Books and Journals The ABA Compliance Officer's Deskbook (ABA) 13 Privacy and Data Security

13 Privacy and Data Security1

13.1 Introduction

Privacy was classically defined as the "right to be let alone"2 from government surveillance and the prying eyes of your neighbors. With the advent of the information age, and the casting-off of bits of personal information in nearly all commercial transactions, content consumption, and mediated social interactions, privacy is as much about control over what information is collected, how it is stored, and when and by whom it is used. As the ability to collect and aggregate disparate bits of data about consumer behavior continues to increase, and with it the ability to associate that data with specific individuals, companies that collect, store, aggregate, use, and transmit such data face increasing scrutiny and regulation aimed at giving consumers greater control over their informational privacy.3

The United States does not have a comprehensive privacy regime. Rather, U.S. privacy and data security law is largely a conglomeration of disparate, overlapping, and evolving legal rights and requirements aimed at protecting sensitive or personal information. Privacy and data security requirements extend to the collection, storage, use, security, sharing, and disposal of protected information. Despite some overlap, privacy protections at their core focus on the appropriate use and sharing of protected data, while data security protections focus on storing, securing, and disposing of protected data.

Because privacy and data security requirements vary by industry, data type, state, and country, it is important that compliance officers be familiar with the kinds of data handled by the company, as well as the jurisdictions where the company not only does business but stores data. This chapter provides an overview of U.S. laws, as well as several prominent international privacy and data protection laws. It concludes with several practical pointers for compliance officers.

13.2 U.S. Privacy Protections

Privacy laws in the United States seek to protect specific forms of sensitive information traceable to a specific person. Generally, personally identifiable information includes "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."4 In the United States, however, there is no comprehensive national privacy framework. Rather, at the federal level, there are disparate privacy laws and regulations that govern specific industry sectors, the kinds of data collected, and particular usage. Some of the sectoral laws companies are most likely to encounter include the following:

• The Cable Communications Policy Act, 47 U.S.C. § 551. The Cable Communications Policy Act requires cable operators to advise customers of the personally identifiable information they collect, limits the use and disclosure of that data, provides customers with the opportunity to inspect the data, and requires the deletion of the data.5 The Federal Communications Commission (FCC) is primarily responsible for enforcing the Cable Communications Policy Act.
• The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6506. COPPA imposes liability on website and electronic service operators for the collection of "personal information" from children.6 The Federal Trade Commission (FTC) is the primary enforcement agency for COPPA.
• The Communications Act, 47 U.S.C. §§ 151, et seq. The Communications Act imposes liability on telecommunications carriers for disclosure of customer proprietary network information (CPNI), including information that relates to the quantity, technical configuration, type, destination, location, and amount of use of telecommunications services, and information contained in billing statements such as call detail and calling plan information.7 The FCC is responsible for enforcing the Communications Act.
• The Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721, et seq. The DPPA prohibits, among other things, any person from knowingly obtaining or disclosing personal information from a motor vehicle record, absent a permissible use, or using false statements to obtain motor vehicle records.8
• The Electronic Communications Privacy Act (ECPA), Pub. L. No. 99-508, 100 Stat. 1848 (1986). Among its various protections, ECPA contains three distinct privacy regimes: the Wiretap Act, 18 U.S.C. §§ 2510-2522; the Stored Communications Act, 18 U.S.C. §§ 2701-2709, 2711; and the pen register and trap and trace provisions, 18 U.S.C. §§ 3121-3127.
  • The Wiretap Act protects all persons from the interception in transit of the content of their oral, wire, or electronic communications (or the disclosure of intercepted communications), subject to enumerated statutory exceptions.9
  • The Stored Communications Act (SCA) governs electronic communications services (any service that provides users the ability to send or receive wire or electronic communications) and remote computing services (services that provide computer storage or processing services by means of an electronic communications system).10 The SCA protects basic subscriber information (name, address, phone connection, duration records, length of service, and instrument identifier), along with the content of communications, and certain noncontent records and information, such as access and viewing history.11 The SCA prohibits unauthorized access to stored communications, and the disclosure of such communications to third parties, absent a statutory exception.12
  • The pen register and trap and trace provisions protect all persons from the installation of a pen register or trap and trace device designed to capture the noncontent information of oral, wire, or electronic communications, except as authorized by statute.13
• The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681 to 1681t. Among other things, the FCRA aims to protect consumer privacy with respect to credit reports and transactions.14 The FCRA limits the circumstances under which a "consumer reporting agency" may furnish a consumer report. In short, consumer reporting agencies may only provide credit reports to individuals or entities with a valid need.15 Consumer reporting agencies have been broadly defined as any person or entity that regularly engages in the practice of assembling or evaluating consumer credit information or providing consumer reports.16 Consumer reports include "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living" that are used to establish credit or insurance eligibility, employment, or another enumerated statutory purpose.17 Consumers are entitled to know the information about them contained in their files, as well as know when a consumer report has been used to deny an application for credit.18 Consumers also have the right to correct inaccurate information in their reports, and consumer reporting agencies are required to correct or remove inaccurate, incomplete, or unverifiable information.19 The FCRA also prohibits the printing of either credit card numbers beyond the last five digits, or the expiration date on receipts in point-of-sale transactions.20
• The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 C.F.R. §§ 99.1-99.67. FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. FERPA protects the privacy of education records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution.21 Ordinarily, education records may not be disclosed without written parental consent.22 FERPA, however, does allow disclosure without consent to providers of institutional services. Institutional service providers are contractors, consultants, volunteers, or other parties to whom an agency or institution outsources functions, such as IT services or legal advice, for which the educational institution could otherwise use its own employees, provided that the service provider is under the direct control of the educational institution and complies with the use and disclosure provisions of FERPA.23 FERPA is enforced by the U.S. Department of Education.24
• The Financial Services Modernization Act (or Gramm-Leach-Bliley Act) (GLBA), 15 U.S.C. §§ 6801-6809. The GLBA governs financial institutions, and third parties that provide services for or functions on behalf of a financial institution.25 The GLBA protects any personal information collected by a financial institution in connection with providing a financial product or service, unless the information is otherwise publicly available.26 Covered entities may not disclose such information absent customer consent, which can be obtained by notice of disclosure and the opportunity to opt out, or pursuant to the terms of the originating institution's privacy policy, or other statutory exception.27
• The Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996).28 HIPAA applies to health care clearinghouses, employer-sponsored health plans, health insurers, certain medical service providers, and their business associates, which are defined as a "person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."29 HIPAA covers "protected health information" (PHI), which is any information held by a covered entity that concerns health
...
