Kerry Releases Draft of "Privacy Bill of Rights"

A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

  • First name (or initial) and last name;
  • Residential address;
  • E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
  • Telephone or mobile device numbers other than those considered work contact numbers;
  • Social security numbers and other government-issued identification numbers;
  • Credit card numbers;
  • Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
  • Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

  • Birth date, birth or adoption certificate number, or place of birth;
  • Unique persistent identifiers (not limited to those used to identify a specific individual);
  • Precise geographic location; and
  • Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information, as well as notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

  • The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
  • The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
  • The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

  • To process a transaction or service requested by that individual;
  • To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
  • To prevent or detect fraud or to provide for a secure environment;
  • To investigate a possible crime or that is required by law or legal process;
  • To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
  • Necessary for the improvement of the transaction or service through research and development; or
  • Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).


A Novel Data Security Law Proposed in Colorado

There has been a lot of buzz around various privacy and security bills presented on the Federal level, including the reintroduction of the BEST PRACTICES ACT and a new privacy bill put out by Congresswoman Speier that brings "do-not-track" into the fray (not to mention the previously introduced Boucher Bill, which is now missing its named sponsor). Yet, for the most part, these types of bills have languished on the Federal level, while interesting new approaches race ahead from State legislatures (see, for example, SB1386, Minnesota’s Plastic Card Protection Act, Massachusetts’ 201 CMR 17:00, et seq., Nevada’s Security of Personal Information Law, and Washington state’s PCI Law). Over the past couple of years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation with 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.

UPDATE -- 022810: Apparently there has been a committee vote on the Colorado bill that was split 5-5 along party lines. As such, this bill will not move forward in this session.

Colorado HB 11-1225 – An Information Security Carrot

Regulation is achieved via the “carrot” or the “stick” (and sometimes both). This is true in the information security context as well. For example, to incentivize encryption of personal information, breach notice laws use a stick: those that fail to encrypt may have to provide notice to affected individuals in the event of a security breach. In the credit card breach context, a Washington state law provides banks with a stick (e.g. the right to seek fraud and reissuance expenses from breached merchants), but also provides those merchants with a shield to block that stick (e.g. validation of PCI compliance blocks a bank’s ability to recover). In HB 11-1225, Colorado state legislator, Dan Pabon, apparently wants to give the carrot a chance. In the process, I am told that part of the goal is to make Colorado the “Delaware” of data storage. Here is how it works.

Immunity from Liability. Under HB 11-1225, if certain conditions are met (discussed below), a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes “personal information” shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith, and not grossly negligent or willful and wanton. So essentially, this would provide immunity from negligence claims. In order to receive this protection, two conditions must be satisfied: (1) the breach must have been caused by an unauthorized third party, or an employee or agent acting outside the scope of his employment; and (2) the person or entity must have been certified by a “qualified information technology auditor or assessor” as having used “best practices of data security and meeting information technology standards” established by an authorized state entity.

Rebuttable Presumption of Non-Negligence. Even if a breached organization has not been certified as compliant with best practices/information technology standards, it can achieve certain protections under the bill. In court, an organization can establish a rebuttable presumption that it was not negligent if it can produce evidence that the organization implemented best practices and was compliant with technology security standards established pursuant to the bill.

Consumers’ Right to Petition Court for Subpoena. The bill allows persons whose personal information was compromised, or who are victims of a computer crime, to petition a court to compel the breached organization or any third party to produce “any” information concerning the unauthorized access to personal information or the computer crime. This information may be obtained in order to facilitate the detection, apprehension and prosecution of the computer crime or breach.

Key Definitions. “Personal information” as defined under the bill is broader than definitions in most breach notice laws. One defined category of personal information is information that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value, or to make a financial payment, including personal identification number, credit card number, banking card number, checking account number, etc. Personal information is also defined as information that can be used, alone or in conjunction with other information, to identify a specific individual, including name, date of birth, social security number, government ID, passport number, etc.

