DATA

A guide to US data protection

A mosaic of industry-focused federal data protection measures makes the United States’ regime among the strictest in the world, writes Michelle Reed.

he mosaic of data protection laws in the United States is filled with T various pieces – from federal to state laws and regulations – which blend together to create the whole that invokes privacy protection in the United States. Although there is no overarching federal data protection law like the European Union’s General Data Protection Regulation (‘GDPR’), the requirements surrounding data privacy and cybersecurity are well developed and industry specific. The United States has some of the strictest data breach notification standards in the world and these standards have been in place far longer than most other countries.

Underpinnings of US Data Privacy Law Privacy protections in the United States have existed since the beginnings of the republic. The Constitution enshrines protections against unlawful intrusion into our homes and personal papers in the Fourth Amendment and other limitations on government intrusion into individual privacy in the First, Ninth, and Fourteenth Amendments. ‘The ,’ a 15 December 1890 article in the Harvard Law Review an independent agency authorised to issued its first ‘Framework for Improving authored by attorney Samuel D. Warren enforce against ‘unfair and deceptive Critical Infrastructure Cybersecurity’ in and future US Supreme Court Justice, trade practices’ has been the leader in 2014. The framework continues to be , became the first implicit developing and enforcing privacy updated and tailored to fit specific declaration of a right to privacy in the protections. At the state level, state industries, and version 1.1 of the NIST United States. Privacy protections were attorneys general lead the way with Cybersecurity Framework was released first given to mail and then as new forms enforcing privacy and cybersecurity in 2018. The NIST Cybersecurity of communication developed, standards. Framework is often used as a benchmark protections were extended to the for reasonable cybersecurity controls in telephone, the computer, and eventually both enforcement actions and litigation email. The United States has some matters. Over time, data protection in the of the strictest data breach United States became an intricate mosaic, notification standards in the The FTC with laws and regulations issued by both The Federal Trade Commission Act the federal government (at the national world and these standards (‘FTCA’) 1 is a broad consumer protection level) and state governments (at the state have been in place far longer law that prohibits unfair or deceptive level). Federal law generally preempts practices. The FTC has used this act to state law on the same subject, though than most other countries. bring enforcement actions against there are instances where the state law is companies failing to comply with posted not subject to federal preemption. Some In addition, there are many private privacy policies, unauthorised disclosure laws apply to certain types of industry groups that issue self- of , and failure to enforce information (e.g., financial or health regulatory guidelines and frameworks, reasonable cybersecurity policies. The information) and others apply to use of which have often been used as an FTC’s ability to enforce reasonable information (e.g., telemarketing or enforcement framework for state and cybersecurity protections as an unfair commercial emails). At the national level, federal regulators. The National Institute trade practice was recently limited by the the Federal Trade Commission (‘FTC’), of Standards and Technology (‘NIST’) US Court of Appeals for the Eleventh

1 Trade Security Journal Issue 9 DATA PRIVACY

Circuit, which held that the lack of impose some of the most stringent defined regulations in a cease and desist security requirements of any state law or order did not provide companies with regulation, including a 72-hour data sufficient notice for compliance. 2 Despite breach notification requirement, and this limitation, the FTC continues to be have caused many financial services the preeminent regulator of privacy and companies to take a deeper look at data protection in the United States. compliance.

