FAQ on Alberta's New Breach Notice Law
Earlier this month (May 1, 2010), Alberta's broad breach notice law (“Bill 54”) came into force, making Alberta the first Canadian province with a general breach notice requirement as part of its comprehensive data privacy statute, the Personal Information Protection Act (“the Act”). (Technically, Alberta is the second province to enact a breach notice requirement: Ontario previously passed a breach notice provision that applies only to health information custodians.)
It will be interesting to see whether the Alberta law ushers in the passage of additional provincial laws, similar to the way California's SB 1386 led to breach notice laws in over forty U.S. states. There appear to be several breach notice initiatives at the provincial and federal level in Canada, some of which may be on the verge of passing. If a wave of breach notice laws does pass throughout Canada, it will be interesting to see whether it has the same impact as in the United States (e.g., frequent reporting of breaches, lawsuits, etc.), and whether the Canadian approach differs from the U.S. approach.
This blog post breaks down Alberta’s breach notice provisions in a “Frequently Asked Questions” format, and includes commentary and comparisons to existing U.S. law. Note that the Act also now includes obligations concerning collecting and transferring of personal information outside of Canada. That is also discussed briefly in this blog post.
Obligations Concerning Personal Information Collection and Transfer Outside of Canada
First, before diving into the FAQ on the breach notice provisions of Bill 54, let’s take a quick look at an amendment in Bill 54 that addresses the use of service providers outside of Canada for purposes of collecting or transferring personal information. Bill 54 added the following provision to the Act:
13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).
(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).
(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of (a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and (b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
While this provision does not require an individual’s consent to use a service provider outside of Canada, it does require that specific information be provided to the individual before or at the time personal information is collected by, or transferred to, such a service provider. The information referenced in the Act can probably be put into an organization’s privacy policy. However, for organizations with existing non-Canadian service provider relationships, a process must be put in place to provide notice to individuals. This provision may also have implications for cloud computing. Some organizations in Canada using cloud services may not know whether personal information is being transferred outside of Canada. As such, these organizations may have to examine their existing service provider relationships, including identifying subcontractors outside of Canada that their service providers may be using.
FAQ on the Personal Information Protection Act’s Breach Notice Obligations.
What breach notification obligations are set forth in Alberta’s breach notice law?
There are actually two potential notification obligations in Alberta’s breach notice law. The primary obligation requires organizations to provide notice to Alberta’s Information and Privacy Commissioner (the “Commissioner”):
34.1(1) An organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.
(emphasis supplied). In addition, organizations that suffer a breach may also have to provide notice to the impacted individuals:
37.1(1) Where an organization suffers a loss of or unauthorized access to or disclosure of personal information that the organization is required to provide notice of under section 34.1, the Commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure (a) in a form and manner prescribed by the regulations, and (b) within a time period determined by the Commissioner.
(emphasis supplied). Two points jump out from these duties. First, any notice obligation to individuals appears to apply only to those individuals as to whom there is a “real risk of significant harm.” For a particular breach, this may be only a subset of the individuals whose personal information was lost or accessed without authorization. Second, even if a real risk of significant harm does exist, there is no automatic mandatory reporting obligation to the impacted individuals; there is a reporting obligation only if the Commissioner requires it. At the end of the day, however, depending on the regulations and procedures created by the Commissioner, this notification obligation may effectively become “mandatory.” In fact, subsection 37.1(3) requires the Commissioner to establish an “expedited process” for determining whether to require notification where the harm to the individual is “obvious and immediate.”
Differences against U.S. State breach notice laws:
- Regulator Involvement. The obvious difference between Alberta and most U.S. breach notice laws is that the primary notification obligation is to the regulators. In the U.S. the breach notice laws require notification to the impacted individuals, and some also require concurrent notification to the state regulators (e.g. state attorneys general). In addition, the U.S. breach notice laws typically do not give the regulators discretion as to whether to require notice to individuals.