In order to be a “qualified information technology auditor or assessor” one must be certified by a nationally recognized organization or association as having expertise in data security, and cannot have any convictions involving moral turpitude offenses. The bill indicates that the CIO of the State of Colorado is required to establish an entity to maintain a list of the nationally recognized IT associations that may certify a person’s qualifications in data security systems for purposes of the bill.

Establishing Best Practices and Information Technology Security Standards. One of the key challenges for implementing HB 11-1225 (should it become law in its current form) is going to be the establishment of best practices and IT security standards. On this issue the bill requires the CIO of the State of Colorado to create an “entity” to establish these best practices and standards for commercial entities and persons that own, license or maintain computerized data that includes personal information. The bill does not provide additional guidance as to how those best practices shall be determined, or whether there will be one set of best practices that will apply to all entities (regardless of size, complexity or resources).

Analysis and Observations

Novel approaches to information security and privacy legislation are, of course, welcomed. The questions remain, however. Will it work? Will it pass? Unclear at this point. Below are a few observations pertaining to these questions.

  • Does a duty exist to safeguard personal information under common law negligence principles? Surprisingly, at this point we have very little case law directly on point that delves into this issue. However, an Illinois appellate court recently ruled that a common law duty to safeguard personal information did not exist. In contrast, we are aware of cases that did find a duty to secure personal information, but both were in the banking context and were arguably based mainly on the expectations that arise in that context (e.g. banking customers are specifically providing their money to banks for safeguarding, among other reasons). If, indeed, no case law establishing such a duty exists in Colorado, the question becomes whether the existence of a law providing immunity for negligence implies that the duty exists. Worse (from the company point of view), it is possible that the best practices established under the bill could end up establishing a standard of care, in and of themselves (where one may arguably not exist).
  • Even if such a duty does exist, do the “good faith” and “gross negligence” exceptions effectively eat the immunity? In the wake of a data breach where a plaintiff’s attorney has filed a lawsuit, you can bet that any and all potential theories of liability will be alleged. That of course may include allegations of gross negligence and “bad faith.” One of the benefits of HB 11-1225, assuming only a negligence claim is alleged, would be the ability of defendants to have lawsuits dismissed early, perhaps in a motion to dismiss or motion for summary judgment phase. However, if gross negligence, bad faith or other non-negligence claims are alleged, the plaintiff may have a better chance to get past early motions to dismiss. If that is the case, plaintiffs will still have litigation leverage (regardless of whether they have a truly winning case). In fact, we are aware of one case in Federal court in Michigan that allowed a case to go to trial based on the issue of "good faith" behavior in the context of security. These “exceptions,” therefore, could undermine the effectiveness of the immunity granted in HB 11-1225. Of course, much more research is necessary to look into these issues.
  • Is the jurisdictional scope of the immunity too narrow? At this stage in the game a large percentage of companies, big and small, conduct business with residents of more than one state (and in many cases all 50 states), and even with people residing outside of the United States. While HB 11-1225 may provide immunity from negligence claims for cases contained in Colorado, it may not help with lawsuits, for example, filed in other jurisdictions or Federal court where Colorado law is not the choice of law. So, if the goal of the law is to become the "Delaware of data storage", it may not be effective to shield companies that deal with personal information from non-Colorado states. That all said, there may be jurisdictional arguments that would preclude plaintiffs residing in other states from pursuing a company storing data in Colorado (although making and prevailing in such arguments in court can be an expensive process in and of itself). In addition, a choice of law provision in contracts with out-of-state counterparties might also do the trick to keep the immunity intact.
  • Can the “entity” established by the State actually establish best practices that can work universally and result in good security? Legislating security controls is not an easy task. Two general approaches are typically used. One approach does not require specific controls, but rather mandates “reasonable,” “adequate,” “comprehensive” or “appropriate” security. The other method is more prescriptive in its approach, and seeks to require specific controls that certain entities must implement (e.g. Massachusetts’ and Nevada’s personal information security laws). The risk of a prescriptive approach is the “check list” mentality whereby organizations simply address the specific requirements and don’t actually worry about truly securing themselves (this is a criticism of PCI, the ultimate prescriptive standard). However, even those taking a prescriptive approach may reference various risk factors that relate to the sensitivity of the data and the size, complexity and resources of the company trying to comply. The challenge for the entity developing these best practices is to provide enough clarity/certainty so companies have confidence that they are truly in the safe harbor, and yet to provide enough flexibility to allow companies of all shapes and sizes to get into the safe harbor in a relatively cost-efficient and realistic fashion. The failure to solve this problem could undermine the efficacy of the legislation if it is perceived to be unfair or discriminatory to small and medium-sized businesses who may have neither the expertise nor resources to implement a highly prescriptive set of controls.
  • A Shift of Liability to the Auditors? On the one hand, this bill may serve as a business bonanza for IT security auditors who are called in to validate compliance with the best practices laid out by the act. On the other hand, a mistake in validating the compliance of a company that suffers a breach could potentially lead to a lawsuit against not only the breached company, but the auditor as well. While a third party affected individual may have difficulty holding an IT security auditor liable without a contract, precedent may exist by analogy to accountants. Moreover, there is at least one known case (Merrick Bank v. Savvis) where an IT assessor (in this case a payment card security assessor) was sued by a party that allegedly relied on its compliance findings. So, from a “passability” point of view, does the IT security assessment community get on board or do they demand some of their own immunity in exchange for supporting this bill?

