Exhibit A. Federal Statutes Impacting Data Security

Transcription

1 Exhibit A Federal Statutes Impacting Data Security Michele A. Whitham Partner, Founding Co-Chair Security & Privacy Practice Group Foley Hoag LLP 155 Seaport Boulevard Boston, MA 02210

2 Federal Law Citation Information / Subject Matter Protected Bad Acts Targeted Penalties / Damages Cable Communications Policy Act (CCPA) U.S.C. 551 Information contained in cable records Cable companies must notify subscribers about collection and use of personal information; companies cannot disclose a subscriber s viewing habits Enforced with a private right of action Children s Online Privacy Protection Act (COPPA) U.S.C. 6501, et seq., 16 C.F.R. 312 Personally identifiable information: name, address, address or contact information, SSN, persistent identifier (cookie), combination of name or photograph with other information that would permit physical or online contacting, or information collected about child or parents that combines with other personal information Website / online service operator cannot collect or disclose personal information from a child under 13 without obtaining requisite prior parental consent No private right of action; enforcement carried out by FTC (and others, for narrow issues); penalties up to $11,000 per violation Computer Fraud and Abuse Act (CFAA) 18 U.S.C Protected computers covered: those used by financial institutions, the US government, and those used in communications involving interstate commerce or foreign commerce (does not have to be owned by government if involved in interstate or foreign commerce) Accessing computer without authorization in order to obtain information, affect use by government involving an interstate or foreign transaction, further a fraud when value is obtained (over $5,000 in any one year period), intentionally or recklessly damage the computer, traffic in passwords, or to exhort payment Common Bad Acts: Unauthorized access to websites, gathering of Civil remedies: damage/loss must fit into the following categories: aggregated damage exceeding $5,000, potential modification or impairment of a medical diagnosis, examination, treatment or care of one or more persons, physical injury, a threat to public health or safety, or damage to a government computer that is used in furtherance of the administration of justice, national All rights reserved.

3 addresses, diversion of customers or harvesting of customer lists, use of bots, defective software, setting of cookies, and authorized users exceeding scope of authority defense, or national security Criminal remedies: acts are punishable by fine and/or imprisonment and apply to both actual and attempted offenses Consumer Financial Protection Act 2010 Pub. L. No , 124 Stat Controlling the Assault of Non- Solicited Pornography and Marketing Act (CANSPAM) U.S.C , 18 U.S.C and 28 U.S.C. 994 Commercial messages whose primary purpose is the advertisement or promotion of a product or service The sender of the as well as the advertiser within the are subject to CANSPAM A sender of commercial is permitted to send communications to a recipient unless and until that recipient has opted out from such communications; every individual must be permitted to opt out, and thus, each message must have clear opt-out mechanism Also prohibited: false or misleading transmission of information, false or misleading subject lines, address harvesting and dictionary attacks, and automatically generating accounts Further, sexually explicit messages must be clearly labeled as such A private right of action for internet service providers exists along with FTC enforcement Injunctions and damages are available. Actual monetary damages lost by users of Internet access service or statutory damages in the amount of $250 per violation ($100 for internet service providers). Statutory damages are capped at $2,000,000 for actions by states and $1,000,000 for internet service providers, but can be trebled in cases of willful and knowing violation Driver s Privacy Protection Act (DPPA) U.S.C Motor vehicle records held by states State must obtain a person s consent before disclosing motor vehicle information to marketers Civil: Plaintiff can get actual damages, not less than $2,500, punitive damages if willful or reckless violation, reasonable attorneys fees and costs, or other equitable relief All rights reserved.

4 Criminal: States DMV s can be fined up to $5,000 per day for each day of substantial noncompliance Electronic Communications Privacy Act (ECPA) U.S.C Wire (including cordless), oral or electronic communications; stored communications Title I (Wiretap Act): - Intentionally intercepting or endeavoring to intercept (or procuring another person to do so) protected communications, including through the use of electronic, mechanical, or other devices. - Disclosing or using the intercepted information, including use in interfering with a criminal investigation, is also illegal Title I (Wiretap Act): - Private cause of action available against persons or entities; damages include injunction, declaratory judgment, actual or statutory damages ($100 per day for each day of violation for $10,000, whichever is greater), punitive damages, reasonable attorney s fees and other litigation costs reasonably incurred Title II (Stored Communications Act): - Criminal remedies also available. - Obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage Title II (Stored Communications Act): - Same as Title I, but damages are the greater of actual damages and profits earned by the violator or $1,000 Electronic Funds Transfer Act (EFTA) 15 U.S.C Direct debit electronic fund transfers from bank accounts (applies to bank or person who, Customers must receive initial disclosure from entity detailing transfer processes, error-reporting The EFTA provides for both actual and statutory damages, and allows for the recovery of costs All rights reserved.