- Harm Threshold. Like some state breach notice laws, Alberta’s law has a “harm” threshold built into it. While no U.S. breach notice law uses the “real risk of significant harm” terminology, some states do require a material risk of harm, a material compromise, a material risk of identity theft, or similar. While it is difficult to compare harm standards, and more research would be necessary to get a clearer picture, it appears that the real risk of significant harm threshold is relatively high. The term does not appear to be defined in the Act itself, but perhaps the Commissioner will get an opportunity to clarify its meaning as it develops regulations and processes for managing the notifications it receives.
What kind of information does the Alberta breach notice law apply to?
It applies to “personal information”, which is defined as follows:
“personal information” means information about an identifiable individual.
Differences against U.S. State breach notice laws:
- No residency requirement. Unlike U.S. state laws, the residency of the individual does not matter. Personal information could relate to any individual whether a resident of Alberta or not. This could serve to limit the Commissioner’s jurisdiction to some degree. In the U.S. states, a state breach notice law could apply to a company with little to no “presence” in that state simply if they held personal information of a resident. Under Alberta’s law, there may need to be more traditional “doing business” jurisdiction for this law to apply. However, this jurisdictional issue is outside of the scope of this article (Michael Power, please weigh in if you would like/have the time).
- Less precise definition than U.S. breach notice laws. In U.S. breach notice laws the definition of “personal information” or “personally identifiable information” is more precise: typically a first name or first initial and last name, in combination with a Social Security number, driver's license number, account number, or similar data element. The concept of “identifiable individual” is arguably broader than PI or PII in the United States, and therefore there may be instances where reporting is required under Alberta’s law but not under U.S. law (on the argument that PI or PII, as defined under the U.S. breach notice law[s], was not at issue).
How is a “security breach” defined that would trigger Alberta's breach notice law?
There is no formal definition for “security breach” or “breach of the security of the system.” Nonetheless, a security breach trigger is described in Alberta law as follows: “any incident involving the loss of or unauthorized access to or disclosure of the personal information.” However, a breach by itself does not trigger a reporting obligation unless “there [also] exists a real risk of significant harm to an individual.”
Differences against U.S. State breach notice laws:
- Actual Loss/Unauthorized Access/Disclosure. Under Alberta's law it appears that there must be an actual loss of, unauthorized access to, or disclosure of the personal information to activate the trigger. Many U.S. breach notice laws are triggered by a reasonable belief or suspicion of unauthorized access or acquisition. As anybody who has handled a breach knows, it is not always clear whether actual unauthorized access occurred (often there is only circumstantial or tangential evidence of unauthorized access). If construed in this manner, the Alberta law may result in some breaches not being reported.
- Alberta's Loss Trigger. Second, the Alberta law includes “loss” as a trigger. The classic example is a lost laptop. Under many, if not most, U.S. statutes, loss of personal information is not an explicit trigger. Depending on the circumstances, some organizations may argue under U.S. state breach notice laws that a lost laptop containing personal information does not amount to a reasonable belief of unauthorized access. Alberta’s law takes that argument away (however, the harm threshold must still be met).
What is the risk of harm threshold under Alberta’s breach notice law, and how does it operate in terms of the individuals who must be notified?
As discussed above the risk of harm threshold for notification is a “real risk of significant harm.” This harm threshold appears to apply in two different ways under the Alberta law. Under section 34.1 if there is a security breach where a reasonable person would consider that there exists a real risk of significant harm to an individual, the organization must report to the Commissioner. Notice of the entire security incident to the Commissioner is required if a real risk of significant harm exists for a single individual impacted by the incident.
However, under section 37.1, notification is required only to those individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. This standard drops the “reasonable person” test and appears to require an actual real risk of harm. Moreover, notice is required only to those individuals as to whom a real risk of harm exists. So, if a breach involves 1 million people and a reasonable person would consider that one of them faces a real risk of significant harm, the organization must report the entire breach to the Commissioner. However, it appears that the only individual to whom the organization must provide notice is the one as to whom an actual real risk of significant harm exists.
What notification obligations does an organization have if its service provider suffers a breach involving personal information?