Conclusion

Overall, Representative Pabon’s bill represents a very interesting approach to data security regulation, and we applaud his efforts and creativity. There may be some hurdles to overcome to see this passed, and a vigorous debate on its mechanics is necessary. We will keep you up to date on its progress.

FAQ on the "BEST PRACTICES Act" - Part Two

We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill, known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (a.k.a. “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, various exemptions for de-identified information, and application and enforcement of the Act.

What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?

This appears to be a novel mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self-regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:

  • the express affirmative consent obligations in 104(a);
  • the requirements of access to information under section 202(b) of the Act; or
  • liability in a private right of action brought under section 604 of the Act (discussed below).

Avoidance of the Act’s private right of action is especially significant in this context.

How does the “Choice Program” work?

It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a. Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modification must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision or failure to act within the 270-day period to a U.S. District Court.

The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.

This section is very interesting as it appears to allow for some regulatory flexibility and recognizes the limitations of a one-size-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more closely fits their business model/industry (while of course still providing the protection and choice the Act seeks to impose).

What are the requirements of a Choice Program under section 403 of the Act?

In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:

  • a clear and conspicuous opt-out mechanism that, when selected by the individual, prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable individuals to make more detailed choices about the transfer of covered information to a third party; and
  • a clear and conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preferences would have to be followed by all covered entities in the Choice Program.

I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entities can agree to provide individuals with a set of choices, the individual does not have to constantly make a choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between businesses and individuals seeking to protect their privacy and more efficiently control their information.

In addition, a Choice Program will be approved by the FTC only if it establishes:

  • Guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;
  • Procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process);
  • Procedures for periodic assessment of the Choice Program’s procedures;
  • Periodic compliance testing of covered entities participating in the Choice Program; and
  • Consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC).

Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body to be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.

Are there any types of information or activities exempted from regulation by the Act?

Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:

  • Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or
  • Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).

May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?

Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:

  • refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information; and
  • obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.

Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?

Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from information stripped of identifying information (as referenced in section 501(a)(2)). In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.

How does the Act relate/interact with other Federal privacy laws?

Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, the CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts may find themselves with the need to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.

How is the Act to be enforced by government agencies?

Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I – III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.

Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general, penalties may be available for every day that a covered entity is not in compliance with the Act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.

Does the Act provide a private right of action?

Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:

  • the greater of actual damages of not less than $100 and not more than $1000;
  • punitive damages; and
  • in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.

Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.

Does the Act preempt similar State laws?

The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information addressed in the Act.” However, the Act specifically would not preempt any of the following State laws:

  • State laws that address the collection, use or disclosure of health information or financial information
  • State breach notice laws
  • State trespass, contract or tort law; or
  • Other State laws to the extent that those laws relate to acts of fraud.

When would the Act come into effect if passed into law?

