Privacy and Data Security in Service Provider
Rebecca S. Eisner
Mayer Brown LLP
June 2009
Professional Profile of Rebecca S. Eisner
Rebecca S. Eisner is a partner in the Chicago office of Mayer Brown LLP. Her practice focuses on complex global and offshore technology and business process outsourcing transactions, including IT infrastructure, applications development and maintenance, back office processing, ERP implementations, finance and accounting, payroll processing, call center, HR, technology development, system integration and hosting. She regularly advises clients in business process services agreements, strategic alliances, joint ventures, licensing, development and telecommunications agreements, and Internet and ecommerce law issues, including data transfer and privacy issues and electronic contracting and signatures. She is a frequent writer and speaker on outsourcing, licensing and ecommerce topics. She is also recognized by Chambers Global - The World's Leading Lawyers in the area of Information Technology and Business Process Outsourcing (2004-2009), Who’s Who in American Law, Best Lawyers in America in Information Technology, and Illinois Leading Lawyers. Prior to re-joining Mayer Brown in 1996, Ms. Eisner worked in-house as Associate Group Counsel and Assistant Vice President, Equifax, Inc., Atlanta, from 1993. Her prior work experience also includes serving as a Public Relations and Government Affairs Specialist for The Dow Chemical Company, Midland, Michigan. Ms. Eisner attended the University of Michigan Law School, J.D. (cum laude), 1989, and earned her undergraduate degree in Journalism (cum laude) from The Ohio State University.
The author also acknowledges with appreciation the work and research contributed by associates Mark Oram, Joe Pennell and Michael Word, as well as Damoun Delaviz, Swathi Gandhavadi and Ben Williams, who served as summer associates with the firm.
TABLE OF CONTENTS
I. WHY YOUR COMPANY SHOULD CARE ABOUT PRIVACY ISSUES
II. OVERVIEW OF U.S. PRIVACY LAWS
A. Federal Laws and Federal Regulation
B. State Laws and State Regulation
III. EMERGING STANDARDS FOR PRIVACY AND SECURITY
A. Standards under State Laws
B. Standards under Federal Gramm-Leach-Bliley (GLB)
C. Standards under HIPAA
E. Breach Action Plan Requirements
F. Changes in Privacy Law and Regulation
G. Liability
Appendix A – Massachusetts Data Security Regulations
Appendix B – Overview of Interagency Guidelines
Appendix C – HIPAA Security Rule: Required and Addressable Safeguards
Appendix D – Recent FTC Enforcement Actions
Appendix E – Recent Cases
I. WHY YOUR COMPANY SHOULD CARE ABOUT PRIVACY ISSUES
Privacy issues have been prominent outside of the U.S. for years now.1 Within the U.S., unless you are in a regulated industry, your company may have given only a passing thought to privacy and data security compliance.2 However, recent enforcement actions, new laws and class action lawsuits are providing a wake-up call for all businesses handling sensitive customer information (i.e., social security numbers, credit card numbers and other account numbers).3 Standards for securing private information are emerging, and companies need to take note.
Corporate boards and executives are realizing the effect that security and privacy violations may have on a company. In a 2006 CSI/FBI Survey, 56% of company respondents reported an unauthorized use of their computer systems within the past 12 months.4 Moreover, several companies have experienced dramatic stock price declines after a major data security breach and privacy violation.5 As discussed below, several existing laws and regulations require the board or executives to certify as to or approve of security programs. These developments have caused high level groups such as the Business Roundtable and the Corporate Governance Task Force to state that information security requires CEO attention and is a top priority for board review.
Privacy and security are different but are inseparably related. Without the growing body of privacy and data breach laws, security lapses involving private information might have fewer consequences for the company. Without appropriate security measures, protection of private information would be impossible. Privacy of personal information is the result of good security compliance.
Companies have many types of corporate data that they need to protect. Personal information about individuals, whether customers or employees, is just one category, but it is the category with the most recent legal developments.6 In this category, data breaches and other similar privacy violations are driving some new legal standards. For example, from 2005 through May 27, 2009, over 261 million records involving sensitive personal information have been involved in security breaches.7 Breaches like these have spawned some lawsuits and enhanced regulatory scrutiny.
Companies need to be aware of the emerging standards created by the legal and regulatory developments, and to determine if their current and planned security and data protection programs comply. No security and privacy program is complete without a compliance and monitoring program for third-party service providers.
With respect to these third parties, outsourcing arrangements often involve the handling of or access to personal information of a business.8 This is especially true with the burgeoning growth of business process outsourcing, where onshore and offshore providers now handle such services as mortgage loan servicing, benefits and insurance administration, medical records transcription, income tax preparation, help desk functions for product support, billing and payments, and many other functions involving the use, processing or storage of personal information. Privacy compliance and security now belong high on the checklist for every outsourcing transaction.