The Alberta law applies to an organization that has personal information “under its control.” On its face, this control standard appears ambiguous when a service provider breach has occurred. If personal information is stored offsite on a service provider’s computer, but is accessible to an organization, is it under the “control” of the organization or the service provider (or both)? Unlike U.S. breach notice laws, Alberta’s law does not distinguish between the “owner” or “licensee” of personal information and the “service provider” (whose typical breach notice obligation under U.S. laws is to report the breach to the owner/licensee). This of course raises the next question.
What notification obligations does a service provider have if it suffers a breach involving personal information of its customers?
This is the flip side of the question posed above. Service providers may be hard pressed to argue that they were not in “control” of personal information provided by their customers, and therefore may have an independent duty to notify the Commissioner and possibly the impacted data subjects. Again, this is less clear than U.S. laws, which only require service providers to report breaches to their customers (a.k.a. data owners/licensees; although some have argued that ambiguity exists as to the meaning of data “licensee” under U.S. laws).
Under Alberta’s breach notice law, do the notification obligations apply to personal information that is encrypted?
Unlike most U.S. laws there is no specific reference to encryption under Alberta’s breach notice law, and therefore no explicit encryption safe harbor. However, practically speaking, the definitions and triggers in Alberta’s law may preclude notice obligations with respect to encrypted personal information. For example, organizations may argue that, with respect to encrypted personal information, a reasonable person would NOT consider that there exists a real risk of significant harm to an individual whose personal information was lost or subject to unauthorized access.
Conclusion
Alberta's breach notice provisions are very interesting, especially when compared and contrasted against the approach of U.S. states. It will be even more interesting to see whether Alberta's law becomes the model for other provinces, and whether it has an impact on Canadian organizations similar to the impact breach notice laws have had on organizations in the United States.
Security Breach Notices for Canadian Data
There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?
The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.
More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Protection Act, will soon require organizations to notify the Alberta Privacy Commissioner of potentially harmful security breaches; the Commissioner may then dictate the terms of notice to affected individuals.
As readers of this blog are no doubt aware, security breach notice laws have proliferated in the United States since California’s SB 1386 came into effect in 2003. Forty-five states, the District of Columbia, Puerto Rico, the Virgin Islands, and the US federal government (with respect to medical and financial data) have established obligations to notify potentially affected individuals, and sometimes relevant authorities, when there is reason to believe that the security of certain kinds of personal information has been compromised.
The focus in the US has been on the kinds of information most likely to be abused for purposes of identity theft and fraud. The “standard set” of personal information covered by state breach notice laws is limited to unencrypted, name-linked Social Security Numbers, driver’s license or other official state identification numbers, and bank account or payment card numbers (if the access code is compromised as well). The federal HITECH Act requires notice in many cases where personally identifiable medical information has been compromised, and several states require notice of security breaches involving health-related information or other data elements beyond the “standard set,” ranging from date of birth and mother’s maiden name to employer and tribal ID numbers.
American companies, nonprofits, and public entities are becoming familiar with breach notice obligations and consequences in the US, but some of the same security incidents also compromise data concerning individuals residing in other countries, most commonly Canada. US-based enterprises often ask how a data leak including protected information about Canadians should be handled.
While I am not a Canadian lawyer, I have had occasion to help clients determine how to address international data leaks, often with assistance from qualified Canadian counsel. Here are some important background facts and guiding principles gleaned from these experiences and from recent developments in Canadian law and official guidance:
PIPEDA and Provincial Privacy Laws
While Canada has not (yet) adopted federal breach notice legislation, relevant obligations are found in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came fully into effect in 2004. PIPEDA’s Schedule 1 states ten “fair information principles” articulated by the Canadian Standards Association (CSA) for the collection, use, or disclosure of personal information. Unlike the American approach of protecting only specific kinds of personal information, PIPEDA defines personal information broadly as any information about an identifiable individual except business contact information.