The Act, if passed, will take effect 2 years after the date it is enacted. However, the FTC has the option to stay enforcement of the Act in order for the FTC to establish the parameters of the Choice Program under title IV.

FAQ on the "BEST PRACTICES Act" - Part One

Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards” Act (a.k.a. “BEST PRACTICES Act” or “Act”). Congressman Rush has been active in the data security/privacy legislation space. In December of 2009, his “Data Accountability and Trust Act” (or “DATA Act”) passed the House of Representatives. While DATA focused more on data security and breach notice, the stated focus of the BEST PRACTICES Act is as follows:

To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.

This Act comes on the heels of the Boucher Bill, which also represents a comprehensive data privacy approach (for more information on the reactions to the Boucher Bill you can look here and here).

We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act. Final note: this is not a law, but rather only a bill -- if passed at all, it is likely that the final version will vary from this initial proposal.

What kinds of entities does the Act apply to?

The Act defines “covered entities” to mean any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information.  However, section 601 of the Act limits the application of the Act to only those persons over which the Commission has authority pursuant to section 5(a)(2) of the FTC Act (Note:  this section previously indicated that the Act applied to all persons engaged in interstate commerce [which is in the definition of covered entity]; the error was noted by a reader and the correction made here). Covered entities do not include any divisions of Federal or state government or some entities that meet specified criteria (e.g. store less than 15,000 records; collect less than 12,000 records in a year, etc.; see definition of “covered entity” for more detail).

Observations:  Significantly, it does not appear that the definition of covered entity makes the traditional distinction between data owner/controller and service provider/processor. As such, service providers may be directly subject to the Act as a result of collection or storage of covered/sensitive information on behalf of their customers.

What kinds of information does the Act regulate?

The Act regulates “covered information” and “sensitive information.”

“Covered information” includes such information elements as first name or initial and last name, postal address, email address, telephone/fax number, government issued identification numbers (e.g. tax ID, driver’s license number, etc.), financial account numbers, credit/debit card number, access codes/passwords, “unique persistent identifiers” used to collect, store or identify information about a specific individual or create a profile (e.g. customer numbers, IP addresses, unique pseudonym), and any information collected, stored, used or disclosed in connection with the foregoing information. Section (B) of the definition also lists a number of important exclusions concerning certain business-related information.

“Sensitive information” means information associated with covered information of an individual that relates directly to the individual’s medical history or health, race or ethnicity, religious beliefs/affiliations, sexual orientation/behavior, financial information (income, assets, liabilities, etc.), a person’s geolocation information, unique biometric information or social security number.

Observations: The definitions of information regulated under the Act go well beyond any U.S. definition of personally identifiable information. For example, the “traditional” definition of PII normally requires first name and last name combined with additional information such as financial account numbers. The definition of “covered information” in the Act does not require such a combination – each data element stands on its own and may not need to be tied to or identify a specific person. If I, as an individual, had an email address that was wildwolf432@hotmail.com, that would appear to satisfy the definition of covered information even if my name was not associated with it.

The definition of “sensitive information” echoes similar definitions under the EU Data Protection Directive and other laws based on an EU model. Interestingly, however, it also specifically includes geolocation information (which some believe may become a larger privacy issue with the prevalence of mobile computing and smartphones).

How does the Act promote transparency about the commercial use of information?

Section 101 of the Act purports to promote transparency by requiring covered entities to provide certain information about the covered entity’s information practices and the individual’s options with respect to such practices, including:

  • the identity of the covered entity
  • description of covered/sensitive information collected or stored by covered entity
  • the specific purposes for which the covered entity collects and uses the covered information, including how the covered entity customizes products/services/prices based on such information
  • the specific purposes for which covered/sensitive information may be disclosed to third parties and the categories of third parties who may receive such information
  • the choice and means for limiting the collection, use and disclosure of covered/sensitive information
  • a description of the information any individual may request access to and the means for making such a request
  • how the covered entity may merge, link or combine covered/sensitive information
  • the retention schedule for covered/sensitive information including whether the entity will retain information permanently
  • whether the individual can direct the deletion of information collected from or about the individual
  • a reasonable means for individuals to contact the covered entity regarding its handling of covered/sensitive information
  • the process by which the covered entity notifies individuals of material changes to its practices or policies
  • a hyperlink to the FTC’s online consumer complaint form or the FTC’s toll-free number for the Commission’s Consumer Response Center
  • the effective date of the privacy notice.