Industry regulations Credit reporting agencies Data protection regulation in the United In the United States, credit reporting States varies by industry. Industries that agencies collect extensive information have a higher risk profile due to extensive about the creditworthiness of consumers. use of personal data or unique risk of These credit scores and reports can have critical industries are more likely to be collection, use, and disclosure of financial a significant impact on access to credit targeted by regulations. information. and housing. In response to concerns GLB prohibits disclosure of non- about proper protections governing such Healthcare public personal information, which is a powerful tool, Congress passed the Fair As one of the longest standing areas of more broadly defined than personally Credit Reporting Act (‘FCRA’) 9, later regulation, health privacy and identifiable information and includes (1) amended by the Fair and Accurate Credit cybersecurity is governed primarily by any information an individual provides Transactions Act. FCRA regulates the Health Insurance Portability and to obtain a financial product or service consumer reporting agencies, companies Accountability Act (‘HIPAA’). 3 Health (e.g., name, address, income, social who use consumer reports (e.g., a care providers, data processors, security number, or other information on lender), and companies that provide pharmacies, and other business an application); (2) any information about consumer-reporting information (e.g., a associates are all subject to HIPAA, which an individual from a transaction credit card company). defines specific standards for privacy involving a financial product or service Following the data breach of 148 (‘the HIPAA Privacy Rule’) and security (e.g., the fact that an individual is a million consumers’ information at (‘the HIPAA Security Rule’). 4 The HIPAA consumer or customer, account numbers, Equifax – one of the largest consumer Breach Notification Rule 5 requires payment history, loan or deposit reporting agencies – there has been HIPAA covered entities and their balances, and credit or debit card significant discussion of further business associates to provide purchases); or (3) any information about regulation of consumer reporting notification following a breach of an individual in connection with agencies, though none has been enacted unsecured protected health information. providing a financial product or service to date. Such notification must be made (e.g., information from court records or without unreasonable delay and in no from a consumer report). Marketing and advertising case later than 60 days following the Companies subject to GLB are also The FTC has been the primary regulator discovery of a breach and must include, required to provide notice of their for marketing and advertising, to the extent possible, a brief description privacy practices and an opportunity for encouraging companies to implement of the breach, a description of the types data subjects to opt out of having their four fair information practices: (1) giving of information that were involved in the information shared with third parties. consumers notice of a website's breach, the steps affected individuals information practices; (2) offering should take to protect themselves from Industries that have a higher consumers choice as to how their potential harm, a brief description of personally identifying information is what the covered entity is doing to risk profile due to extensive used; (3) providing consumers with investigate the breach, mitigate the harm, use of personal data or access to the information collected about and prevent further breaches, as well as them; and (4) ensuring the security of the contact information for the covered entity unique risk of critical information collected. or business associate. California’s industries are more likely to The FTC implies these principles from Confidentiality of Medical Information its unfair and deceptive trade practices Act (‘CMIA’) provides stronger privacy be targeted by regulations. jurisdiction through the FTCA. There protections for medical information than have also been significant discussions in HIPAA. 6 Various other federal agencies have Congress about imposing additional also promulgated data protection rules regulations. Financial services such as the Safeguards Rule, Disposal Even more stringent requirements are Banks, securities firms, insurance Rule, and the Red Flags Rule for imposed by the Children’s Online companies, and other financial services protecting and ensuring safe disposal of Privacy Protection Act (‘COPPA’), 10 organisations serve a key role in the financial data. which is enforced by the FTC. COPPA economy and accordingly the privacy In an attempt to force more rigorous requires websites to obtain verifiable and cybersecurity protections mandated security controls, the New York State parental before collecting, using, under both federal and state law are Department of Financial Services or disclosing personal information from extensive. The Financial Services (‘NYDFS’) passed its own cybersecurity children, including their names, home Modernization Act, more commonly regulations to apply to financial services addresses, email addresses, or hobbies. known as the Gramm-Leach-Bliley Act companies that operate in New York, The industry has also introduced self- (‘GLB’) 7 is the principal framework for effective March 2017. 8 The NYDFS rules regulatory principles for behavioural

