  1. IBM Fall 2006 Security and Privacy Day: The Evolution of Global Privacy Law
     Lisa J. Sotto, Partner, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
     November 13, 2006

  2. What is Privacy and Data Security?
     • Privacy is the appropriate use of information as defined by:
       • Law
       • Consumer expectations
     • Security is the protection of information
       • Confidentiality (protection against unauthorized access to data)
       • Data integrity

  3. Four Privacy Risks
     • Legal compliance
     • Reputation
     • Investment
     • Reticence

  4. Data Protection Laws Around the World

  5. US Privacy Laws
     • Major federal laws are:
       • GLB: Financial institutions
       • HIPAA: Health care entities
       • FCRA/FACTA: Consumer reporting agencies
       • FTC Disposal Rule
       • DPPA: DMV records
       • CAN-SPAM: Commercial e-mail
       • COPPA: Children’s data
       • Do-Not-Call Registry: Telemarketing
       • FTC Act Section 5: Prohibits unfair or deceptive trade practices
       • Privacy Act of 1974

  6. California
     • Disclosures to Direct Marketers Law (SB 27)
     • California Online Privacy Protection Act
     • Security of Personal Information (AB 1950)
     • California Computer Security Breach Act (SB 1386)

  7. Information Security
     • 2005 was the year of the security breach
     • In 2005/2006, 365 information security breaches so far
       - ChoicePoint
       - DSW
       - Bank of America
       - CardSystems
       - LexisNexis
       - Boston Globe
     • Over 97 million potentially affected
     • 34 state security breach notification laws
     • Numerous federal bills

  8. State Security Breach Notification Laws
     • Generally, the duty to notify arises when unencrypted “personal information” was (or was reasonably believed to have been) acquired or accessed by an unauthorized person
     • Some states require notification when encrypted information has been acquired or accessed along with the encryption key
     • “Personal information” is an individual’s name, combined with:
       • SSN
       • driver’s license or state ID card number
       • account, credit or debit card number along with password or access code
     • But state laws differ:
       • Computerized v. paper data
       • Definition of PI
       • Notification to state agencies
       • CRA notification
       • Harm threshold

  9. Recent FTC Enforcement Actions
     • Most FTC privacy enforcement actions result from security breaches
       • CardSystems
       • ChoicePoint
       • DSW
       • BJ’s Wholesale Club
       • Petco
       • Tower Records
       • Barnes & Noble.com
       • Guess.com, Inc.
     • Enforcement trends

  10. Emerging State Law Issues
     • Social Security Numbers
       • A number of states regulate the private sector
       • Many others are considering similar legislation
     • Child Protection Registry Laws
       • Michigan and Utah currently regulate
       • Other states pending
       • Senders are prohibited from sending adult messages to “contact points” listed on state registries
       • FTC’s view
     • Employee Email Monitoring
       • Delaware and Connecticut have employee monitoring laws in place

  11. Emerging State Law Issues (cont’d.)
     • Website Privacy Notices
       • California, Nebraska and Pennsylvania
     • Radio Frequency Identification (RFID)
       • At least 13 states are considering privacy legislation regulating the use of RFID
     • Anti-Spyware
       • 12 states currently have anti-spyware laws
       • At least 17 other states are considering anti-spyware legislation

  12. The EU Directive
     • Enacted in 1995; each country has its own national data protection law, and the Directive sets the floor
     • Requires entities to notify authorities or register before processing personal data
     • Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
       • U.S. is not “adequate”
     • Data transfer is permitted:
       • To “adequate” countries (e.g., Switzerland, Canada)
       • Within the safe harbor framework (from EU to U.S. only)
       • Where a contract ensures adequate protection
       • With “unambiguous consent” of the data subject
       • BCRs

  13. Recent EU Issues
     • Whistleblower hotlines
     • Data Retention Directive
     • PNR Data
     • SWIFT issue
     • New security breach notification proposals

  14. PIPEDA
     • The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
     • Establishes rules for the management of personal information by organizations involved in commercial activities
     • Applies to the collection, use and disclosure of personal information by organizations during commercial activities
     • Personal information is any information about an identifiable individual, whether recorded or not
     • Requirements:
       • Identify purposes of data collection
       • Obtain consent and limit use to identified purposes
       • Limit collection to necessary information
       • Limit use, disclosure and retention
       • Individual access

  15. Latin America
     • Argentina has an “adequate” comprehensive law, and now an active DPA
     • Several nations have draft data protection laws
     • Other nations codify privacy in consumer protection laws
     • Many Latin American nations implement data protection concepts through habeas data rights
       • Habeas data rights are found in many national constitutions

  16. Japan
     • Personal Information Protection Act
     • Enacted in 2003, fully effective April 1, 2005
     • “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
     • Applies to each “entity using a personal information database”
     • “Third party” does not include data processors but does include affiliates
     • Civil and criminal penalties for violations
     • Guidelines have been published by various Ministries

  17. APEC
     • Created an information privacy framework with 9 privacy principles:
       - Preventing harm
       - Notice
       - Collection limitation
       - Uses of personal information
       - Choice
       - Integrity
       - Security
       - Access and correction
       - Accountability
     • Endorsed by 21 member economies in November 2004
     • Consistent with OECD Guidelines

  18. New and Expected Global Privacy Regimes
     • Russia
       • DP law passed July 2006
       • Bears strong resemblance to EU Directive
     • India
       • New data security proposals to amend India’s IT Act of 2000
       • The proposals result from recent breaches and reports of lax security practices
     • China
       • Law is currently being drafted

  19. U.S. Enforcement and Litigation
     • FTC’s new Division of Privacy and Identity Protection
     • The FTC’s enforcement tools are evolving to meet new problems
       • CardSystems
       • ChoicePoint
       • DSW
       • BJ’s Wholesale Club
       • Petco
       • Tower Records
       • Barnes & Noble.com
       • Guess.com, Inc.
     • U.S. privacy litigation trends

  20. Privacy Issues Are Often Unexpected
     • Information security breaches pose new and sometimes acute risks
       • FTC enforcement and litigation
       • Erosion of customer trust
       • Public perception of brand plummets
       • Investor concerns and market reaction
     • Whistleblower hotlines
     • HP’s pretexting issues

  21. Minimizing the Risk
     • Prevention is the primary goal, but proactive planning can minimize impact if a privacy event occurs
     • Concern and focus on data privacy and security must come from the top
       • Data privacy now often involves the CEO, CFO, CPO, CIO and GC
     • Re-evaluate security systems and privacy and security policies on an ongoing basis
     • Integrate the concern for information privacy and security as a core value and train often

  22. The Global Perspective
     • Information security is the global topic du jour
     • Expect new U.S. privacy legislation
     • New level of professionalism of EU DPAs
     • There is significant activity globally to enact new data protection laws
     • There will be a focus on data protection harmonization in coming years

  23. Questions?
     Lisa J. Sotto, Partner, Head, Privacy and Information Management Practice
     Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
     233317v2