Privacy Laws in Business

There is an ever-growing number of state and federal privacy laws. In addition, every business has a responsibility to report when there is a breach. To better prepare your business, you first need to know what is considered “Personal Information (PI)”. Not all the laws take into account all of these identifiers, but it is best that everyone knows what to consider as PI.

  • Resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to the resident:
    • Social Security number.
    • Driver’s license number or Massachusetts identification card number.
    • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account.
    • A biometric indicator.
    • Insurance number.
    • Health information.

US Federal Data Privacy Legislation

Businesses, educational institutions, medical facilities and government agents are required by law to protect all customer, employee, patient and vendor personal information.

The average data breach in 2010 cost businesses $7.2 million per incident*. Healthcare accounted for over 66% of all 2010 data breaches**.

  • American Recovery and Reinvestment Act (ARRA): Allows state attorneys general and individuals to seek financial damages from a security breach.
  • HITECH: Title 13, Subtitle D of ARRA defines data protection, what is a breach and notification rules after a breach.
  • FTC Red Flag Rules: Identity Theft Prevention Program for document management, access & disposal.
  • Health Insurance Portability and Accountability Act (HIPAA): All medical facilities and businesses that store medical or health insurance information are subject to HIPAA.
  • Fair and Accurate Credit Transactions Act (FACTA): Businesses must take “reasonable measures” to protect, store and dispose of personal information in electronic media.
  • Gramm-Leach-Bliley Act (GLBA): Mortgage companies, schools, car dealers, insurance companies, retail stores, etc. are now “Financial Institutions”.
  • Federal Information Security Management Act (FISMA): U.S. federal law that recognizes the importance of information security to the nation’s economic and security interests. Each federal agency must provide agency-wide information security, covering its contractors as well.
  • Children’s Internet Protection Act of 2001 (CIPA): Requires K-12 schools and libraries to operate technology protection measures on computers with Internet access that protect against access to visual depictions that are obscene, child pornography, or harmful to minors.
  • Children’s Online Privacy Protection Act of 1998 (COPPA): Applies to the online collection of personal information by persons under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online, including restrictions on marketing to those under 13.
  • Privacy Act of 1974: Establishes certain controls over what personal information is collected by the federal government and how it is used. The act guarantees three primary rights: (1) the right to see records about oneself, subject to the Privacy Act’s exemptions; (2) the right to amend that record if it is inaccurate, irrelevant, untimely, or incomplete; and (3) the right to sue the government for violations of the statute, including permitting others to see your records, unless specifically permitted by the act.
  • Electronic Communications Privacy Act (ECPA): Prohibits the unauthorized interception of electronic communications, like email, texts and instant messages.
  • Stored Communications Act (SCA): Prohibits unauthorized access to electronic communications stored in certain computer systems.

US State Data Privacy Legislation

The hardest part now for businesses is that they must be aware of all 50 states’ privacy laws, because most include a clause stating that the business does not have to reside in that state; it only has to store information on a resident of that state. With eCommerce, everyone is affected.

  • California’s SB1386 (the Database Security Breach Notification Act): Requires any holder of personal information about a California resident, regardless of where the holder is located, to notify each resident whose information may have been compromised in some way. Almost every US state has passed similar laws.
  • Massachusetts Data Privacy Act (201 CMR 17): Requires all private and public sector entities, including non-profits, that collect and handle Personal Information of MA residents, regardless of where that entity is located, to institute safeguards by adopting a Comprehensive Written Information Security Program by March 1, 2010.

Industry Data Privacy Legislation

  • Payment Card Industry Data Security Standard (PCI DSS): Industry standard that encompasses a set of requirements for protecting the security of consumers’ payment account information.

* Ponemon Institute, Annual Study. ** 2010 ITRC Breach Stats Report.

Link to a white paper by the Better Business Bureaus, “A Review of Federal and State Privacy Laws.”
