Global Privacy Japan Sets its Rules for Personal Data


Global companies must comply with differing privacy rules. The great divide between the EU and the USA is well-known. See Global Privacy Protection - No One Set of Rules. The EU is an opt-in system, insisting generally on express agreement by individuals before a company can share or use their personal data. By contrast, the USA is largely an opt-out regime, using a mix of sector-specific rules plus public declaration. In some areas in the US, express opt-in is required (e.g., medical records); in others, privacy notices about company rules are sufficient; and in yet other areas the rules are not clear or are flexible. Canada follows a third approach. See Canada and Privacy.

Japan's Law Concerning the Protection of Personal Information ("Privacy Law") took effect April 1. Japan's approach is in some respects more stringent than the EU standard, and more difficult to apply than the US or Canadian rules. Immediate attention should be given to the Japanese requirements by any large company that gathers, maintains or uses personal data about Japanese nationals. Smaller companies may be exempt from the Privacy Law, as discussed below.

Japan relies on a detailed regulatory framework plus private sector self-regulation. The Japanese Privacy Law is similar to the EU Directive in the sense that it establishes a required framework for Japan's ministries to implement through detailed regulations in all sectors of Japanese life. The Prime Minister issued a Basic Policy in April 2004, which a year later became the basis for Japan's Privacy Law. Different ministries developed specific regulations that conform to the Basic Policy, and now to the Privacy Law. For example, the Ministry of Justice issued regulations regarding personal data involved in loan servicing and universities, and the Ministry of Internal Affairs and Communications issued the rules affecting telecommunications and broadcasting.
Handling of Personal Information in Japan

The Privacy Law defines personal information very broadly. It covers all data about living persons that can be used to identify specific individuals by name, date of birth, or other description. It includes publicly available information (phone numbers) as well as business contacts, HR data and patient records. It is hard to think of facts about a person that do not qualify as personal information.

Businesses that use personal information have specific prescribed duties as to personal information. Virtually any business with a Personal Information Database is covered, as long as at least 5,000 individuals are in the database. A company database involving fewer than 5,000 people is exempt from the Privacy Law, based on a government ordinance declaring that such a limited database is not a threat to individual rights. Smaller businesses, however, should consider conforming to the basic rules affecting their industry, or run the risk of failed employee expectations or worse.

Businesses with Personal Information Databases of more than 5,000 people must take the following steps:

1. Specify the purposes for which personal information will be used;
2. Restrict usage to necessary measures;
3. Obtain the information in a fair manner;

4. Provide notice to persons about the reasons for use, and obtain consent before sharing information with third parties;
5. Keep data secure, including adoption of security control measures;
6. Carry out effective supervision of those who handle personal information;
7. Allow persons to access and revise information about them; and
8. Have a complaint handling system.

Individuals must be told why and how their personal data will be used. This can be done by notice, without specific opt-in (e.g., by website or letter). The form of notice differs depending on the situation. Employees, for example, must be told enough detail that they can understand the ultimate uses of their data. Financial Services Agency (FSA) regulations require businesses to identify by name those third parties that might receive information (a generic description is insufficient). For each particular type of intended use, the applicable Ministry regulations must be followed to design the notice properly. If the stated purpose of usage changes (e.g., an employer decides after the initial notice that it will provide personal information to a third party administrator for the purpose of setting up a 401(k) plan), a new notice must be sent. The level of detail for notices goes beyond EU and US requirements. Thus, Japanese privacy notices will require more detailed drafting, and probably more updating, than is the case outside Japan.

Third Party Disclosures

Third party disclosure follows an opt-in regime, like Europe and unlike the US. Affiliates of companies are considered third parties. Thus, if a Japanese subsidiary of a US company wants to send home addresses of Japanese employees to the US parent (so that holiday cards might be sent from the US CEO), this requires advance permission of the Japanese individuals. The originating business, under several ministry regimes, will remain accountable for what third parties do with the data. As a result, the sending business must obtain assurances from third parties regarding proper use and restrictions regarding the data to be shared.

There is a joint use exception that allows sharing of personal information with third parties without express consent, but this depends on obtaining individuals' express agreement to this at the time the privacy notice is sent to them, with a clear description that joint use is intended. The joint use must be stated in a detailed manner for it to be lawful later.

For some uses, an opt-out exception is provided for the sharing of personal data. Most businesses may share data without an express opt-in by an individual if they have provided prior notice to the person that (1) use of the data includes providing information to specified third parties; (2) specific information can be shared with third parties; (3) transfer of the data will occur by specified methods; and (4) the individual may stop the transfer upon request. Financial services businesses cannot use the opt-out exception, and are instead required to get express agreement from individuals before sharing personal data, even with affiliates.

Other Requirements Under Privacy Law

Financial services businesses face other requirements, including appointment of a Chief Privacy Officer, internal inspection and external audits, and specific ledger books about protection and use of personal data. By contrast, the Ministry of Economy, Trade and Industry Guidelines provide standards for security controls, leaving the specific method of achieving them to affected businesses (e.g., consumer credit companies). In general, Japan's Privacy Law requires more specific and detailed measures for data security than are present in other countries.

Japan's Privacy Law requires that individuals have access to personal information kept about them and that businesses respond promptly to access requests, with limited exceptions. If a person looks at data and demands a correction, the business is required to make a proper correction and notify the person of the action taken (including why a request was denied).

Unlike European countries, Japan does not have specific rules about moving personal data outside of Japan. This is because Japan makes no distinction between moving data to third parties inside or outside of Japan. In either case, the third-party disclosure and joint use rules apply.

The Privacy Law is not optional. It is backed by the potential of large fines and up to six months' imprisonment, not to mention the adverse publicity that surrounds failures in the handling of personal data. Compliance with Japan's Privacy Law must be part of a global strategy for data handling. Measures will vary depending on the nature of the business and the personal data involved. Affected businesses should be clear about the particular guidelines or rules that govern them and devise a system to meet the requirements. After that, ongoing steps must be taken to ensure the system works as designed. These measures should address what happens in the event of a breach of the privacy program that is established.

Fair Credit Reporting Act

Enacted in 1970, the Fair Credit Reporting Act ("FCRA") was designed to ensure fairness and accuracy in the creation and use of consumer reports for lending, insurance, and employment purposes. The FCRA attempts to achieve that fairness and accuracy by providing consumers with notice of and access to the information that credit bureaus and other consumer reporting agencies compile and provide to third parties for use in making decisions about providing credit and other services. The FCRA requires that certain notifications be made to consumers before a credit reporting agency may communicate any oral or written information about the individual to a creditor, insurer, or employer.

There are two types of reports that can be requested under the FCRA. A consumer report is a report which contains information bearing on an individual's credit worthiness, credit capacity, character, general reputation, and mode of living. An investigative consumer report is a report containing the same types of information, but gathered through personal interviews with friends, neighbors, or associates.

The FCRA has recently been amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). The focus of the FACT Act amendments is the prevention of consumer fraud and identity theft. Those amendments include the provision of free credit reports to consumers, providing victims of identity theft with access to information concerning the theft, allowing consumers to flag or place alerts on their accounts when theft or misuse is suspected, limiting the printing of full credit card numbers on receipts, and elimination of sensitive medical information from consumer reports.

One of the FACT Act amendments, called the "Disposal Rule," is of particular note to lenders, insurers, and employers who obtain and possess consumer information through credit and background checks. The Disposal Rule requires any entity that possesses consumer information about consumers to dispose of that information by taking "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The Federal Trade Commission ("FTC"), the body responsible for enforcing the FCRA and implementing the Disposal Rule, has proposed several examples of disposal methods that comply with the rule. For paper documents, the FTC suggests implementing and monitoring a program of burning, pulverizing, or shredding documents so that the consumer information therein cannot be reasonably reconstructed. For electronic materials, organizations need to develop and implement policies and programs that ensure that consumer information on electronic media is permanently erased and cannot be reasonably or practically reconstructed. The FTC also permits affected organizations to comply with the Disposal Rule by hiring third-party document destruction specialists to dispose of consumer information.

It is vital to note that the Disposal Rule does not establish a deadline or timeframe for the disposal of consumer information; it only dictates the procedures that must be taken when an organization decides to dispose of such information. Prior to disposing of any such records, however, lenders, insurers, employers, and others should consult with legal counsel to determine whether recordkeeping or other legal obligations require the preservation of such records.

Action Guide for Data Security Breaches

In recent months, frequent reports of data security breaches involving personal information of individuals in the United States have made headlines. Beginning with news reports in February 2005 of the disclosure of a massive data loss at ChoicePoint, one of the largest US data brokers, reports of similar data security breaches continued through the spring months involving Bank of America, Household Bank, DSW Shoe Warehouse, and LexisNexis. Most recently, MasterCard and VISA reported a data security breach involving a third-party processor that affected thousands of cardholders.

While it is logical to deduce from these reports that the security measures being used to protect Americans' personal information are deficient, in fact the recent news reports and the massive publicity surrounding such breaches can be attributed to a California law that was passed in 2002 and became effective July 1. This law requires that companies that do business in California must notify affected consumers if personal information maintained in computerized data files has been compromised by unauthorized access. According to Beth Givens, Director of the Privacy Rights Clearinghouse: "In the past, companies usually did not notify their customers when their electronic data had been compromised, subsequently leaving them at risk for identity theft or financial fraud. Now individuals can take the appropriate proactive steps to safeguard their financial health when they learn that their information may have been accessed by hackers or unauthorized employees."

The California law applies to companies doing business in California, and its scope is quite broad. Since there is no definition of what constitutes doing business, and California case law on the issue is not definitive, most companies have taken a conservative approach and have decided to notify if they have California residents as customers, even if they have no physical presence in the state.

Personal information is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social Security number;
(2) Driver's license number or California Identification Card number;
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Notification must be sent in written form to the consumer, either by U.S. mail or electronically, unless the cost of such notice is too great, in which case the statute permits certain substitute notice procedures, including publication of notice in statewide media and conspicuous posting on the company's web site. Additional best practices guidance is available from the California Office of Privacy Protection.

Notifying only California residents of a data security breach may be a consideration, but given the publicity that often follows such a notification, good business sense dictates notification of all affected consumers, no matter what their state of residence. Further, while California has been at the forefront in enacting consumer privacy protection measures, other states have begun to enact such measures as well. In recent months Georgia, Minnesota, Montana, and North Dakota have enacted laws requiring both businesses and government agencies to report a breach of computer security to those individuals affected. These laws have become effective or will be effective within the next six months. Further, pending legislation in many other states would require such notification measures to be taken.

Additionally, numerous bills have been introduced during this session of the US Congress that would address the problem of unauthorized disclosure of consumer information, and attempt to provide further protections against identity theft. Some impose restrictions on the disclosure and use of Social Security numbers; others would regulate information brokers and protect individual rights with respect to personally identifiable information; still others would either prohibit or regulate the distribution of personal information outside the United States without the individual's prior consent. Most notable is the Notification of Risk to Personal Data Act (S751), introduced by Senator Dianne Feinstein, which is patterned after the California law and would require notification to consumers of a security breach. It is a good bet that one or more of these bills will be passed this year.

The federal banking regulators have also been proactive on the issue of notifying consumers of a security breach involving regulated financial institutions. An Interpretative Guidance (the "Guidance") recently issued by the banking regulatory agencies is instructive as to the appropriate response by an organization when faced with an unauthorized disclosure of its customers' information.

Pursuant to Section 501(b) of the Gramm-Leach-Bliley Act, the federal banking regulators previously issued the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines", formerly known as the "Interagency Guidelines Establishing Safeguards for Customer Information"). These Security Guidelines direct every financial institution to develop an information security program, which shall include an assessment of risks to its information security. In furtherance of the Security Guidelines, the Guidance was issued to assist financial institutions in developing their security programs. The Guidance states that a financial institution has an affirmative duty to protect its customers' information against unauthorized access, and that notifying its customers of unauthorized access to or use of the customer's information is a key part of that duty. To that end, as part of its security program, the financial institution must design a response program, including customer notification procedures, which it can follow in the event of unauthorized access to or use of nonpublic customer information.

The Guidance uses a two-part test:

1) Is the information sensitive customer information?
2) Is misuse of the information reasonably possible?

With the goal of preventing substantial harm or inconvenience to customers, the Guidance places the following types of information within the definition of "sensitive customer information": a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The definition also includes any combination of the aforementioned components of customer information that would allow someone to access the customer's account. This definition is notably similar to the definition of personal information in the California notification law, the unauthorized disclosure of which requires notification.

The Guidance permits the institution to assess the potential impact of the unauthorized disclosure or access in deciding its course of action. It states that if the institution can determine that misuse of the information is reasonably possible, it should notify all customers in the group. However, if the institution can reasonably determine that the potential for misuse of the disclosed information is limited to a particular subgroup of the affected customers, it may limit its disclosure to those specific customers. In contrast, the California law speaks in terms of a breach of the security system, and describes this as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. The California standard would appear to provide less latitude, since it bases the requirement for notification on the actual compromise or breach of the security, without allowing for the further analysis of whether there is a potential for misuse of the information.
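The two definitions just compared can be put side by side in code. The following is an added example, not from the newsletter and not any regulator's tool: it applies the California "personal information" test and the Guidance two-part test (with its subgroup limitation) to a constructed set of exposed records. The field names, the per-field encryption flags and the reading of "unencrypted" for an account number plus its code are assumptions.

```python
"""Breach-notification triage for the two definitions compared above.

Added example: it is not part of the original newsletter and not any
regulator's tool. It encodes the rules as the text paraphrases them:
  * California: (first name or first initial) + last name, plus one listed
    data element, where the name or the element is not encrypted;
  * the banking Guidance: "sensitive customer information" plus the two-part
    test (sensitive? misuse reasonably possible?) with the subgroup limitation.
Field names, the encryption flags and the sample records are constructed.
"""
from dataclasses import dataclass

# California data elements as listed in the text. Account and card numbers
# count only together with a code, access code or password permitting access.
CA_ELEMENTS = {"ssn", "drivers_license", "ca_id_card", "account_number", "card_number"}
CA_NEEDS_CODE = {"account_number", "card_number"}
CA_ACCESS_CODES = {"security_code", "access_code", "password"}

# Guidance "sensitive customer information": one identifier together with one
# of these elements (the Guidance definition quoted above says nothing about encryption).
GUIDANCE_IDENTIFIERS = {"first_name", "last_name", "address", "phone"}
GUIDANCE_ELEMENTS = {"ssn", "drivers_license", "account_number", "card_number", "pin", "password"}


@dataclass
class CompromisedRecord:
    """One exposed customer record: field name -> True if that field was encrypted."""
    customer_id: str
    fields: dict

    def has(self, name):
        return name in self.fields

    def plain(self, name):
        """True if the field was present and stored in the clear."""
        return name in self.fields and not self.fields[name]


def ca_personal_information(rec):
    """California definition: name plus a listed element, name or element unencrypted."""
    has_name = (rec.has("first_name") or rec.has("first_initial")) and rec.has("last_name")
    if not has_name:
        return False
    # The name counts as unencrypted if any present part of it is in the clear.
    name_plain = any(rec.plain(p) for p in ("first_name", "first_initial", "last_name"))
    for elem in CA_ELEMENTS & set(rec.fields):
        if elem in CA_NEEDS_CODE:
            codes = CA_ACCESS_CODES & set(rec.fields)
            if not codes:
                continue  # a bare account or card number is not a listed element
            # Interpretation used here: the combination is unencrypted only when the
            # number and a code are both in the clear (either alone gives no access).
            elem_plain = rec.plain(elem) and any(rec.plain(c) for c in codes)
        else:
            elem_plain = rec.plain(elem)
        if name_plain or elem_plain:
            return True
    return False


def guidance_sensitive(rec):
    """Guidance step 1: is this sensitive customer information?"""
    return any(rec.has(i) for i in GUIDANCE_IDENTIFIERS) and any(
        rec.has(e) for e in GUIDANCE_ELEMENTS)


def ca_notify(records):
    """California: the compromise itself triggers notice; there is no misuse analysis."""
    return [r.customer_id for r in records if ca_personal_information(r)]


def guidance_notify(records, misuse_reasonably_possible, limited_to=None):
    """Guidance step 2: notify the whole sensitive group when misuse is reasonably
    possible, or only the subgroup to which that potential can reasonably be limited."""
    sensitive = [r.customer_id for r in records if guidance_sensitive(r)]
    if not misuse_reasonably_possible:
        return []
    if limited_to is None:
        return sensitive
    return [c for c in sensitive if c in limited_to]


# Constructed sample incident (not real data). True means the field was encrypted.
SAMPLE = [
    CompromisedRecord("alice", {"first_name": False, "last_name": False, "ssn": False}),
    # Card number with no access code: not a California element, but sensitive under the Guidance.
    CompromisedRecord("bob", {"first_name": False, "last_name": False, "card_number": False}),
    # Name and licence number all encrypted: no California trigger.
    CompromisedRecord("carol", {"first_initial": True, "last_name": True, "drivers_license": True}),
    # No name at all: outside California's definition; address plus PIN is sensitive under the Guidance.
    CompromisedRecord("dave", {"address": False, "phone": False, "pin": False}),
    # Name in the clear, card number and code encrypted: California's "either" clause still applies.
    CompromisedRecord("erin", {"first_name": False, "last_name": False, "card_number": True, "security_code": True}),
    # Name plus e-mail only: under neither definition.
    CompromisedRecord("frank", {"first_name": False, "last_name": False, "email": False}),
]

if __name__ == "__main__":
    print("California notice:", ca_notify(SAMPLE))
    print("Guidance, whole group:", guidance_notify(SAMPLE, True))
    print("Guidance, subgroup only:", guidance_notify(SAMPLE, True, limited_to={"bob", "frank"}))
```

The sample shows the latitude the text describes: the Guidance list is longer but can be narrowed to a subgroup, whereas the California list follows from the compromised fields alone.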
The Guidance also requires that the notice be given in a clear and conspicuous manner, that it describe the incident generally and the type of customer information that was disclosed, and that it include an explanation of what the institution has done to protect the customers' information from further unauthorized access. The telephone number of a contact at the institution should be included as well, in the event the customer desires further assistance. Finally, the notice should remind customers of the need to remain vigilant over the next twelve to twenty-four months and to report any incidents of suspected identity theft to the institution. Other points that the Guidance suggests may be addressed in the notice include:

- Recommending that customers review their account statements and immediately report any suspicious activity to the financial institution;
- Describing fraud alerts and explaining how the customer may place one on his or her credit report;
- Recommending that the customer periodically obtain credit reports from all three nationwide credit reporting agencies, and a reminder that the customer may obtain a credit report free of charge annually;
- Reminding customers of the availability of the FTC's online guidance regarding what a consumer can do to protect against identity theft, along with the FTC's web site address and toll-free number.

Finally, the Guidance recommends that the notice be delivered in a timely manner, and by any means designed to ensure receipt, whether by telephone, e-mail (if the institution has a valid e-mail address and the customer has agreed to receive notice electronically), or regular U.S. Mail. As noted above, the California law also provides for notice by U.S. or electronic mail, but provides for other alternatives if the cost is prohibitive.

Dealing with an unauthorized disclosure of consumer information can be a tumultuous experience for a business, particularly where the business believes it has been vigilant as to its security program and the preventive measures it has adopted to buttress that security. But, as many businesses have learned and continue to learn, no security program is airtight. A response program should always be part of a business's security program, and is in fact required of any financial institution subject to the Gramm-Leach-Bliley Act. In the event of an unauthorized disclosure, a response program can provide structure and guidance that will facilitate a prompt and appropriate reaction, including notification where warranted. While the Guidance discussed above is binding only upon financial institutions subject to regulation by the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corporation, or the Office of Thrift Supervision, it nevertheless provides a template for other types of businesses in structuring their own response programs. Additionally, a business also needs to review where its customers reside, in the event other state laws may be applicable. Prompt and appropriate action in the wake of an unauthorized disclosure makes good business sense: it may reduce a business's legal risk, and it is important to remember that every communication with a customer presents an opportunity.

The HIPAA Security Rules Are Here

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Standards for the protection of electronic health information became effective on April 20, 2005 for health care providers, health care clearinghouses, and health plans with annual receipts of more than $5 million ("Covered Entities"). The Security Rules become effective for health plans with annual receipts of $5 million or less on April 20. The Rules are published in Title 45 of the Code of Federal Regulations (45 CFR).

HIPAA's security standards for Covered Entities are based on four general principles. Covered Entities must:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules.
4. Ensure that its workforce complies with the Security Rules.

The Security Rules do not provide specific measures that Covered Entities must implement. Instead, Covered Entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications of the Security Rules. In deciding which security measures to use, a Covered Entity takes into account factors such as the size, complexity, and capabilities of the Covered Entity; the Covered Entity's technical infrastructure, hardware and software security capabilities; the costs of security measures; and the probability and criticality of potential risks to electronic protected health information.

Some of the Rule's implementation specifications are mandatory. For example, a Covered Entity must conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Covered Entity. On the other hand, some of the implementation specifications are only "addressable," meaning that a Covered Entity must determine whether an implementation specification is a reasonable and appropriate safeguard in its environment when considered with reference to its likely contribution to protecting the Covered Entity's electronic protected health information. If a Covered Entity determines that an implementation specification is not reasonable and appropriate, it must document the basis for the determination and it must implement an equivalent alternative measure if there is a reasonable and appropriate alternative.

The Security Rules require Covered Entities to implement administrative, physical, and technical safeguards and to meet other organizational and procedural requirements. The administrative safeguards require Covered Entities to put into place a security management process, which includes risk analysis, risk management, and a sanction policy. In addition, Covered Entities must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

To comply with the physical safeguard requirements, a Covered Entity must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Covered Entities must implement a data recovery process and workstation security rules, and establish procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information. Covered Entities must also develop policies and procedures to address the disposal or reuse of hardware or electronic media on which electronic protected health information is stored.

A Covered Entity must implement procedures to allow access to electronic protected health information only to those persons or software programs that have been granted access rights to the information. Finally, the Covered Entity must put in place mechanisms to assure that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Covered Entities should also revise their existing Business Associate Agreements. In addition to the requirements imposed by the HIPAA Privacy Rules, the Security Rules provide that the contract between a Covered Entity and a Business Associate must provide that the Business Associate will:

(i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity;
(ii) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and
(iii) report to the Covered Entity any security incident of which it becomes aware.

The Security Rules require Covered Entities to maintain the policies and procedures implemented to comply with the Security Rules in written form and to retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.

If you need more information about the HIPAA Security Rules, please contact any member of the Frost Brown Todd Health Law Practice Group. You may also find information at the United States Department of Health and Human Services website.


More information

Fair Credit Reporting Act Compliance Guide

Fair Credit Reporting Act Compliance Guide Fair Credit Reporting Act Compliance Guide FAIR CREDIT REPORTING ACT TABLE OF CONTENTS Page I. INTRODUCTION...1 A. Increased Applicant and Employee Rights...1 B. What is a "Consumer Report?"...1 C. What

More information

Responding to New Identity Theft Laws

Responding to New Identity Theft Laws Responding to New Identity Theft Laws March 2011 Privacy Expectations Today, there is increasing recognition that an individual has a legitimate interest in controlling the collection, use and disclosure/dissemination

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

2005 -- H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

2005 -- H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 00 -- H 11 SUBSTITUTE A AS AMENDED LC0/SUB A/ STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 00 A N A C T RELATING TO IDENTITY THEFT PROTECTION Introduced By: Representatives Gemma, Sullivan,

More information

Fair and Accurate Credit Transactions Act: More Protection for Consumers

Fair and Accurate Credit Transactions Act: More Protection for Consumers Fair and Accurate Credit Transactions Act: More Protection for Consumers Businesses must heed FACTA requirements for protecting consumers credit records or face criminal or monetary consequences Stacey

More information

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Jill Moore UNC Institute of Government April 2007 In 2005, the N.C. General Assembly passed

More information

Protecting. Personal Information A Business Guide. Division of Finance and Corporate Securities

Protecting. Personal Information A Business Guide. Division of Finance and Corporate Securities Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types

More information

COUNCIL POLICY NO. C-13

COUNCIL POLICY NO. C-13 COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative

More information

January 2007. An Overview of U.S. Security Breach Statutes

January 2007. An Overview of U.S. Security Breach Statutes January 2007 An Overview of U.S. Security Breach Statutes An Overview of U.S. Security Breach Statutes Jeffrey M. Rawitz and Ryan E. Brown 1 This Jones Day White Paper summarizes what is generally entailed

More information

CHAPTER 226. C.56:11-44 Short title. 1. This act shall be known and may be cited as the "Identity Theft Prevention Act."

CHAPTER 226. C.56:11-44 Short title. 1. This act shall be known and may be cited as the Identity Theft Prevention Act. CHAPTER 226 AN ACT concerning identity theft, amending P.L.1997, c.172 and supplementing various parts of the statutory law. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention Oklahoma State University Policy and Procedures Rules and Identity Theft Prevention 3-0540 ADMINISTRATION & FINANCE July 2009 Introduction 1.01 Oklahoma State University developed this Identity Theft Prevention

More information

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally

More information

Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements

Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements 1.0 Introduction In 2003, Congress enacted the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. Section 1681,

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

IDENTITY THEFT DETECTION POLICY

IDENTITY THEFT DETECTION POLICY IDENTITY THEFT DETECTION POLICY Approved By: President s Cabinet Date of Last Revision: May 5, 2009 Responsible Office/Department: Business and Finance Policy Statement Grand Valley State University (GVSU)

More information

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft if he or she: Knowingly

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law. HSBC Privacy Notice HSBC's Privacy Principles HSBC Bank Canada is a subsidiary of HSBC Holdings plc which, together with its subsidiaries and affiliates, is one of the world s largest banking and financial

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009

[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009 [FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM Effective May 1, 2009 Because [FACILITY NAME] offers and maintains covered accounts, as defined by 16 C.F.R. Part 681 (the Regulations ), [FACILITY NAME]

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

FACTA Identity Theft Red Flags Program. www.chs.acfei.com

FACTA Identity Theft Red Flags Program. www.chs.acfei.com 1 FACTA Identity Theft Red Flags Program Module 1 Fair and Accurate Credit Transactions Act Overview Identity thieves use individual s personal identifiable information to open new accounts and misuse

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

CROSS-BORDER HANDBOOKS www.practicallaw.com/dataprotectionhandbook 1

CROSS-BORDER HANDBOOKS www.practicallaw.com/dataprotectionhandbook 1 Data Protection 2009/10 United States United States Ieuan Jolly, Loeb & Loeb LLP www.practicallaw.com/2-385-9889 REGULATION 1. What national law(s) apply to the collection and use of personal data? If

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

2015 -- S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D

2015 -- S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D 0 -- S 01 SUBSTITUTE B LC000/SUB B/ S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 0 A N A C T RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION Introduced By: Senators

More information

NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS

NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau s website,

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER Thomas P. DiNapoli COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE GOVERNMENT ACCOUNTABILITY Audit Objectives... 2 Audit Results - Summary... 2 Background... 2 Audit Findings...

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

David Coble Internal Control Officer

David Coble Internal Control Officer WESTERN WASHINGTON UNIVERSITY S RED FLAGS IDENTITY THEFT PREVENTION PROGRAM IMPLEMENTING SECTIONS 114 AND 315 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 David Coble Internal Control Officer

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009 Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program

More information

KANSAS STATE UNIVERISTY

KANSAS STATE UNIVERISTY KANSAS STATE UNIVERISTY DISCLOSURE AND AUTHORIZATION [IMPORTANT PLEASE READ CAREFULLY BEFORE SIGNING AUTHORIZATION] DISCLOSURE REGARDING BACKGROUND INVESTIGATION PER 59(1/2013) Kansas State University

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

NC General Statutes - Chapter 75 Article 2A 1

NC General Statutes - Chapter 75 Article 2A 1 Article 2A. Identity Theft Protection Act. 75-60. Title. This Article shall be known and may be cited as the "Identity Theft Protection Act". (2005-414, s. 1.) 75-61. Definitions. The following definitions

More information

Privacy of Consumer Financial Information

Privacy of Consumer Financial Information Background and Overview Introduction Title V, Subtitle A of the Gramm-Leach-Bliley Act ( GLBA ) 1 governs the treatment of nonpublic personal information about consumers by financial institutions. Section

More information

Regulation P Privacy of Consumer Financial Information

Regulation P Privacy of Consumer Financial Information Regulation P Privacy of Consumer Financial Information BACKGROUND AND OVERVIEW Title V, Subtitle A of the Gramm-Leach-Bliley Act ( GLBA ) governs the treatment of nonpublic personal information about consumers

More information

Re: Big Data Request for Information

Re: Big Data Request for Information March 31, 2014 Attn: Big Data Study Office of Science and Technology Policy Eisenhower Executive Office Building 1650 Pennsylvania Avenue NW Washington, D.C. 20502 Ladies and Gentlemen: Re: Big Data Request

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE OF ADDRESS REGULATIONS Examination Procedures

IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE OF ADDRESS REGULATIONS Examination Procedures Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-105-2008 October 16, 2008 IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH

State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION Effective August 31, 2007 Publication Name(s): Version #(1): ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Risk Management Examiners

Risk Management Examiners Risk Management Examiners Introduction to Red Flags Examination Procedures Section 615(e) requires the federal banking agencies and the NCUA (the Agencies) as well as the FTC to prescribe regulations and

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data;

(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data; Legal Updates & News Legal Updates Pending Changes to California s Data Breach Law: New Burdens for Retailers? September 2007 by Christine E. Lyon, William L. Stern Related Practices: Privacy and Data

More information

Data Security Breach Notice Letter

Data Security Breach Notice Letter View the online version at http://us.practicallaw.com/3-501-7348 Data Security Breach Notice Letter DANA B. ROSENFELD & ALYSA ZELTZER HUTNIK, KELLEY DRYE & WARREN LLP A letter from a company to individuals

More information

Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance?

Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Article contributed by: Nancy L. Perkins, Arnold & Porter LLP As of November 1, 2008,

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009 MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009 Current Laws: A person may not knowingly, willfully, and with

More information

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

Data Leakage: What You Need to Know

Data Leakage: What You Need to Know Data Leakage: What You Need to Know by Faith M. Heikkila, Pivot Group Information Security Consultant Data leakage is a silent type of threat. Your employee as an insider can intentionally or accidentally

More information

YOUR DUTIES UNDER THE FAIR CREDIT REPORTING ACT

YOUR DUTIES UNDER THE FAIR CREDIT REPORTING ACT YOUR DUTIES UNDER THE FAIR CREDIT REPORTING ACT The Staff of the Consumer Financial Protection Bureau (CFPB) has prepared the following required notices in compliance with the Fair Credit Reporting Act

More information

Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies

Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies The staff of the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit

More information

Fair Credit Reporting Act (FCRA) Basics. A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice

Fair Credit Reporting Act (FCRA) Basics. A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice Fair Credit Reporting Act (FCRA) Basics A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice Fair Credit Reporting Act (FCRA) Basics A Primer for U.S. Employers

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

SENATE FILE NO. SF0065. Sponsored by: Senator(s) Johnson and Case A BILL. for. AN ACT relating to consumer protection; providing for

SENATE FILE NO. SF0065. Sponsored by: Senator(s) Johnson and Case A BILL. for. AN ACT relating to consumer protection; providing for 00 STATE OF WYOMING 0LSO-00 SENATE FILE NO. SF00 Identity theft protection. Sponsored by: Senator(s) Johnson and Case A BILL for AN ACT relating to consumer protection; providing for notice to consumers

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information