Observations: While much of the notice requirements of the Act parallel the Fair Information Privacy Principles, one could argue that the Act also includes notice elements that appear to go beyond such principles. These additional elements also appear to address current issues that some believe may pose privacy problems. For example, it is interesting that notice is required concerning where/how information will be merged or combined with other data. The retention schedule requirement is also interesting as it may address concerns that some have about some companies retaining data too long.

How must the notice required under the Act be provided?

Under section 102 of the Act, the notices described in the prior FAQ must be “concise, meaningful, timely, prominent, and easy-to-understand” in accordance with FTC regulations authorized under the Act that will be published later. Notices must be retained for six years from the later of the date the notice was issued or the date it was last in effect.

Is notice required for “in-person transactions”?

Under section 103 of the Act, it appears that the notice and information referenced above is not necessary for “in-person transactions,” but only if the covered information is collected for an “operational purpose” (e.g. for the purpose of providing goods or services, managing operations, compliance with legal obligations or protection against risks and threats) or if the covered entity is only collecting name, address, email or phone/fax and does not share the information or use that information to acquire additional information about the individual from third parties.

Observations: Notably, the Act does not indicate that covered information needs to be collected solely for operational purposes. Based on the current wording, one could argue that if covered information was collected for both operational purposes and marketing purposes, it could fall under the “operational purposes” exception.

Are covered entities required to get consent from individuals for the collection and use of covered information?

Yes, under section 103 of the Act covered entities must provide “opt-out” consent in order to collect or use covered information (except for the collection or use of covered information for operational purposes). The Act indicates that a covered entity shall be considered to have obtained proper consent if it has provided the notice required under the Act, provides a reasonable means to exercise an opt-out right and decline consent; and the individual either affirmatively grants consent or does not decline consent.

The consent shall be considered permanent unless otherwise directed by the individual. However, the covered entity must provide an individual with a reasonable means to decline or revoke previously granted consent at any time.

A covered entity may also provide individuals with the ability to decline consent for specific uses of his or her personal information, but only if the individual has been given an opportunity to broadly opt-out of all collection and use of covered information.

May covered entities collect or use covered information as a condition of an individual’s receipt of a service or other benefit?

Yes, but only if: the covered entity has a direct relationship with the individual; the information is not shared with any third party without the express affirmative consent of the individual; the covered entity provides a clear, prominent and specific statement of the specific purposes for which covered information will be used; the individual provides consent by acknowledging such uses; and the individual is able to later withdraw consent.

Are covered entities required to get consent from individuals for the disclosure of covered information to third parties?

Yes. In general, a covered entity may not disclose information to a third party unless it has received express affirmative consent from the individual prior to disclosure. However, some exceptions apply. For example, no such consent is necessary for joint marketing activities as long as the covered entity has entered into a contract with the third party that prohibits the disclosure of the information except as necessary to carry out the joint marketing relationship.

Are covered entities required to get consent from individuals for the collection, use or disclosure of sensitive information?

Yes. In general, under section 104 of the Act, a covered entity may not collect, use or disclose sensitive information to a third party unless it has received express affirmative consent from the individual.

Does the Act put any limitations or restrictions on behavioral advertising or tracking an individual’s Internet browsing activities?

Yes. Under section 104 of the Act, covered entities may not use software or hardware to monitor all or substantially all (a.k.a. “comprehensive online data collection”) of an individual’s browsing activity (or other significant Internet or computer activity), and may not collect, use or disclose information concerning that activity unless certain conditions are met.

Covered entities may engage in comprehensive online data collection if: they receive the express written consent of the individual or for the purpose of making such information accessible to the individual for the use by the individual.

Are there any exceptions to the consent requirements of the Act?

Yes, exceptions exist under section 106 of the Act.