PIPEDA applies to federal works, undertakings, or businesses (“FWUBs,” notably banks, telecommunications firms, transportation companies, and enterprises operating in the territories), as well as to inter-provincial and international commercial activities and to commercial activities within provinces that have not enacted similar privacy legislation.
However, under Canada’s constitution, employment matters are traditionally left to provincial law, so PIPEDA normally does not govern an employer’s handling of employee data unless the employer is an FWUB. Provincial law rather than PIPEDA also applies if the federal Governor in Council determines that provincial legislation is “substantially similar” to PIPEDA and incorporates the CSA fair information principles. So far, Alberta and British Columbia have enacted personal information protection acts (“PIPAs”) based on PIPEDA, and Quebec has an older personal data protection statute based on broadly similar principles. Ontario enacted a Personal Health Information Protection Act in 2004 modeled on PIPEDA’s approach to personal information, although the act concerns only health-related information. These four laws have been deemed “substantially similar” to PIPEDA.
The federal and provincial privacy commissioners are authorized to investigate compliance issues, including security breaches, as well as offering interpretation and guidance on the application of privacy laws. The commissioners may refer suspected violations to prosecutors. The commissioners’ guidance documents are not legally binding, but they serve to establish “best practices” in industry and are likely to be influential in court.
So, an American company suffering a data leak involving Canadian consumers normally looks to PIPEDA and guidance from the federal Privacy Commissioner, because the company is typically engaged in international or inter-provincial commerce. To the extent that the data leak involves Canadian employee data, the American company normally looks to provincial law, and only Alberta, British Columbia, and Quebec have PIPAs (and guidance from provincial privacy commissioners) governing employee privacy. If the incident involves health information in Ontario, the Ontario Personal Health Information Protection Act generally applies. (As in the US, there may also be liability for a security incident under tort or contract law, but the focus here is on laws and guidance concerning breach notice.)
Is Breach Notice Required under Canadian Privacy Laws?
PIPEDA does not explicitly address security breach notice to affected individuals or to the relevant privacy commissioner. However, PIPEDA (like the provincial PIPAs) regulates the authorized “collection, use or disclosure” of personal information, and lost or stolen personal information may be deemed an unauthorized collection or use of data, or, from the perspective of the responsible organization, an unauthorized “disclosure” of personal information.
Specifically, PIPEDA holds an organization “responsible for personal information under its control” (Sch. 1, sec. 4.1) and requires the organization to designate one or more individuals who are “accountable” for the organization’s compliance (Sch. 1, secs. 4.1.1, 4.1.2). The Act requires the organization to ensure a comparable level of protection, contractually or by other means, when the information is handled by a third party (Sch. 1, sec. 4.1.3). The consent of the individual is required for the collection, use, or disclosure of personal information, except where consent would be “inappropriate” (Sch. 1, sec. 4.3). Personal information is not to be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law (Sch. 1, sec. 4.5). Organizations must protect personal information with “security safeguards appropriate to the sensitivity of the information” (Sch. 1, sec. 4.7). A security breach might be viewed as a violation of any or all of these principles.
PIPEDA does not explicitly include a requirement to notify privacy commissioners or individuals of instances of noncompliance. Organizations are not required to register or report to privacy commissions, as in many European countries, although PIPEDA (like the provincial PIPAs) empowers the privacy commission to “audit” the personal information management practices of any organization if the commission has “reasonable grounds” to suspect a violation (PIPEDA sec. 18). The “openness” principle of PIPEDA and the provincial PIPAs directs organizations to make their personal information “policies and practices” readily available to individuals (PIPEDA Schedule 1, sec. 4.8), and the law provides that organizations must have procedures for receiving and responding to requests for information and complaints (Sch. 1, secs. 4.9, 4.10). Arguably, this may imply openness about known, substantial security failures, and it certainly means that the organization must have procedures in place for fielding any questions about an announced or suspected security breach involving personal information.
