Data Security in the United States
June 20, 2018
Like it or not, our national and state governments know a lot about us. Each U.S. state holds a huge amount of data about its citizens, including personally identifiable information (PII) like Social Security numbers, tax and financial information, and driver’s license information. While HIPAA law regulates individuals’ Protected Health Information (PHI), the United States does not have a single, comprehensive federal (national) law regulating the collection and use of personal data. Instead, the U.S. has a patchwork system of state laws and regulations that mandate security.
In the wake of the European Union’s (EU) General Data Protection Regulation (GDPR), which protects EU citizens’ information, you may be asking yourself: what about my own personal information here in the United States? How does your state protect sensitive information? This week’s blog post looks at a few states’ data protection policies that really stand out. It’s important that you look into how your state is protecting your data, as well as what it requires of organizations and businesses for data security.
Federal Data Protection
In the U.S., there are several federal privacy-related laws that regulate the collection and use of personal data. Some of these national laws apply to particular categories of information, such as financial or health information. Other federal laws apply to activities that use personal information, like telemarketing. Additionally, there are consumer protection laws that protect personal information.
Some of the most prominent federal privacy laws include the following:
- The Federal Trade Commission Act (FTC Act) (15 U.S.C. §§41-58) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies. The FTC has enforced the Act against companies for failing to comply with posted privacy policies and for the unauthorized disclosure of personal data. The FTC is also the primary enforcer of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501-6506), which prevents the online collection of information from children, and the Self-Regulatory Principles for Behavioral Advertising.
- The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801-6827) regulates the collection, use, and disclosure of financial information. It can apply broadly to financial institutions such as banks, securities firms, and insurance companies, and to other businesses that provide financial services and products. GLB limits the disclosure of non-public personal information, and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for data subjects to opt out of having their information shared. Additionally, there are several Privacy Rules promulgated by national banking agencies and the Safeguards Rule, Disposal Rule, and Red Flags Rule issued by the FTC that relate to the protection and disposal of financial data.
- The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) regulates medical information. It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) (45 C.F.R. Parts 160 and 164) apply to the collection and use of protected health information (PHI). The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) (45 C.F.R. 160 and 164) provide standards for protecting medical data. The Standards for Electronic Transactions (HIPAA Transactions Rule) (45 C.F.R. 160 and 162) apply to the electronic transmission of medical data. These HIPAA rules were revised in early 2013 under the HIPAA Omnibus Rule.
- The Fair Credit Reporting Act (15 U.S.C. §1681) and the Fair and Accurate Credit Transactions Act (Pub. L. No. 108-159) apply to consumer reporting agencies, those who use consumer reports (a lender, for example) and those who provide consumer-reporting information (a credit card company, for example). A consumer report is any communication issued by a consumer reporting agency that relates to a consumer’s creditworthiness, credit history, credit capacity, character, and general reputation and that is used to evaluate a consumer’s eligibility for credit or insurance.
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) (15 U.S.C. §§7701-7713 and 18 U.S.C. §1037) regulates the collection and use of email addresses and telephone numbers.
- The Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030) both regulate the interception of electronic communications and computer tampering. A class action complaint filed in late 2008 alleged that internet service providers (ISPs) and a targeted advertising company violated these statutes by intercepting data sent between individuals’ computers and ISP servers.
U.S. States and Data Protection
The good news is that data protection in the U.S. doesn’t end at the national level. In fact, all U.S. states have security measures in place to protect data and systems. At least 19 states require, by statute, that state government agencies have specific policies or measures in place to secure data. Many state laws take a comprehensive approach to security, and most state data security laws require agencies to implement and maintain reasonable security procedures and practices to protect sensitive information from unauthorized access, destruction, use, modification, or disclosure. Some states have laws that require training, security audits or assessments, standards and guidelines development, and other provisions. At least 14 states also require government entities to destroy or dispose of personal information by means of shredding, burning, etc. Twelve states also have data security laws that apply to private entities. Let’s take a look at some states that stand out when it comes to data security.
California’s breach notification law serves as an example for other states
California led the way in breach notification when it became the first state to enact a security breach notification law (California Civil Code §1798.82). The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system to all California residents whose unencrypted personal information was acquired by an unauthorized person. Many other U.S. states used California’s law as a baseline when adopting their own rules, and now all 50 states, as well as the District of Columbia, Puerto Rico, and the US Virgin Islands, have laws that require individuals to be notified of security breaches involving their personal information.
Massachusetts mandates the Written Information Security Program (WISP)
In Massachusetts, every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program known as a Written Information Security Program (WISP). A WISP ensures the security, confidentiality, integrity, and availability of the personal information and other sensitive information that person collects, creates, uses, and maintains. After a breach, it’s critical that the affected business develop or review its risk-based written information security program, which takes into account the size of the business, the nature of the business, the amount of resources, the type of records it maintains, and the need for security. A risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers.
New York’s first-in-the-nation cybersecurity regulation
In New York, banks, insurance companies, and other financial services institutions are required to have a cybersecurity program designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. Covered Entities must also report cybersecurity events through an online cybersecurity portal.
Colorado strengthens data protection law
Colorado has recently enacted a new law, HB 1128, requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules. Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect on September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.
As cybersecurity becomes increasingly important across our nation due to ever-growing cybercrime, you can expect to see more and more states adopt new laws for protecting your data. It’s vital that you keep abreast of current state and national law to protect yourself personally and professionally.