H&H Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan & Hartson Law Firm : Data Security, E-Commerce & Technology

• Email This
• Print

On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the "Data Accountability and Trust Act," which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud.

These measures include:

• Requiring covered organizations to establish and implement comprehensive policies and procedures regarding information security practices for the treatment and protection of personal information, tailored to the individual organization's capabilities.  This would include:
  • the creation of a security policy;
  • the identification of a security officer or other individual as the point of contact for the organization's security program;
  • the creation of a process for assessing vulnerabilities to electronic systems containing personal information, including regular monitoring for security breaches;
  • the creation of a process for taking preventative and corrective action to mitigate against any vulnerabilities found; and
  • the creation of a process for the secure disposal of obsolete data.
• Subjecting data brokers maintaining PII to standards similar to credit reporting agencies, including allowing individuals to request and correct false information maintained about them, and punishing data brokers for the unauthorized disclosure of personal information through "pretexting" -- that is, obtaining or hiring someone who obtains personal information of others through false pretenses.
• Creating a federal data breach notification requirement that would mandate any organization suffering a breach of personal information to notify all affected individuals, unless it determines that there is no reasonable risk of identity theft, fraud, or other unlawful conduct (which can be presumed if the data is properly encrypted or otherwise rendered in an electronic form unreadable or undecipherable).  Organizations suffering breaches would also be required to provide consumer credit reports to affected individuals on a quarterly basis for two years.

The FTC would be directed to pass regulations and guidance implementing and interpreting many of the specifics, and would be granted civil enforcement authority through its power under the FTC Act to prevent unfair and deceptive trade practices.  In addition, the bill would empower state attorneys general to bring civil actions to enforce its provisions with regard to violations against residents of their respective states.

Penalties would be substantial.  The failure of any covered organization to implement a comprehensive data security program or of data brokers to implement requirements specific to them would carry a maximum penalty of $11,000 per violation -- which in the case of the data security program would be $11,000 per day -- up to a maximum of $5,000,000.  Failing to comply with the breach notification provision would carry a penalty of up to $11,000 per failed notification, up to a maximum of $5,000,000, which could theoretically be reached by an unreported breach of the personal information of only 455 individuals .

Importantly, the bill would preempt the breach notification laws of forty-five states, the District of Columbia, Puerto Rico, and the Virgin Islands, as well as the recent controversial Massachusetts regulations requiring the creation of a comprehensive data security program and policy of all organizations maintaining the electronic personal information of residents of that state.  It would not, however, replace any of the parallel federal breach notification standards, such as the breach notification rule recently issued by the department of Health and Human Services under the HITECH Act and other disclosure requirements under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Just last month, the Senate Judiciary Committee approved two bills very similar to H.R. 2221.  While there are some notable differences -- including criminal penalties, an applicability threshold for the data security program requirement, and express exemptions for entities in compliance with similar federal regulations in the Senate versions, and prohibition of pretexting and higher penalties in the House version -- all three bills have enjoyed bipartisan support and their purposes are aligned.  Though health care and other items remain higher on the Senate's agenda, and the full chamber is unlikely to vote on the bills for some time, proponents are now likely to point to the momentum generated by the passage of the House version to bring the issue before the Senate sooner rather than later.

• Email This
• Print

On December 1, Judge Reggie Walton of the U.S. District Court for the District of Columbia issued a memorandum opinion in a lawsuit by the American Bar Association against the Federal Trade Commission, explaining his October 29 ruling from the bench that the FTC's Red Flags Rule does not apply to lawyers.  Holding that "[e]ven a cursory review of the language of [the Fair and Accurate Transactions Act (FACT Act), through which Congress authorized the creation of the Red Flags Rule, and other legislation defining relevant terms] and the purposes underlying their enactment leads the Court to the conclusion that it was not 'the unambiguously expressed intent of Congress' to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule," Judge Walton rejected almost every argument put forth by the FTC and indicated that the court would similarly condemn any FTC attempt to apply the Rule to other professionals outside of the banking, lending, and financial sectors who bill periodically for services previously rendered.

Specifically, Judge Walton rejected the Rule's applicability to lawyers under both prongs of the Chevron test regarding judicial deference to agency interpretation, finding that no evidence indicated that Congress intended that rules promulgated under the FACT Act would apply to lawyers, but even if Congressional intent could be considered ambiguous, that the FTC's interpretation of the FACT Act and its resulting application of the Rule to lawyers was unreasonable and therefore undeserving of deference.

• Email This
• Print

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

• Email This
• Print

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches among those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that in addition to the affected individuals notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of  the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (with the approval of the Secret Service of this determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.

• Email This
• Print

As reported in the blog of the American Bar Association Section of Antitrust Law Privacy and Information Security Committee:

Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with Red Flags Rule.

With the November 1st enforcement date for the Red Flags Rule looming, the court's ruling for now eliminates uncertainty for lawyers, who the FTC had argued should be covered because among other things, billing on a monthly basis made them “creditors” under the Rule.  The ABA had argued that Congress did not intend to subject lawyers to FTC regulation (an area traditionally left to the States) and that the extension of the Rule to lawyer billing practices was overly-broad.  Judge Walton's oral ruling appeared to agree with the ABA arguments.  Whether or not the FTC will appeal remains to be seen, but given the fact that it did so in the case involving the applicability of the Gramm-Leach-Bliley to lawyers suggests that it will.  See ABA v. FTC,  430 F.3d 457 (D.C. Cir. 2005).

• Email This
• Print

The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee proposes comprehensive federal regulation of data broker services.  While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA which is limited to information used in consumer reports. 

• Email This
• Print

 On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee.   The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama.  Among the provisions of the proposed law are a mandated adoption and maintenance of a comprehensive information security program, a national data breach notification law, and regulation of data broker services.  Further, while the bill as currently drafted reflects many commonly accepted principles of data privacy and security underlying existing federal and state laws, it deviates from current laws and standards regarding data security and breach notification on several noteworthy points.  Although passage of this legislation during the current session of Congress is far from certain, the existing PDPSA draft may foreshadow future legislative and regulatory trends. 

• Email This
• Print