2 Trade Security Journal Issue 9 DATA PRIVACY

advertising. As a general rule, ‘opt out’ and protecting customers’ data and a consent is generally considered way to communicate that commitment to Data breach notification acceptable in the United States, with customers. requirements some exceptions for special types of data and classes of individuals. Retail All 50 states and three territories States have also begun to regulate The retail industry has been the source of have imposed laws that require large data brokers. In May 2018, Vermont significant privacy and cybersecurity notification of data breaches passed legislation to regulate data threats – from the Target breach, which involving personally identifiable brokers, effective 1 January 2019. Data cost the company over $250 million, to information. The standards are brokers will be required to register with the previously undisclosed Uber data similar, but also inconsistent. In the Vermont attorney general and pay a breach of millions of customers’ data, general, they require notification $100 registration fee; provide annual which caused a public relations crisis. in a reasonable time period disclosures to the Vermont attorney Regulation of credit card data in the (which varies by state) of any general concerning data privacy practices United States is governed by the Payment breach of data that could lead to and data breaches; and develop, Card Industry Standard . Some generally implement, and maintain a (‘PCI DSS’). This set of security standards define personally identifiable comprehensive written information is designed to ensure that all companies information and others provide security programme that contains that accept, process, store or transmit other, specific combinations of administrative, technical, and physical credit card information maintain a secure data that require notice. Many, safeguards. environment. The enforcement but not all, require notification of mechanism is contractual – retailers have the state attorney general and Energy with the major card brands that some require notification of Security has been the primary focus of impose significant penalties for specific law enforcement the energy industry, with extensive noncompliance. agencies. Although legislation to regulation for utilities. Electric grid Retailers also face close scrutiny from enact a federal standard that regulations apply to utility companies the FTC, particularly with the advent of would preempt state notification under the Critical Infrastructure the Internet of Things, which has further laws has been proposed in Protection (‘CIP’) Standards, issued by implications for data privacy. Other Congress, it has never passed, the North American Electric Reliability federal regulations, such as the Video despite the transactional costs to Corporation (‘NERC’) and approved by Privacy Protection Act (‘VPPA’), 12 companies of complying with 50 the Federal Energy Regulatory provide further limitations on the different standards. Commission. Oil and gas companies wrongful disclosure of video tape rental have not been subject to the same degree or sale records [or similar audio visual of scrutiny, even though the materials, to cover items such as video cybersecurity requirements. implementing recommendations of the games and the future DVD format] and have resulted in significant private Other state and federal regulations Privacy has also been an litigation. There are a host of non-industry-specific regulations governing privacy. The increased focus as many Government contracts Controlling the of No-Solicited energy companies develop Government contractors face significant Pornography and Marketing Act (‘CAN- privacy and cybersecurity requirements SPAM Act’) 13 and the Telephone smart grid technologies. under the Federal Acquisition Regulation Consumer Protection Act 14 were passed (‘FAR’) and Defense Federal Acquisition by Congress to curb unsolicited email Regulation Supplement (‘DFARS’) for and telephone calls, providing strict 9/11 Commission Act of 2007 11 authorises classified information, controlled limitations on commercial emails and the Department of Homeland Security’s unclassified information, and covered telephone calls to consumers. The Transportation Safety Administration defence information. Detailed NIST 800- Electronic Communications 15 (‘TSA’) to issue pipeline security 171 standards are contractually required and the Consumer and Abuse Act 16 regulations if the TSA determines that to be implemented into the contractors’ make it illegal to intercept electronic doing so is necessary. security programmes, depending on the communications and tamper with Privacy has also been an increased regulations to which the contractor is computers. focus as many energy companies develop subject. The Department of Defense The Securities & Exchange smart grid technologies. The Smart Grid requires that contractors rapidly report Commission (‘SEC’) also issued rules Data Privacy Voluntary Code of Conduct any breaches within 72 hours. regarding privacy and cybersecurity for (‘VCC’) Initiative began in 2012, The Department of Defense and other public companies, broker dealers, and undertaken in partnership with the government agencies have also investment funds regulated by the Federal Smart Grid Task Force (a multi- announced that they will continue to industry. The SEC adopted Commission- stakeholder effort involving utilities, scrutinise contractors’ supply chain level guidance on cybersecurity regulatory bodies, consumer and privacy security plans and programmes from disclosures in 2018 and brought its first advocates, technology providers, and proposal submission to closeout. high-profile enforcement action and associations). The initiative developed The 2019 National Defense Authorization settlement for non-disclosure against the DataGuard Energy Data Privacy Act as approved by Congress and DHS Altaba, formerly known as Yahoo, for Program that provides utilities and third initiatives highlight the government’s $35 million. parties with a framework for handling increased focus on supply chain and At the state level, certain states have