Covered entities may disclose information to a service provider as long as it has obtained the initial consent to collect information and contractually prohibits the service provider from disclosing the information other than for purposes of carrying out the purpose for which the information was disclosed. However, the Act indicates that the covered entity remains responsible and liable for the protection of the information transferred to a service provider for processing.

Consent is also not required for collection, use or disclosure necessary for fraud detection, imminent danger or compliance with law.

In addition, consent under the Act is not necessary for the collection, use or disclosure of publicly available information. However, even publicly available information cannot be used by a covered entity for marketing purposes if the individual has opted out of such use.

Do covered entities have any obligation concerning the accuracy of information they collect, assemble or maintain?

Yes, section 201 of the Act requires covered entities to establish reasonable procedures to assure the accuracy of covered information or sensitive information they collect, assemble or maintain. This duty may be further fleshed out as section 201 requires the FTC to promulgate regulations to implement this section. Limited exceptions exist with respect to fraud databases and publicly available information.

Does the Act require the covered entity to provide individuals with access to covered information or sensitive information?

Yes, under section 202, covered entities are required to provide access to such information if such information may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit, or privilege. If the information could not reasonably result in an adverse decision, the covered entity is only required to provide a notice to the individual of the type of information the covered entity typically collects.

In addition, covered entities, upon request, must provide individuals with access to their personal files, but only if the entity stores such file in a manner that makes it accessible in the normal course of business.

However, none of the foregoing obligations apply to information retained for under 30 days.

Is there any time frame by which a covered entity must respond to a permitted access, correction or amendment request?

Yes, in general, under section 202(f), covered entities have thirty days from the receipt of such request to respond.

Does the Act impose any data security requirements with respect to covered information or sensitive information?

Yes, under section 302 of the Act each covered entity and service provider must establish, implement and maintain “reasonable and appropriate” administrative, technical and physical safeguards to:

  • ensure the security, integrity, and confidentiality of the covered information or sensitive information it collects, assembles, or maintains
  • protect against any anticipated threats, reasonably foreseeable vulnerabilities, or hazards to the security or integrity of such information; and
  • protect against unauthorized access to or use of such information and loss, misuse, alteration, or destruction of such information.

The Act requires the FTC to promulgate regulations to implement this section.

Does the Act require covered entities to conduct any risk assessment with respect to its information handling practices?

Yes, under section 302 of the Act covered entities are required to conduct an assessment of the risks to individuals raised by its collection, use and disclosure of covered information or sensitive information prior to engaging in such activities (or if it believes there is a reasonable likelihood that it will engage in such activities), but only if such activities will involve more than 1 million individuals.

Does the Act require any audits or assessments?

Yes, covered entities must conduct periodic assessments to evaluate whether the covered/sensitive information it has collected remains necessary for the purposes described at the time of collection, and whether the covered entities’ ongoing collection practices remain necessary for legitimate business purposes.

Does the Act limit how long a covered entity can retain covered/sensitive information?

Yes, under section 303 of the Act covered entities may retain covered/sensitive information for only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement.

Coming up next in Part Two:  the “Safe Harbor” outlined in the Act, various exemptions for de-identified information and application and enforcement of the Act.


Breaking Down the Boucher Bill

In early May, Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a long-anticipated "discussion draft" of a bill "[t]o require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual." You have probably heard that industry and consumer groups alike are not happy with the discussion draft. What exactly is the Boucher Bill and what would it mean for almost every company engaged in the collection, use or disclosure of personal information (not just companies engaged in online behavioral advertising)? Following is a FAQ. Comments on the draft legislation are due June 4 (mark your calendars).


  • Isn't the Boucher Bill just about online behavioral advertising conducted by large marketers?

No.  The Boucher Bill is proposed federal privacy and data security legislation that is very broad and far-reaching and goes way beyond regulation of online behavioral advertising as defined by the FTC.

  • What would the Boucher Bill prohibit?

Under the Boucher Bill, a "covered entity" would be prohibited from collecting, using, or disclosing "covered information" from or about an individual for any purpose unless the covered entity (A) makes available to the individual a prescribed form of privacy notice prior to the collection of any covered information; and (B) obtains the consent of the individual to such collection in the manner set forth in the Bill.

