UNDERSTAND YOUR UNIVERSE: KNOW YOUR DATA-PRIVACY OBLIGATIONS

David Rice, Brian Sniffen, Paul Firuz, and Emily Raymond

Data privacy and security are some of the most important emerging legal issues in recent times. Advancements in technology have made it easier than ever to gather immense quantities of information about all of us and at the same time have created risks of unauthorized disclosure and use of that information. Many familiar companies (such as Target) have suffered damaging, high-profile data breaches that exposed them to lawsuits and led to dismissal of company board members and officers. Regulators are playing catch-up by trying to develop laws to confront these new challenges or, in some cases, by adapting old laws to meet them, with varying success.

In this new environment, it is essential for companies to understand how data security and privacy laws affect them and the unexpected ways in which these issues are intertwined with their operations. Many state and federal laws dictate how data is obtained, stored, used, protected, and disposed of. Companies must also develop policies that conform their practices to these laws and must train employees to implement them. Many companies are confronting these issues for the first time. Some are adapting existing policies to evolving risks that are difficult to anticipate. But the law may not always offer enough guidance to give companies the comfort of a regulatory “safe harbor.” To help meet this challenge, we present this introduction to U.S. data-privacy law to highlight rules that all companies should be aware of and to help with high-level issue-spotting.

I. OVERVIEW.

U.S. data-security law consists of a collection of federal and state laws. There is no overarching, comprehensive data-security law that covers all issues. On the federal side, the laws tend to be specific to particular types of data, such as financial data or health data, or they address specific situations, such as credit accounts. The Federal Trade Commission (the “FTC”) essentially fills the role of privacy regulator based on its jurisdiction over unfair and deceptive practices in commerce. The FTC punishes companies that fail to protect data from unauthorized disclosure or use, and it issues guidance to businesses to help them protect data.

On the state side, almost every state has a law that details how companies must respond if there is a data breach. These responses typically involve sending a notice to the affected individuals, contacting law enforcement, and taking steps to mitigate harm from the breach and prevent further breaches. States also have their own consumer-protection laws that are similar to the FTC Act, so in some cases they may take action against companies that misuse data. State laws typically also regulate disposal of sensitive data.

As a general note, you will often see the terms “data security” and “data privacy” used interchangeably. It is probably more accurate to think of “data security” as involving the protection of data from unauthorized disclosure, such as theft by hackers. “Data privacy” involves the appropriate and legal collection and use of data, such as gathering information from customers online and using it to target advertising to them, while making the required disclosures.

II. GENERAL DATA-SECURITY AND PRIVACY LAWS APPLICABLE TO VIRTUALLY ALL BUSINESSES.

A. Data-breach notification laws.

A data breach can be a dramatic and often newsworthy event. These events occur without warning, and the initial hours of investigation can involve a lot of confusion as companies scramble to determine what actually happened. We recommend that companies have a data-breach policy in place before any such event, so that everyone knows what to do if it occurs.

The applicable data-breach law is generally based on the residency of the person whose information has been compromised. In some cases, this means complying with the laws of many different states. Fortunately, the laws are often close enough that a single notification to the affected individuals that incorporates all the state-required elements will generally suffice. We have summarized the data-breach laws of Oregon and Washington below and discussed potential litigation risk from breaches.

1. Oregon.

Oregon’s data-breach law (also known as the Oregon Consumer Identity Theft Protection Act) is codified at ORS 646A.604. It provides that anyone owning, maintaining, or possessing personal data in the course of his or her business or volunteer work must give notice of any data breach to any Oregon “consumer” (defined as an Oregon resident) whose personal data was included in the breach. Additionally, any party that possesses or maintains personal information on another’s behalf must notify the original owner or licensor of the information upon discovery of a breach. All notifications must be made as quickly as possible, unless delayed disclosure is requested by law enforcement agencies. Notice can be given by mail, e-mail, or telephone, or, in certain circumstances where notifying each affected consumer would be too burdensome, by posting a notice on the person’s or business’s website and notifying “major statewide television and newspaper media.”

2. Washington.

Similarly, RCW 19.255.010 requires any person or business that owns or licenses computerized personal data to disclose any breach of security to Washington residents whose data is believed to have been accessed by an unauthorized person. Washington defines “personal information” under this statute as name plus social security number, debit/credit-card number, or driver’s license/state ID number. This law applies to employee data. Any business maintaining computerized personal data that the business does not own must notify the owners of the data in the event of a potential breach.

3. Litigation risk due to data breaches.

Sending out the required data-breach notification might not end the matter, since a data breach can result in a lawsuit filed by the affected parties. Oregon and Washington permit a private right of action for injured parties under certain circumstances to seek damages from those who have released their personal information without authorization (although it remains to be seen how successful these lawsuits will be). In the Target litigation, plaintiffs have been citing state prohibitions against unfair and deceptive practices to claim that Target’s practices were negligent. So essentially these statutes are being used to establish a standard of care for handling data.

In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Starbucks employees sued their employer under Washington law after a manager’s laptop, which contained the employees’ personal information, was stolen out of a car. Starbucks paid for several months of credit monitoring, and no identity theft was detected during that time. After the free credit monitoring expired, the employees sued, alleging that they had been exposed to an increased risk of identity theft. The court agreed, stating that no actual identity theft was required for the employees to recover. Rather, it was enough that Starbucks’ actions had exposed them to greater risk. After this case, businesses could face liability for data breaches even if no identity theft results.

These are just two examples. There are many other cases, and the variety of claims and factual scenarios is broad. Covering all the types of claims cited in data-breach lawsuits is beyond the scope of this paper.

B. State and federal unfair trade practices legislation.

Federal and state regulators typically rely on statutory prohibitions against unfair and deceptive actions in commerce to punish companies that promise to protect consumer data but do not do so, or that collect data from consumers and then use it in a manner that is not disclosed to the consumer.

1. The FTC Act.

The FTC Act, 15 U.S.C. § 45, prohibits “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” An “[u]nfair or deceptive act” is defined as an act that causes, or is likely to cause, a reasonably foreseeable injury. As with the state statutes, this federal statute might be used to sue a company for identity theft stemming from a data breach. The FTC has relied on this broad authority to punish many companies, including Facebook, Google, and Twitter, for misleading consumers about the collection and use of data or for failing to protect data in accordance with representations made to consumers.