Privacy Commissioner Guidelines
Following widely publicized data breaches at a unit of the Canadian Imperial Bank of Commerce and Canadian subsidiaries of the US-owned TJX retail group, the federal Privacy Commissioner, in collaboration with the Privacy Commissioners of Alberta, British Columbia, and Ontario, issued a document entitled “Key Steps for Organizations in Responding to Privacy Breaches” (the “Guidelines”) in late 2007. The Guidelines define a breach as “an unauthorized access to, or collection, use or disclosure of, personal information.” “Unauthorized” refers to an act in violation of PIPEDA or similar provincial legislation, thus tying security breaches to compliance with the laws for which the privacy commissions are responsible. The Privacy Commissioner of Ontario issued similar guidance for health information custodians under the Ontario Personal Health Information Protection Act.
According to the federal Guidelines, an organization that becomes aware of an unauthorized access to personal information should consider the following steps and implement them to the extent necessary to mitigate harm:
1. Breach containment and preliminary assessment (shutting down systems, recovering records, designating a lead investigator, determining who needs to be notified inside and outside the organization, notifying the police of suspected criminal activity, preserving evidence)
2. Risk evaluation (kinds of data involved, causes and risk of further exposure, number and names of affected individuals, who received access to the data and what kind of harm could result)
3. Notification (see below)
4. Prevention of future breaches (security audit, assessment of policies, employee training)
Notification is to be determined on a case-by-case basis including the following factors:
• Individuals should be notified if the breach poses a risk of personal harm, including physical injury, identity theft, fraud, financial loss, loss of business or employment opportunities, humiliation, or damage to reputation or relationships.
• Individuals should be notified “as soon as possible” following assessment and evaluation of the breach.
• The preferred form of notification is direct – by phone, email, or postal mail. Indirect methods (such as media announcements) are appropriate only where direct notification could cause further harm.
• The organization with a direct relationship with the individuals should normally be the one to notify them.
• Notices should generally include descriptions of:
o The incident
o The information compromised
o Actions taken by the organization to mitigate harm
o Resources to help the individuals take protective measures.
• Notification may also be appropriate to other parties such as
o Privacy commissioners
o Police
o Licensing or other regulatory bodies
o Affiliates or business units
o Trade unions
o Third-party contractors affected by the breach
o Insurers
o Credit card issuers.
Unlike American breach notice statutes and regulations, which are legally enforceable, the Guidelines themselves do not have the force of law. Canadian lawyers emphasize, however, that courts are likely to defer to the expert commissions and consult the Guidelines in deciding whether an organization suffering a security breach has violated PIPEDA or a provincial PIPA, or whether the organization has met contractual expectations or a duty of reasonable care under tort law.
Other notable differences between the Canadian approach and US breach notice laws:
• Scope: US laws require breach notice for only certain kinds of unencrypted personal information, with an emphasis on preventing ID theft or protecting medical data. Canada’s PIPEDA and provincial PIPAs cover all personally identifiable information and all forms of harm.
• Encryption: Unlike US laws, Canada’s PIPEDA and PIPAs, as interpreted by privacy commissioners, do not expressly offer a “safe harbor” for encrypted data. However, encryption presumably should be taken into consideration in determining whether there has been “unauthorized access” to the data and whether there is a material risk of future harm.
• Notice to authorities: Some US laws mandate notice to specified authorities, such as law enforcement, regulatory, or consumer protection agencies. The Canadian laws are silent on this, but the Guidelines “encourage” organizations to report to the relevant privacy commission(s) and, where appropriate, to police and regulatory authorities and affected third parties.
• Notice to individuals: US laws make breach notice mandatory under specified conditions, while the Canadian Guidelines simply list factors to consider in determining whether notice is necessary.
• Form of notice: The Guidelines show a strong preference for direct notice to the affected individuals, delivered by the party with the closest relationship to the individuals. Many of the US breach notice laws permit (or require) mass media announcements where large numbers of individuals are involved or it is “impractical” to notify individuals directly.
Ontario’s Personal Health Information Protection Act
Although Ontario has not yet enacted a comprehensive PIPA, its Personal Health Information Protection Act already includes breach notice requirements for custodians of personal health information (sec. 12(2)):
“a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.”
