningful options on collectionand use of PII• Access: Individuals should be able to find out what PII is beingcollected and retained, and have a right to correct or complete theinformation• Security & Integrity: Data is from reputable source, is not stale, andis appropriately secured8
  • 9. © 2013 Armstrong Teasdale LLPMany “Privacy” LawsECPATCPACOPPACalOPPAFCRAGLBAFACTSCATSRFERPASong BeverlyHIPAAFTC ActDRPAEPPADNCCAN-SPAMPatriot ActBreach NotificationLawsJFPACALEAFederal Privacy ActMass. Data SecurityLawEU-US Safe HarborVPA9
  • 10. © 2013 Armstrong Teasdale LLPSome Key US data protection laws Federal Trade Commission Act California Online Privacy Protection Act (“CalOPPA”) Fair Credit Reporting Act (“FCRA”) Children’s Online Privacy Protection Act (“COPPA”) Health Insurance Portability and Accountability Act(“HIPAA”) Telephone Consumer Protection Act (“TCPA”) Breach Notification Laws Massachusetts Data Security Law10
  • 11. © 2013 Armstrong Teasdale LLPFTC Act Prohibits both "Deceptive" and "Unfair" Trade practices• "Deceptive Practices": Common scenario− Failure to comply with own Privacy Policy• Sample Complaint• "Unfair Trade Practice"− No policy, plus− Substantial harm to consumer− Increasingly rare to see "No Policy," which heightensenforcement risk− See also California’s Online Privacy Protection Act, whichrequires a posted privacy policy11
  • 12. © 2013 Armstrong Teasdale LLPRecent Enforcement Actions Cbr Systems, Inc.• Cbr’s privacy policy promised to handle personal informationsecurely and in accordance with its Privacy Policy and Termsof Service• After unencrypted data contained on storage media and alaptop were stolen from a Cbr employee’s car, the FTCcharged Cbr with deceptive trade practices because Cbrfailed to provide the promised security. In particular, theFTC focused on Cbr’s failure to employ secure data transportpractices, failure to encrypt data, and retention of data forwhich Cbr no longer had a business need12
  • 13. © 2013 Armstrong Teasdale LLPRecent Enforcement Actions (continued) Epic Marketplace, Inc.• Epic employed “history sniffing technology” which allowedsite operators to “sniff” a browser to determine past websitevisits• But, Epic told consumers that it only collected informationabout consumer visits to sites within its advertising network• The FTC charged Epic with deceptive trade practices13
  • 14. © 2013 Armstrong Teasdale LLPFTC Act14 I should be thinking about the FTC Act when:• I collect, store or process PII. Big Picture:• Non-compliance with a privacy policy will be treated as adeceptive trade practice• Not having a privacy policy will be deemed an unfair tradepractice. Keys to avoiding trouble:• Have a meaningful privacy policy that reflects actualcompany practices.• Emphasize, Audit and Train on your policy.
  • 15. © 2013 Armstrong Teasdale LLPCalifornia Online Privacy Protection Act Applies to website/online service/mobile app providers whocollect California resident’s PII Requires conspicuous privacy policy Policy must, at a minimum:• Tell data subject categories of PII being collected• Describe any available means by which data subject canreview or request changes to retained PII• Identifies means by which policy changes will be madeknown to users• Specifies an effective date15
  • 16. © 2013 Armstrong Teasdale LLPCalifornia v. Delta Air Lines, Inc. Filed 12/06/12 Complaint alleges that Delta violated California’s Online Privacy ProtectionAct (“CalOPPA”) and California’s Unfair Competition Law: The “Fly Delta” mobile app collected user’s PII, including name, contactinformation, passport information, photographs and geo-location data. Delta did not conspicuously post a privacy policy, thus depriving users of:• Knowledge of what PII Delta collected• What Delta did with the PII• To whom Delta may have disclosed or sold the PII While Delta’s website does contain a posted privacy policy, that policy did notmention the Fly Delta app, and the Fly Delta app did not point users to thisprivacy policy. Moreover, the app collected certain types of PII that thewebsite did not.16
  • 17. © 2013 Armstrong Teasdale LLPCalifornia Online Privacy Protection Act I should be thinking about CalOPPA when:• I operate a website/online service/application that collectsor stores consumer’s PII. Big Picture:• Must have a privacy policy Keys to avoiding trouble:• Post a meaningful privacy policy that reflects theorganization’s actual practices17
  • 18. © 2013 Armstrong Teasdale LLPFCRA Summary: Regulates the use of “Consumer Reports.” Many people think the law regulates “Credit Reporting Agencies.”This is true, but is a misunderstanding of the FCRA’s actual scope. Better to think of the FCRA as regulating the use of a type ofinformation (“Consumer Reports”) than as regulating certainentities.• “Consumer Reports,” defined as information pertaining to:− Credit (including credit worthiness or history)− Character− General reputation− Personal characteristics− Mode of living18