This is interesting given that many regulators and legislators, including the FTC, have been calling for an end to the notice and consent model when it comes to meaningful privacy choice.

  • What is a "covered entity"?

The Boucher Bill broadly defines a "covered entity" as any person engaged in interstate commerce that collects data containing covered information.  A covered entity would not include a government agency or any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.  Thus, it appears that just about any organization with more than 5,000 employees and/or customers would be a "covered entity" under the Boucher Bill.

  • What is "covered information"?

The short answer is - just about anything that identifies (or even might identify) an individual.  "Covered information" is defined as, with respect to an individual, any of the following:

  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
  7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in 1-9 above.

  • What is a "preference profile"?

A "preference profile" is a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

  • How would a "covered entity" collecting "covered information" provide the required notice?

The answer depends on whether the covered entity collects the information online or offline.

Online:  If a covered entity collects covered information through the Internet, the Boucher Bill requires that it must post a privacy notice clearly and conspicuously on the website through which the covered information is collected.  The privacy notice must be accessible through a direct link from the Internet homepage of the covered entity.  This is very much like California's Online Privacy Protection Act, Business and Professions Code section 22575 et seq. 

Offline:  Unlike California (or any existing state law), the Boucher Bill would require notice even where information is collected offline or by means other than the Internet.  If a covered entity collects covered information by any means that does not utilize the Internet, the Bill requires that notice be made available to an individual in writing before the covered entity collects any covered information from that individual.

  • What information must be included in the privacy notice?

The privacy notice (for online and offline collection) must include all of the following:

  1. The identity of the covered entity collecting the covered information;
  2. A description of any covered information collected by the covered entity;
  3. How the covered entity collects covered information;
  4. The specific purposes for which the covered entity collects and uses covered information;
  5. How the covered entity stores covered information.
  6. How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties [an "unaffiliated party" is any entity that is not related by common ownership or affiliated by corporate control with a covered entity];
  7. How long the covered entity retains covered information in identifiable form;
  8. How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period;
  9. The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose;
  10. The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information;
  11. The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity;
  12. A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information;
  13. The process by which the covered entity notifies individuals of material changes to its privacy notice;
  14. A hyperlink to or a listing of the FTC's online consumer complaint form or the toll-free telephone number for the FTC's Consumer Response Center; and
  15. The effective date of the privacy notice.

This goes far beyond the content requirements of California's Online Privacy Protection Act.

  • Are there any exceptions to these notice requirements?

Yes. The notice requirements would not apply to covered information that (1) is collected by any means that does not utilize the Internet and (2) (a) is collected for a "transactional purpose" or an "operational purpose" or (b) consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a "first party transaction."

  • What is a "transactional purpose"?

A "transactional purpose" is a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

  • What is an "operational purpose"?

An "operational purpose" is a purpose reasonably necessary for the operation of the covered entity, including (i) providing, operating, or improving a product or service used, requested, or authorized by an individual; (ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud; (iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations; (iv) carrying out an employment relationship with an individual; (v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and (vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.  However, "operational purpose" does not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

  • What is a "first party transaction"?

A "first party transaction" is an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

  • Do the consent requirements call for opt-in or opt-out consent?

It depends. 

Opt-out consent is enough in many circumstances.  Under the Bill, a covered entity is deemed to have the consent of an individual for the collection and use of covered information relating to that individual if the covered entity has provided to the individual a clear statement containing the information described above and informing the individual that he or she has the right to decline consent to such collection and use, and the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.  (However, if an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.)  Alternatively, a covered entity may comply by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

However, some situations require opt-in consent:

  1. A covered entity must provide the notice described above and obtain the express affirmative consent of the individual prior to making a material change in privacy practices governing previously collected covered information from that individual or disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.  This would codify existing law that a company may not unilaterally alter its privacy policy and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).
     
