
Privacy and Data Security in Service Provider


Recent Developments

Rebecca S. Eisner

Mayer Brown LLP

June 2009

Professional Profile of Rebecca S. Eisner

Rebecca S. Eisner is a partner in the Chicago office of Mayer Brown LLP. Her practice focuses on complex global and offshore technology and business process outsourcing transactions, including IT infrastructure, applications development and maintenance, back office processing, ERP implementations, finance and accounting, payroll processing, call center, HR, technology development, system integration and hosting. She regularly advises clients in business process services agreements, strategic alliances, joint ventures, licensing, development and telecommunications agreements, and Internet and ecommerce law issues, including data transfer and privacy issues and electronic contracting and signatures. She is a frequent writer and speaker on outsourcing, licensing and ecommerce topics. She is also recognized by Chambers Global - The World's Leading Lawyers in the area of Information Technology, and Business Process Outsourcing (2004-2009), Who's Who in American Law, Best Lawyers in America in Information Technology, and Illinois Leading Lawyers. Prior to re-joining Mayer Brown in 1996, Ms.

Eisner worked in-house as Associate Group Counsel and Assistant Vice President, Equifax, Inc., Atlanta, from 1993. Her prior work experience also includes serving as a Public Relations and Government Affairs Specialist for The Dow Chemical Company, Midland, Michigan. Ms. Eisner attended the University of Michigan Law School, J.D. (cum laude), 1989, and earned her undergraduate degree in Journalism (cum laude) from The Ohio State University.

The author also acknowledges with appreciation the work and research contributed by associates Mark Oram, Joe Pennell and Michael Word, as well as Damoun Delaviz, Swathi Gandhavadi and Ben Williams, who served as summer associates with the firm.






A. Federal Laws and Federal Regulation ................. 2

B. State Laws and State Regulation



A. Standards under State Laws

B. Standards under Federal Gramm-LeachBliley (GLB)

C. Standards under HIPAA



E. Breach Action Plan Requirements

F. Changes in Privacy Law and Regulation ........... 37

G. Liability

H. Costs


Appendix A – Massachusetts Data Security Regulations

Appendix B – Overview of Interagency Guidelines

Appendix C – HIPAA Security Rule: Required and Addressable Safeguards

Appendix D – Recent FTC Enforcement Actions

Appendix E – Recent Cases



Privacy issues have been prominent outside of the U.S. for years now.1 Within the U.S., unless you are in a regulated industry, your company may have given only a passing thought to privacy and data security compliance.2 However, recent enforcement actions, new laws and class action lawsuits are providing a wake-up call for all businesses handling sensitive customer information (e.g., social security numbers, credit card numbers and other account numbers).3 Standards for securing private information are emerging, and companies need to take note.

Corporate boards and executives are realizing the effect that security and privacy violations may have on a company. In a 2006 CSI/FBI Survey, 56% of company respondents reported an unauthorized use of their computer systems within the past 12 months.4 Moreover, several companies have experienced dramatic stock price declines after a major data security breach and privacy violation.5 As discussed below, several existing laws and regulations require the board or executives to certify as to or approve of security programs. These developments have caused high level groups such as the Business Roundtable and the Corporate Governance Task Force to state that information security requires CEO attention and is a top priority for board review.

Privacy and security are different but are inseparably related. Without the growing body of privacy and data breach laws, security lapses involving private information might have fewer consequences for the company. Without appropriate security measures, protection of private information would be impossible. Privacy of personal information is the result of good security compliance.

Companies have many types of corporate data that they need to protect. Personal information about individuals, whether customers or employees, is just one category, but it is the category with the most recent legal developments.6 In this category, data breaches and other similar privacy violations are driving some new legal standards. For example, from 2005 through May 27, 2009, over 261 million records involving sensitive personal information have been involved in security breaches.7 Breaches like these have spawned some lawsuits and enhanced regulatory scrutiny.

Companies need to be aware of the emerging standards created by the legal and regulatory developments, and to determine if their current and planned security and data protection programs comply. No security and privacy program is complete without a compliance and monitoring program for third-party service providers.

With respect to these third parties, outsourcing arrangements often involve the handling of or access to personal information of a business.8 This is especially true with the burgeoning growth of business process outsourcing, where onshore and offshore providers now handle such services as mortgage loan servicing, benefits and insurance administration, medical records transcription, income tax preparation, help desk functions for product support, billing and payments, and many other functions involving the use, processing or storage of personal information. Privacy compliance and security now belong high on the checklist for every outsourcing transaction.