This article raises important topics that every company should address with its outsourcing service providers (both onshore and offshore). We begin with an overview of the existing privacy legal landscape in the U.S., as well as a look at the emerging U.S. standards applicable to company security and privacy programs. We also examine the emerging standards applicable to third-party service provider arrangements. This article then examines planning for compliance through contractual clauses with service providers, including both onshore and offshore service providers.
II. OVERVIEW OF U.S. PRIVACY LAWS
A. Federal Laws and Federal Regulation. U.S. privacy laws to date exist in targeted industries, such as the financial and medical and health industries. Gramm-Leach-Bliley (“GLB”) and the Fair Credit Reporting Act (“FCRA”) are the federal statutes and regulations that regulate the sharing of financial information with third parties and affiliates.9 For health and medical information, the Health Insurance Portability and Accountability Act and implementing regulations (collectively, “HIPAA”) regulate the privacy of health and medical information and the maintenance of electronic health information.10 The Children’s Online Privacy Protection Act of 1998 and regulations (collectively, “COPPA”) address the collection of personal information from children under the age of 13.11 The FTC has been active in bringing enforcement actions for violations of COPPA.12 Outside of laws targeted at government functions,13 these are the primary general federal privacy laws regulating the use and collection of personal information.
There are several other federal laws that bear on privacy issues in specific industries or contexts. For example, there is the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) regulating the disposal of consumer report information;14 the Fair Debt Collection Practices Act15 regulating the manner in which entities may seek to collect debts from consumers; the USA PATRIOT Act16 regulating anti-money laundering surveillance; and the Right to Financial Privacy Act17 regulating the disclosure of financial information by a financial institution to the federal government.
Outside of those targeted industries and specific contexts, privacy is largely a self-regulated activity, but an activity to which the Federal Trade Commission (“FTC”) has devoted significant attention. The FTC has also devoted a fair amount of resources to enforcement of privacy issues, under the powers granted to the FTC regarding unfair and deceptive business practices. According to FTC Chairman Jon Leibowitz, “all companies must implement reasonable security for and limit their retention of sensitive consumer data. All companies must keep their promises about how they will use consumers’ information. If they fail to do so – whether first party or third party, online or offline – we will go after them.”18 In the earlier days of FTC privacy enforcement, the actions focused on broken promises in privacy statements.
More recently, the FTC has changed its focus. Lax security that could result in breaches involving personal information is possibly actionable, even in the absence of an actual breach incident. As discussed below, this trend of expansion of enforcement will continue.
B. State Laws and State Regulation. The states have also taken notice of privacy and security issues, and have begun enforcement of such issues. Some states have created an agency/office dedicated to this issue.19 Many states have statutes and regulations that mirror the requirements of GLB and protect personal health information like HIPAA. Several states also have laws regarding the proper disposal of consumer information, use of social security numbers,20 and other similar protections. The state attorneys general are empowered under state unfair and deceptive business practices acts to enforce laws for privacy violations.21 These powers are similar to those exercised by the FTC under Section 5 of the FTC Act.22 Additionally, many states have passed data breach notification laws and some states are passing data encryption and security program laws. Massachusetts’ new data security regulations are the most prominent example of state legislation taking a highly detailed, prescriptive approach to safeguarding personal information.23 Other states have passed consumer identity theft and health care privacy laws. New York has gone one step further and issued a comprehensive privacy guide for businesses.24
III. EMERGING STANDARDS FOR PRIVACY AND SECURITY
Companies that want to implement security measures to protect personal information and other corporate data face a difficult reality: a lack of specific guidance regarding security measures and legal standards. The legal standards from the laws and regulations discussed above provide little specific guidance. Cases and enforcement actions currently seem to lead to differing standards and technical requirements.25 Many regulators and legislators are reluctant to mandate specific security measures. Specific measures can quickly become obsolete, or may actually hamper the development of better security technology measures if regulators set the “ceiling” for a security measure. There is some merit in maintaining a higher level, flexible approach that provides room for industry standards to mature and evolve. Even recognized technical information security and general security standards established by industry standard setting groups tend to be high-level. In some cases these technical information security standards are difficult or nearly impossible to achieve in a commercially reasonable manner across all of a company’s operations.26 With the mandate for security and privacy compliance, and the lack of specific guidance, determining the appropriate legal standards and resulting technical measures can seem like navigating without a compass. However, there are some common themes. More importantly, the emerging standard may well be a process – a series of repeatable actions consistently taken by a company as part of a security and privacy compliance program.
A. Standards under State Laws.