The Act appears to hold a health information custodian in Ontario responsible for breach notice regardless of where the breach occurs. A security breach at an American affiliate or service provider, for example, could trigger notice obligations on the part of the Canadian health information custodian.
Alberta’s Bill 54
While the federal government continues to consider proposed PIPEDA amendments, including provisions that would introduce specific breach notice requirements, the province of Alberta has gone ahead with Bill 54, amending Alberta’s PIPA. The bill, adopted by the legislature last year, has already received Royal Assent and will come into force on proclamation, which is likely to occur in the near future.
Bill 54 is significant for companies operating in Alberta or otherwise handling data concerning Alberta customers or employees. It increases penalties for noncompliance, imposes a duty to destroy personal information when it is no longer needed, and requires notice to individuals before transferring personal information to a foreign service provider, a practice that must also be described in the organization’s personal information management policies and procedures.
Importantly, Bill 54 also requires an organization to notify the Privacy Commissioner of Alberta if personal information under its control is lost, accessed, or disclosed to a third party without authorization and if “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.” The details to be included in such a notice will be prescribed by regulation, and the Commissioner may request additional information concerning the breach.
Once notified, the Privacy Commissioner is authorized to require that the organization provide notice to affected individuals, under terms and conditions that the Commissioner deems appropriate in the circumstances, following an “expedited” procedure. The law expressly permits organizations to notify individuals on their own initiative, but the Commissioner may require additional notice.
If Alberta’s new law is a good indicator of where federal and provincial legislation is headed, companies can expect that significant data breaches in the future will typically involve a prompt notice to the relevant privacy commissioner(s) and some colloquy with their offices before sending notices to individuals in Canada. This represents a level of official involvement beyond what is common in the United States outside the investigation of potentially criminal acts of theft or fraud.
Celebrating Data Privacy from A to Z
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
A is for Advanced Encryption Standard or AES, approved by NIST. Are you encrypting transmissions of sensitive data and portable storage devices? See more below.
B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations. (Also Behavioral Advertising.)
C is for . . . what to Choose? -- Contracts? Cloud Computing? How about California - the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection
D is for Data Protection Authorities in the European Union
E is for the EU Data Protection Directive. Oh, and Encryption, of course. See above and below.
F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)
G is for the Gramm-Leach-Bliley Act and the new model privacy notice form
H is for HIPAA and the HITECH Act, which impose privacy and data security obligations on health care providers and their business associates
I is for the International Association of Privacy Professionals, IAPP
J is for John and Jane Doe, anonymity - is there any such thing?
K is for Kearney v. Salomon Smith Barney Inc, California Supreme Court (2006), requiring two-party consent for recording or eavesdropping on telephone conversations, even if only one of the participants is in a two-party consent state
L is for Legislation -- will there be a federal breach notification law in 2010 (other than HITECH) that will preempt the state data breach notification laws?
M is for Massachusetts and its new data security regulations, 201 CMR 17.00 et seq., effective March 1, 2010
N is for Nevada and its new encryption law, SB 227, effective January 1, 2010
O is for Outsourcing, and the need for due diligence and contractual provisions to safeguard personally identifiable information (and other kinds of sensitive information) shared with third parties. See, e.g., Massachusetts 201 CMR 17.00 et seq. and California Civil Code section 1798.81.5. Oh yes, and don't forget the Cloud in this context - are you putting data in the cloud? Have you done your due diligence?
P is for Personally Identifiable Information or PII -- what IS it anyway? Depends where you live.
Q is for Questions, Q & A, and the Q in FAQ: ASK QUESTIONS early and often about how your organization will use personal information of customers and/or employees in its business operations.
R is for Radio Frequency Identification or RFID and locational privacy issues - should organizations be able to use RFID to track customers/products?
S is for SO many things -- Social Networking, Social Security numbers, Surveillance, Spam, . . .
T is for Telemarketing, Text Messages, and the TCPA -- do you have opt-in for your mobile marketing campaigns?