3 Trade Security Journal Issue 9 DATA PRIVACY

imposed more stringent data protection standards. For example, the Michelle Reed is a partner in the Dallas office of Akin Gump Massachusetts ‘Standards for The Strauss Hauer & Feld LLP, and is a co-leader of the firm’s Protection of Personal Information of cybersecurity, privacy, and data protection practice. Residents of the Commonwealth’ 17 includes strict requirements for data security: encryption of personal data; [email protected] retention and storage of both digital and physical records; network security controls (e.g., firewalls); risk- management policies and practices; of the Patriot Act expired on 1 June 2015. l Right to request deletion of their data employee training; adequate The USA Freedom Act on 2 June 2015 l Mandated right to opt in before the documentation of data breaches; then restored the expired parts and sale of information of children under adequate documentation of any policy renewed them through 2019. While the 16 changes; and ensuring that any government’s ability to obtain records l Right to know the categories of third associated third-party providers who has been largely circumscribed by parties with whom their data is have access to the data maintain the same subsequent law, these powers remain a shared, as well as those from whom standards. point of contention both in the United their data was acquired States and internationally. l Enforcement by the attorney general Government law enforcement The Supreme Court provided greater of the State of California and anti-terrorism efforts hope to privacy advocates in its decision l Private right of action should breach The law continues to evolve on the in Carpenter v. United States ,18 the occur, to ensure companies keep their government’s access to private records. landmark decision concerning the information safe The Patriot Act is a United States statute privacy of historical cellphone location that amended numerous existing laws to records. The court held, in a 5-4 decision As currently drafted, the statute grant federal law enforcement and authored by Chief Justice Roberts, that applies to ‘any business that earns intelligence officers increased powers to the government violates the Fourth $25 million in revenue per year, sells obtain and share records for counter- Amendment to the United States 50,000 consumer records per year, or terrorism purposes. Specifically, the Constitution by accessing historical derives 50 percent of its annual revenue Patriot Act allowed the Federal Bureau of records containing the physical locations from selling personal information.’ This Investigation (‘FBI’), including when it is of cellphones without a . includes businesses that collect or sell acting on behalf of the NSA (National personal information from consumers in Security Agency), to petition a Foreign New developments California, regardless of where the Intelligence Court (‘FISA The closest analog to the GDPR in the company itself is located. Based on the Court’) for an order to obtain any United States is the recently passed most recent census bureau data, it is business records. The Patriot Act was California Consumer Protection Act. In estimated that more than a half a million extended through 1 June 2015, but parts July 2018, one of the largest states in the companies in the United States will be United States – California – passed a state subject to the CCPA. California has long Links and notes law that requires businesses to tell been a leader in data privacy protections customers about the personal data they and the passage of the CCPA is viewed 1 15 USC. §§ 41-58 2 LabMD, Inc. v. FTC , No. 16-16270 (11th Cir. June 6, collect, give consumers more control over by many as a presage of things to come 2018) how companies use and share their in other states. 3 42 USC. § 1301 personal information, and provide Other states have issued recent data 4 45 C.F.R. §§ 160, 164 consumers with a way to request data protection guidance as well, with 5 45 C.F.R. §§ 164.400-414 deletion. This law will not be effective Colorado enacting Colorado House Bill 6 Cal. Civ. Code §§ 56-56.37 until January 2020, and many anticipate 1128 in May 2018, which strengthens 7 15 USC. §§ 6801-6827 that it will be amended before it goes into consumer protections by requiring 8 23 N.Y.C.R.R. 500 9 15 USC. § 1681 effect. The CCPA creates the following formal information security policies as 10 15 USC. §§ 6801-6827 rights and enforcement mechanisms: well as increased oversight of third 11 6 USC. § 1207(f) parties. 12 18 US Code § 2710 l Right to know all data collected on 13 15 USC. §§ 7701-7713, 18 USC. § 1037 them, including what categories of Conclusion 14 47 USC. § 227 data and why it is being acquired, Although the United States is often 15 18 USC. § 2510 before it is collected, and any changes criticised for the lack of a single federal 16 18 USC. § 1030 to its collection law governing privacy and cybersecurity, 17 201 C.M.R. § 17.00 l Right to refuse the sale of their the mosaic of laws governing different 18 No. 16-402, 585 US ____ (2018) information industries and uses of data provide detailed and strong protections. While new laws such as the CCPA will likely This article is reprinted from the September 2018 issue of drive the United States to similar Trade Security Journal. protections as the GDPR, it will be a long time before any overarching data www.tradesecurityjournal.com protection laws are implemented at the national level. n

4 Trade Security Journal Issue 9