Information security is one of the most pressing concerns for businesses today. The high level of criminal activity involving personal information (sometimes leading to ID theft or account fraud) affects every company that maintains personal information, whether customer or employee data. In addition, the publicity surrounding the many high-profile data breaches during the past year has focused CEOs and boards of directors on this topic. Information security is no longer an issue that is relegated to the dusty basement.
1. Security Breach Notification
In the U.S., when there is a security breach involving unencrypted, computerized sensitive personal information (such as Social Security or credit card numbers), the company that maintains the information must notify every individual whose data was reasonably likely to have been compromised. Because the statutes generally reach only unencrypted data, encrypting sensitive data at rest is not just a security control; it can take many incidents outside the notification requirement altogether. There currently are over 30 state security breach notification laws. While they are similar, they are not harmonized, and this lack of uniformity makes compliance in the event of a security breach a logistical nightmare.
How do the state laws differ? First, the type of information covered by the laws varies from state to state. In addition, in some states, there is a harm threshold for notification -- that is, an entity that experiences a data breach does not need to provide notification in certain states unless there is a "substantial" or "reasonable" risk of harm. In other states, there is a private right of action so that individuals can sue if an entity does not provide the required notice. In yet other states, an entity that experiences a data breach must notify the state attorney general. These are just a few examples of the legal nuances that make compliance with over 30 state security breach laws daunting.
The federal government is likely to step in to resolve the lack of consistency among the states. In 2007, with a Democratic Congress at the helm, we are likely to see a federal breach notification law that preempts state law. In addition to U.S. initiatives, officials in the E.U. and Canada have taken up the issue of breach notification. In the E.U. in particular, there is a proposed directive that would require certain entities to provide notification to individuals if their data were compromised.
2. Information Security Requirements
In the U.S., most businesses are not subject to any federal requirement to safeguard personal information. Outside the financial services sector (regulated under the Gramm-Leach-Bliley Act) and the health care sector (regulated under HIPAA), no federal statute requires an entity to keep the personal data it holds secure. In 2007, Congress is likely to pass a federal law requiring all entities that maintain sensitive personal information to implement a comprehensive information security program. Such a law probably will resemble the security standards currently in place for financial institutions, requiring businesses that handle sensitive data to develop administrative, technical and physical safeguards to protect the data.
3. Privacy Litigation and Enforcement
To date, there have been surprisingly few lawsuits brought in connection with information security breaches and other privacy events. But plaintiffs are becoming more creative in pursuing new grounds for lawsuits and bolder in bringing actions against major global entities. We are likely to see a rise in litigation and more willingness on the part of courts to grant relief to plaintiffs.
Recently, the Federal Trade Commission formed a new division to handle privacy and data security matters (called the Division of Privacy and Identity Protection). This indicates a new focus by the FTC on privacy and data security matters. Indeed, the FTC considers privacy and data protection to be a central part of its consumer protection mission. We will likely see more FTC privacy investigations and enforcement actions against companies that have suffered serious security lapses or data breaches.
4. New Privacy Laws Overseas
While many countries have extant privacy regimes, a number of high-profile countries do not yet have comprehensive data protection laws in place. In 2007, we are likely to see serious discussions about a new privacy law in China. In addition, reacting to a number of significant data breaches, India will likely amend its existing rules to enhance security requirements and penalties for data compromises.
5. Data Sharing to Combat Terrorism
There has been significant confusion surrounding the sharing of information both among governments and between the private sector and governments for use in anti-terrorism activities. There are inadequate guidelines globally to assist companies in determining to which jurisdiction they are subject and whether sharing data with one nation will violate the laws of another nation. There will likely be extensive dialogue about this issue on a global level. Given the global nature of information, this issue cannot be governed by individual countries' laws but instead must be managed through agreement among the nations.
Conclusion
Privacy and data protection laws are evolving rapidly. The number of regulatory enforcement and individual privacy actions is increasing. Individuals are growing more aware of and concerned with protecting their privacy. We can anticipate more high-profile privacy events, putting this area even higher on the corporate compliance agenda. Companies would be well advised to prepare for the onslaught.
Lisa J. Sotto is a partner in the New York office of Hunton & Williams and heads the firm's Privacy and Information Management practice. She also serves as Vice Chair of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Ms. Sotto has testified before Congress and an executive branch agency on privacy and data security issues. She writes and speaks extensively on these topics. Ms. Sotto can be reached at [email protected]