  2. A covered entity is prohibited from selling, sharing, or otherwise disclosing covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.  This would represent a fundamental change in existing US privacy law, except in particular narrow sectors.  Further, a covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
     
  3. A covered entity is prohibited from collecting or disclosing sensitive information from or about an individual for any purpose unless the covered entity makes available to such individual the privacy notice described above prior to the collection of any sensitive information and obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.  ["Sensitive information" is any information that is associated with covered information of an individual and relates to that individual’s (A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (B) race or ethnicity; (C) religious beliefs; (D) sexual orientation; (E) financial records and other financial information associated with a financial account, including balances and other financial information; or (F) precise geolocation information.]  This would also be a significant shift in US privacy law, bringing the US much closer to existing stringent privacy protections in the EU.
     
  4. A covered entity is prohibited from collecting or disclosing covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity makes available to such individual the privacy notice described above prior to the collection of the covered information about all or substantially all of the individual’s online activity and obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
     
  5. With certain limited exceptions, any provider of a product or service that uses location-based information would be prohibited from disclosing such location-based information concerning the user of such product or service without that user’s express opt-in consent.

  • Are there any exceptions from these consent requirements?

Yes, but only with respect to the opt-out consent requirements and the opt-in consent requirements under (1) and (2) above.  There are no exceptions to the opt-in requirements under (3), (4) and (5) above.

The opt-out requirements and the Gateway-type opt-in requirements described in (1) above do not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose.

The opt-in requirements described in (2) above do not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first-party transaction if (A) the covered entity has obtained consent for the collection of covered information (opt-out and/or Gateway-type opt-in consent described above); and (B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to the covered entity and not to disclose the covered information to any other person.   [A "service provider" is an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.]

In addition, notwithstanding (2) above, a covered entity may collect, use, and disclose covered information if all of the following conditions are met:

  1. The covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by (A) website interactions on the covered entity’s website or a website where the preference profile is being used; (B) a toll-free phone number; or (C) letter to an address provided by the covered entity;

  2. The covered entity deletes or renders anonymous any covered information not later than 24 months after the date the covered information is first collected;

  3. The covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that (A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual’s preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and (B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and

  4. An advertisement network to which a covered entity discloses covered information does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.

[An "advertisement network" is an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.]

  • Are there any other exemptions under the Bill?

Yes.  The Bill explicitly provides that nothing therein shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

  • What is "aggregate information"?

"Aggregate information" is data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

  • What does "render anonymous" mean?

"Render anonymous" means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify the specific individual to whom such covered information relates or a computer or device owned or used by a particular user.

  • Does the Boucher Bill include any data security requirements?

Yes.  A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the FTC determines are necessary to (A) ensure the security, integrity, and confidentiality of such information; (B) protect against anticipated threats or hazards to the security or integrity of such information; (C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and (D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.  The Bill would therefore extend certain GLBA- and HIPAA-like protections to non-financial and non-health care sectors.

The Bill anticipates that the FTC will develop standards to carry out this section and, in doing so, will consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards. 

The Bill prohibits the FTC, in promulgating rules pursuant to the Bill, from requiring the deployment or use of any specific products or technologies, including any specific computer software or hardware. Thus, the Bill seeks to make any security requirements technology-neutral (similar to the Massachusetts data security regulations and other state data security laws).

  • Does the Boucher Bill say anything about data integrity?

Not exactly.  The Boucher Bill addresses data "accuracy," requiring in very general terms that a covered entity "establish reasonable procedures to assure the accuracy of the covered information it collects."

  • Who would enforce the Boucher Bill?

Not surprisingly, the Bill gives the FTC enforcement power and would make a violation an unfair or deceptive act or practice in violation of the FTC Act.

The Boucher Bill also gives State attorneys general the power to bring a civil action seeking injunctive relief and/or damages.

The Bill explicitly states that it does not provide any private right of action.

  • Would the Boucher Bill preempt state law?

Yes, the Bill would preempt many state laws.  The Bill would supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information. 

The Bill would have no effect on GLBA, HIPAA, COPPA, the CAN-SPAM Act, certain other federal laws, or the FTC's authority pursuant to other laws.