  • 19. © 2013 Armstrong Teasdale LLPFCRA “Consumer Reports,” defined as information pertaining to:• Credit (including credit worthiness or history)• Character• General reputation• Personal characteristics• Mode of living The FCRA Regulates both data providers and data users. Includes data provided by Consumer Reporting Agencies(“CRA’s”) and others, including non-CRA third parties andaffiliates of the data user.19
  • 20. © 2013 Armstrong Teasdale LLPFCRA From the data user’s perspective:• Must have a “permissible” purpose for obtaining the data;− Statute defines permissible purposes.• Often must provide certification of permissible purpose tothe data provider;• Generally, must notify data subject if the data is a factor inan adverse action against the data subject (e.g. denial ofcredit, denial of employment).• Additional rules apply in a variety of scenarios, including:− Use in in hiring− Employee investigations− “Investigative Consumer Reports”20
  • 21. © 2013 Armstrong Teasdale LLPFCRA I should be thinking about the FCRA when:• I obtain consumer data from any third party, or even fromthe consumer if the data will be used for a business purpose. Big Picture:• FCRA primarily regulates the information, not just specificproviders• Must have a permissible purpose to obtain Keys to avoiding trouble:• Recognize the Act’s potentially broad reach• Think through the Act’s requirements: (a) permissiblepurpose; (b) consumer notification• Additional special requirements21
  • 22. © 2013 Armstrong Teasdale LLPCOPPA Act’s primary focus is to safeguard the PII of children.• PII includes a large array of information− The obvious: name, address, etc.− But also:• Geolocation data• Photos and Videos• Computerized Persistent Identifiers If you operate a website, online service, or mobile appdirected towards kids, you must pay attention to COPPA.22
  • 23. © 2013 Armstrong Teasdale LLPCOPPA The problem: The FTC has stated that the operator’s intent isnot determinative of whether a site, service or app isprimarily or secondarily directed to kids. Modified scopedefinition: sites “directed to children”• Problematic, in that new definition looks not to operator’sintent, but to “totality of the circumstances” test.” The FTCintends to look at the “attributes, look and feel” of a site.COPPA may apply even if children are deemed to be asecondary audience. Moreover, if you have actual knowledge that your aregathering kids’ PII, you must comply with COPPA23
  • 24. © 2013 Armstrong Teasdale LLPCOPPA COPPA is a minefield of stringent rules, including specificrules on methods of parental notification and obtainingparental opt-in consent.• If you didn’t know COPPA applied to your site/service/app,the chances of accidental compliance are virtually zero. The FTC takes COPPA violations very seriously. A COPPAviolation may be your surest ticket to an FTC enforcementaction.24
  • 25. © 2013 Armstrong Teasdale LLPCOPPA Enforcement U.S. v. Path, Inc.: filed 1/31/13• Path: social networking site operating through an iOS app• App collected and stored information from user’s mobile address book,even if user did not elect this option• FTC challenged the practice is a Deceptive Trade Practice because thecollection violated Path’s published privacy policy• FTC also alleged that violations of the Children’s Online PrivacyProtection Act because, among other things, the App allowed for theknowing collection of personal data of children under age 13, andallowed children to post text, photos, and the child’s precise location• Settlement with the FTC that included $800,000 payment, as well asaudited monitoring for next 20 years25
  • 26. © 2013 Armstrong Teasdale LLPCOPPA I should be thinking about COPPA when:• I operate a website/service/mobile app that would beattractive to kids. Big Picture:• FTC’s “Look and Feel” test creates uncertainty• High-value target for FTC enforcement combined with verylow probability of accidental compliance Keys to avoiding trouble:• Take a hard look at your website/service/mobile appofferings• Don’t ignore evidence that you are acquiring kid’s data26
  • 27. © 2013 Armstrong Teasdale LLPHIPAA Provides broad protection for Protected Health Information(“PHI”). Applies to “Covered Entities”:• Health Care Providers• Health Plans• Health Care Clearinghouses But, recent HIPAA amendments have expanded compliance to“Business Associates,” including subcontractors (at alllevels) of Business Associates.• If your business is a downstream data processor for PHIoriginating with a Covered Entity, then you likely have HIPAACompliance obligations.27
  • 28. © 2013 Armstrong Teasdale LLPHIPAA Developments Texas HIPAA Law:• Stricter provisions than Federal HIPAA law• Broadly covers virtually anyone who receives or storesProtected Health Information of Texas residents (“CoveredEntities”)• Covered Entities subject to numerous requirements,including:− Specific employee training− Substantial restrictions on “disclosure” (broadly defined)• Many commentators believe that other states will follow28