U is for the UK ICO, which will order companies to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act
V is for the Video Privacy Protection Act or VPPA, the basis for a recent privacy class action filed against Netflix in the Northern District of California
W is for Website Privacy Policies, required under California law for any website that collects information from California residents, Cal. Bus & Prof. Code section 22575 et seq. When was the last time you updated yours? Is it accurate?
X is for XXXXX -- Redact the information!
Y is for Yes, You can implement a successful data protection program in Your organization
Z is for Zango, the adware distributor that settled FTC charges that it used unfair and deceptive methods (FTC Act Section 5) to download adware and block consumer efforts to remove it
Happy Data Privacy Day!
Legal Implications of Cloud Computing -- Part Two (Privacy and the Cloud)
Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues. What is the cloud? Why is everyone in the tech community talking about it? Why do we as lawyers even care? Dave provided a few things for our readers to think about -- privacy, security, e-discovery.
Now, let's dig a little deeper.
I am going to start with privacy and cross-border data transfers. Is there privacy in the cloud? What are the privacy laws to keep in mind? What are an organization's compliance obligations? As with so many issues in the privacy space, the answer begins with one key principle -- location, location, location. For those of you who prefer to listen, check out my recent webinar on International Regulatory Issues in the Cloud, or you can download the slides (PPTX). For everyone else, read on after the jump.
In the world of the cloud, location appears to be irrelevant. In the cloud, data effortlessly flows around the globe, ignoring boundaries and time zones, and magically appears on demand. Not surprisingly, the existing legal structure is far from prepared for the reality of existing technology. Every jurisdiction has its own laws, and its own compliance requirements. As that data instantaneously circumnavigates the globe, it may already be too late to comply with privacy laws in every jurisdiction.
You have undoubtedly heard that the laws of this country are like a patchwork quilt. They have popped up in certain sectors (financial, health) and with respect to certain types of sensitive information (e.g., kids' data). There are federal laws like Gramm-Leach-Bliley (applicable to financial institutions), HIPAA (applicable to health care providers and others dealing with health information and related entities), COPPA (applicable to data of children under 13 collected online), and the USA Patriot Act (may be applicable to foreign companies that work with cloud providers that allow data to reside in or flow through the US). In addition, we have a panoply of state laws requiring notification in the event of a breach of sensitive information and, in some cases, requiring the implementation of safeguards to protect sensitive information and/or secure disposal of such information.
By contrast, the European Union has a comprehensive privacy framework, the EU Data Protection Directive. Each member state has its own unique law implementing the Directive. The most notable thing about the EU Directive and member state laws for purposes of cloud computing is this -- in the absence of specific compliance mechanisms, the EU prohibits (yes, you read correctly, prohibits) the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.
What does this mean for cloud computing? If you want to put data in the cloud that includes personal information of EU residents (and that might be something as simple as an email address or employment information), and the data will flow from the EU to almost anywhere in the world, you cannot simply throw the data in the cloud and hope for the best. You need to have, at a minimum, one or more of the following:
- International Safe Harbor Certification (which allows data transfer from the EU to the US, but not from the EU to other countries);
- model contracts (which allow data transfer from the EU to non-US countries, but do not always work well with multi-tiered vendor relationships); or
- Binding Corporate Rules (which are designed for a multinational company and therefore may not function well for cloud provider relationships).
So, what does this tell us? All of the stakeholders within an organization should be part of the cloud discussion and due diligence -- IT, legal, information security, and all of the relevant business groups. And those stakeholders, in investigating a potential cloud relationship and in negotiating the terms of a relationship with a cloud provider, should consider and pose the following questions internally and to the vendor long before any contract is signed:
- What kind of data will be in the cloud?
- Where do the data subjects reside?
- Where will the data be stored?
- Where are the servers?
- Will the data be transferred to other locations and, if so, when and where?
- Can certain types of data be restricted to particular geographic areas?
- What is our compliance plan for cross-border data transfers?
Is that the end of the inquiry? No, it is just the tip of the iceberg, but it is a good start.