This article raises important topics that every company should address with its outsourcing service providers (both onshore and offshore). We begin with an overview of the existing privacy legal landscape in the U.S., as well as a look at the emerging U.S. standards applicable to company security and privacy programs. We also examine the emerging standards applicable to third-party service provider arrangements. This article then examines planning for compliance through contractual clauses with service providers, including both onshore and offshore service providers.


A. Federal Laws and Federal Regulation. U.S. privacy laws to date exist in targeted industries, such as the financial and medical and health industries. Gramm-Leach-Bliley ("GLB") and the Fair Credit Reporting Act ("FCRA") are the federal statutes and regulations that regulate the sharing of financial information with third parties and affiliates.9 For health and medical information, the Health Insurance Portability and Accountability Act and implementing regulations (collectively, "HIPAA") regulate the privacy of health and medical information and the maintenance of electronic health information.10 The Children's Online Privacy Protection Act of 1998 and regulations (collectively, "COPPA") address the collection of personal information from children under the age of 13.11 The FTC has been active in bringing enforcement actions for violations of COPPA.12 Outside of laws targeted at government functions,13 these are the primary general federal privacy laws regulating the use and collection of personal information.

There are several other federal laws that bear on privacy issues in specific industries or contexts. For example, there is the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) regulating the disposal of consumer report information;14 the Fair Debt Collection Practices Act15 regulating the manner in which entities may seek to collect debts from consumers; the USA PATRIOT Act16 regulating anti-money laundering surveillance; and the Right to Financial Privacy Act17 regulating the disclosure of financial information by a financial institution to the federal government.

Outside of those targeted industries and specific contexts, privacy is largely a self-regulated activity, but an activity to which the Federal Trade Commission ("FTC") has devoted significant attention. The FTC has also devoted a fair amount of resources to enforcement of privacy issues, under the powers granted to the FTC regarding unfair and deceptive business practices. According to FTC Chairman Jon Leibowitz, "all companies must implement reasonable security for and limit their retention of sensitive consumer data. All companies must keep their promises about how they will use consumers' information. If they fail to do so – whether first party or third party, online or offline – we will go after them."18 In the earlier days of FTC privacy enforcement, the actions focused on broken promises in privacy statements.

More recently, the FTC has changed its focus. Lax security around personal information is possibly actionable in itself, even in the absence of a breach incident. As discussed below, this trend of expansion of enforcement will continue.

B. State Laws and State Regulation. The states have also taken notice of privacy and security issues, and have begun enforcement of such issues. Some states have created an agency/office dedicated to this issue.19 Many states have statutes and regulations that mirror the requirements of GLB and protect personal health information like HIPAA. Several states also have laws regarding the proper disposal of consumer information, use of social security numbers,20 and other similar protections. The state attorneys general are empowered under state unfair business and deceptive practices acts to enforce laws for privacy violations.21 These powers are similar to those exercised by the FTC under Section 5 of the FTC Act.22 Additionally, many states have passed data breach notification laws, and some states are passing data encryption and security program laws. Massachusetts' new data security regulations are the most prominent example of state legislation taking a highly detailed, prescriptive approach to safeguarding personal information.23 Other states have passed consumer identity theft and health care privacy laws.

New York has gone one step further and issued a comprehensive privacy guide for businesses.24


Companies that want to implement security measures to protect personal information and other corporate data face a difficult reality: a lack of specific guidance regarding security measures and legal standards. The legal standards from the laws and regulations discussed above provide little specific guidance. Cases and enforcement actions currently seem to lead to differing standards and technical requirements.25 Many regulators and legislators are reluctant to mandate specific security measures. Specific measures can quickly become obsolete, or may actually hamper the development of better security technology measures if regulators set the “ceiling” for a security measure. There is some merit in maintaining a higher level, flexible approach that provides room for industry standards to mature and evolve. Even recognized technical information security and general security standards established by industry standard setting groups tend to be high-level. In some cases these technical information security standards are difficult or nearly impossible to achieve in a commercially reasonable manner across all of a company’s operations.26 With the mandate for security and privacy compliance, and the lack of specific guidance, determining the appropriate legal standards and resulting technical measures can seem like navigating without a compass. However, there are some common themes. More importantly, the emerging standard may well be a process – a series of repeatable actions consistently taken by a company as part of a security and privacy compliance program.

A. Standards under State Laws.