  • 29. © 2013 Armstrong Teasdale LLPHIPAA I should be thinking about the HIPAA when:• My business performs some process with respect to PHI Big Picture:• Stringent Data Privacy and Data Security Rules Keys to avoiding trouble:• Recognize the Act’s extended reach29
  • 30. © 2013 Armstrong Teasdale LLPTCPA The Telephone Consumer Protection Act Regulates a variety of practices regarding unsolicited faxes,text messaging and phone calls to consumers In addition to regulating Telemarketing calls, also regulatescertain contacts with existing customers (debt collectioncalls, for example) if the caller is utilizing commonautomated calling equipment to call a cell phone number. Common Litigation Scenario: Third-party telemarketer ordebt collector repeatedly calls wrong cell number. Classaction ensues. May 14, 2013: FCC holds that Seller can be held vicariouslyliable for certain TCPA violations by third-party callers.30
  • 31. © 2013 Armstrong Teasdale LLPTCPA I should be thinking about the TCPA when:• My business, or a third-party contractor, is calling or textingpotential consumers or existing customers. Big Picture:• Compliance with Do Not Call requirements• Effective programs to scrub wrong numbers and misdials Keys to avoiding trouble:• Due Diligence with respect to third-party calling services31
  • 32. © 2013 Armstrong Teasdale LLPBreach notification laws State law(s) generally apply Must identify state of residence of those effected by DataBreach Missouri: Fairly typical notification statute32
  • 33. © 2013 Armstrong Teasdale LLPBreach notification laws Has a breach occurred?• Yes, if unauthorized access and acquisition of “PersonalInformation” (“PI”)• PI generally includes Name, plus:− Social Security Number or other Gov’t Identification number− Account Number, together with any necessary accesscode/credential− Medical/Health insurance information• But, if this information is encrypted, de-identified orotherwise rendered unusable, then not “PI” for purposes ofbreach statutes− Extra caution is warranted in ensuring that this exceptionapplies.33
  • 34. © 2013 Armstrong Teasdale LLPBreach Notification Laws Notice in accordance with the Statute• Generally requires brief description of incident,identification of types of data at issue, and variousadvisories/warnings regarding data theft prevention• Many states have unique different/additional notice contentrequirements, e.g. must include State Attorney General’scontact information. Little uniformity in Notice timing requirements• Missouri: “without unreasonable delay”• Trend is to enact specific time frames for notice• Most states have exception for notification delay “at lawenforcement’s request”34
  • 35. © 2013 Armstrong Teasdale LLPBreach Notification Rules Many states have slightly different requirements:• Must send breach notification to Attorney General beforesending to data subject• Must include Attorney General’s contact information• Specific timing requirements• Specific text required in notice35
  • 36. © 2013 Armstrong Teasdale LLPData Breach Notification I should be thinking about the Data Breach Notificationwhen:• A possible security breach or PII disclosure has potentiallyoccurred Big Picture:• Different notification schemes by state• Timelines are increasingly strict Keys to avoiding trouble:• Early recognition of the potential problem and early reviewof applicable statute(s)36
  • 37. © 2013 Armstrong Teasdale LLPMassachusetts Data Security Laws Massachusetts: Standards for the Protection of PersonalInformation, 201 CMR 17.00• Applies to all entities that collect Massachusettss residents’PII• In addition to breach notification duties, requires acomprehensive information security program, includingadministrative, technical and physical safeguards37
  • 38. © 2013 Armstrong Teasdale LLPMassachusetts Data Security Laws (continued) “Comprehensive” program includes• Designated responsible employee(s)• Identification & assessment of risks• Employee security policies• Oversight of service providers (including requiring suchproviders, by contract, to maintain appropriate securitymeasures)• Encryption of data that will “travel across public networks”or that will be “transmitted wirelessly”Tyler v. Michaels Stores, Inc.,: Mass. Supreme Court holds that PIIincludes credit card consumer zip codes38
  • 39. © 2013 Armstrong Teasdale LLPMassachusetts Data Security Law I should be thinking about the the law when:• I am collecting third-party data Big Picture:• In addition to breach notification provisions:− Program to identify risks, train employees, and protect datasecurity Keys to avoiding trouble:• Being proactive39
  • 40. © 2013 Armstrong Teasdale LLPThank YouQuestions?40
  • 41. © 2013 Armstrong Teasdale LLPContact41Dan Nelson, CIPP/US, Partner314.552.6650 dnelson@armstrongteasdale.com