Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws
The Kentucky Bar Association Corporate House Counsel Section presents

Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws

This program has been approved in Kentucky for 1.00 CLE credit.

Compiled and Edited by: The Kentucky Bar Association Office of Continuing Legal Education for Kentucky Bar Association Corporate House Counsel Section

© 2020 All Rights Reserved

Published and Printed by: The Kentucky Bar Association, November 2020.

Editor’s Note: The materials included in the following Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered as of the original publication date. No representation or warranty is made concerning the application of legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how a particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgment of the individual legal practitioner. The faculty and staff of these Kentucky Bar Association CLE programs disclaim liability therefore. Attorneys using these materials, or information otherwise conveyed during these programs, in dealing with a specific legal matter have a duty to research the original and current sources of authority. In addition, opinions expressed by the authors and program presenters in these materials do not reflect the opinions of the Kentucky Bar Association, its Board of Governors, Sections, or Committees.

Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws

Table of Contents

Presenter ........ i
Not Your Grandma’s Quilt. Exploring the Current “Patchwork” and Recent Trends in U.S. Data Privacy and Security Laws ........ 1
Appendix A: Business Roundtable Letter ........ 17
Appendix B: 201 CMR 17.00 Compliance Checklist ........ 22

PRESENTER

Sarah Cronan Spurlock
Stites & Harbison, PLLC
400 West Market Street, Suite 1800
Louisville, KY 40202-3350
(502) 681-0461
[email protected]

Sarah Cronan Spurlock is a member of Stites & Harbison’s Health Care Service Group and is Co-Chair of the firm’s Privacy & Data Security Group. She regularly advises clients on a wide range of health care and privacy matters, including fraud and abuse laws, physician and hospital contracting, information privacy and security laws, and data breach prevention and response. She is a Certified Information Privacy Professional (CIPP/US) and serves as the firm’s Chief Privacy Officer. Ms. Spurlock received her B.A. from Indiana University and her J.D., magna cum laude and Order of the Coif, from the University of Kentucky College of Law. Prior to law school, she lived in New York City, where she worked at Friedman, Wang & Bleiberg, P.C. as a paralegal, and at Lehman Brothers, Inc. in human resources supporting the information technology division. Ms. Spurlock is listed in Best Lawyers in America, Health Care Law (2019-20), and was included in Business First of Louisville’s 20 People to Know in Law in 2018. She is a member of the International Association of Privacy Professionals, the Defense Research Institute, the American Health Lawyers Association, and the American (Health Law Section), Kentucky, and Louisville (Health Law Section, Chair, 2011) Bar Associations.

NOT YOUR GRANDMA’S QUILT. EXPLORING THE CURRENT “PATCHWORK” AND RECENT TRENDS IN U.S. DATA PRIVACY AND SECURITY LAWS

Sarah C. Spurlock

I. INTRODUCTION

The term “data privacy” means different things to different people. Understanding what data privacy means to a business often depends on the industry as well as the state(s) (and countries) in which it operates. Whether a business is B2B or consumer facing also affects the role of privacy in day-to-day operations. Data privacy means different things for different types of information as well. If you ask a person who works in a hospital, a bank, a restaurant, a school, a clothing boutique, or an accounting firm when and how they encounter privacy issues in their workplace, the answers will all be unique. Simply put, data privacy is highly contextual.

The United States lacks a comprehensive federal law governing data privacy. Instead, businesses must confront a complex “patchwork” of sector-specific federal laws and data-specific state laws addressing (in varying degrees) privacy, security, and breach notification. Understanding where a business fits into this complex legal web may be more obvious for businesses operating in highly regulated industries (financial and healthcare, for example). But even those businesses are subject to additional laws that have implications for privacy in certain aspects of the business, or with respect to certain categories of information. For businesses in industries lacking a federal, sector-specific law, identifying relevant privacy laws is often a frustrating game of elimination.

Perhaps indicative of this frustration, in September 2019, Business Roundtable wrote to Leader McConnell and Speaker Pelosi, along with other senior members of Congress, urging passage of a comprehensive consumer data privacy law.
The letter, signed by more than 50 CEOs representing multiple industries, states:

There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market.1

The Business Roundtable letter emphasizes the importance of a comprehensive federal law that promotes:

1. consumer trust and confidence;
2. accountability for collection, use, and sharing;
3. individual rights;
4. growth in the digital economy; and
5. expectations for data and digital platforms to deliver goods and services.

The letter also highlights a fundamental problem with the increasingly complex and fragmented system of state laws: confusion abounds. In addition to noting the need for a stable environment and a well-understood legal and regulatory framework, the letter cites the disservice to consumers, who cannot be expected to know or understand that rights and rules with respect to their personal information may vary depending on the state in which they reside, the state from which they access the internet, or the state in which a company’s operations are located.

The Business Roundtable letter illustrates the shift in attitudes toward U.S. privacy laws. Historically, our laws pertaining to personal data have focused on relatively narrow categories of sensitive information (health, Social Security numbers, financial account information), with emphasis on notice and transparency – but generally allowing for the free flow of data outside of a few, highly-regulated sectors.

1 A copy of the Business Roundtable letter dated September 10, 2019 is included at Appendix A.
The trend in other countries, which is gaining traction in various states – most notably California – is a much more expansive view of personal information, with emphasis on individual rights and control, and increased restrictions on the flow of data. Instead of state laws that mostly address notifying consumers of data breaches after the fact, we are seeing laws that focus more on curbing uses and misuses of data starting from the point of collection.

While efforts toward a comprehensive federal consumer data privacy law have been advanced in the past year, bipartisan support is lacking. In late 2019, we saw senators from both parties introduce comprehensive federal legislation with many common elements. The Consumer Online Privacy Rights Act (COPRA)2 and the Consumer Data Privacy Act (CDPA)3 each included requirements for transparent privacy notices, reasonable data security practices, privacy and risk assessments, oversight, and mechanisms for consent to process data. Yet the proposals differed in a number of significant ways. CDPA included a broad preemption of state laws, while COPRA’s preemption extended only to laws in direct conflict, leaving intact more protective state laws. Also, CDPA included no private right of action and left enforcement to the Federal Trade Commission, while COPRA included a private right of action. The lack of consensus on these two issues – preemption and a private right of action – is often cited as the barrier to progress on privacy laws at the federal level. Another unknown is the impact a comprehensive federal law will have on existing federal regimes, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This debate has continued in 2020. The most recent attempt at comprehensive federal privacy legislation is the SAFE DATA Act, proposed by Republican lawmakers in September.4 At a hearing before the Senate Committee on Commerce, Science and Transportation in late September, two former Federal Trade Commission heads argued in favor of a single national privacy standard that replaces state regulations such as California’s comprehensive privacy law that

2 Introduced in Senate