5 directly or indirectly, holds an account belonging to a consumer) including preauthorized automatic transfers procedures, and notification details (including ATM uses) and attorneys' fees in successful actions. Statutory damages are determined by the court based on the frequency and persistence of noncompliance, the nature of noncompliance, the extent to which the noncompliance was intentional, the resources of the defendant and the number of persons adversely affected. The EFTA places caps on statutory damages. Unfortunately, the manner in which the caps are applied is uncertain. In the case of an action filed by an individual, statutory damages are at least $100, but not greater than $1,000. Employee Polygraph Protection Act (EPPA) U.S.C Polygraph examinations Private sector employers cannot use polygraph testing on employees / prospective employees unless it is in connection with an ongoing investigation involving economic loss or injury to the employer s business, such as theft, embezzlement, misappropriation, etc when the employer has reasonable suspicion Civil penalties against employers may not exceed $10,000; injunctions also available A private right of action also exists, and in these cases, costs and fees are available Fair Credit Reporting Act (FCRA) U.S.C Data contained in consumer report, including personal and financial data Consumer reporting agencies must maintain reasonable procedures to ensure that information in consumer reports will be disclosed only for Only individual customers may seek to invoke remedial provisions; willful noncompliance results in actual and punitive All rights reserved.

6 permissible reasons, including in response to court order / legal process, pursuant to written instructions of consumer, to a person who intends to use the information in connection with credit transaction, employment purposes, or insurance underwriting services, or to obtain a government license, a loan, to a person who has legitimate business need for the information, or to a child support enforcement agency damages (punitive damages not available for negligent noncompliance), as well as costs and attorney s fees; any person who knowingly and willfully obtains information on a consumer under false pretenses, or any credit reporting agency that provides information to a person not authorized to receive it, faces fines and/or imprisonment of up to 2 years Fair and Accurate Credit Transactions Act (FACTA) Pub. L. No Stat Data contained in consumer report, including personal and financial data Identity theft; covered entities that hold customer accounts must implement identity theft prevention measures designed around recognizing and responding to Red Flags (fraud alert, credit freeze, address discrepancy, inconsistent pattern of activity, altered documents, inconsistent information, personal information similar to large number of other individuals opening accounts, etc.) See above (FCRA) Family Educational Rights and Privacy Act (FERPA) U.S.C. 1232g Student records: records which contain information directly related to students and which are kept by an education agency or institution Educational agency or institution cannot release student records without written consent of parents; nor can educational agencies or institutions release or provide access to personally identifying information within records No private right of action exists; enforcement mechanism is withholding of government funding Exceptions exist for law enforcement (I.E. drug and alcohol All rights reserved.

7 disclosures) Freedom of Information Act (FOIA) U.S.C. 552 Executive agency records Agencies must give public access to records; people requesting records need not state a reason; exceptions include personnel and medical files, and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy as well as information compiled for law enforcement purposes disclosure of which would yield unwarranted invasion of personal privacy Exceptions to rule used as defense to compliance Genetic Information Nondiscrimination Act (GINA) P.L , 122 Stat. 881 Genetic information, I.E. information about individual s genetic tests or those of family members (including fetuses), the manifestation of a disease or disorder in an individual s family members or any request for, or receipt of genetic services or participation in clinical research that includes genetic services by an individual Employers and other covered entities may not collect, acquire or publicize this information (with exceptions for inadvertence, public records, and when employer provides genetic services) Remedies for violations include corrective action and monetary penalties ($100 per day of noncompliance, with a minimum of $2,500, or $15,000 if violations are more than de minimis) Private right of action exists Gramm-Leach-Bliley Act (GLBA) U.S.C Credit card applications, account histories, name address, or telephone number in conjunction with SSN, passwords, account numbers Interagency Guidance requires every financial institution to develop and implement a risk-based response program to address incidents of unauthorized access to customer information No private right of action; no monetary remedy; enforcement left to FTC which can merely implement the standards associated with the act, and seeking injunctions preventing an institution from disclosing information in violation of GLBA Health Insurance Pub. L. No. Protected Health Information Covered entities cannot disclose Government enforcement: entity All rights reserved.

8 Portability and Accountability Act (HIPAA) , 110 Stat (PHI): individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or transmitted or maintained in any other form; HITECH Act (part of Stimulus Act) makes Business Associates of entities subject to privacy and security provisions regarding this information PHI; patient authorization needed for most purposes other than disclosure for treatment, payment for treatment, and healthcare operations; entities must impose administrative, physical and technical safeguards, as well as organizational requirements and security policies and procedures violating privacy provisions is subject to civil fines. Penalties range from $100 per violation, up to $50,000 per violation (total max penalty is $1,500,000 during single calendar year); criminal penalties including fines and incarceration available for egregious violations Mail Privacy Statute 39 U.S.C Prohibits opening of mail without a search warrant or addressee s consent Privacy Act of U.S.C. 552a Applies to federal agencies systems of records which contain individuals personal information Prevents agencies from disclosing information from a system of records without the express consent of an individual to whom the information pertains (subject to routine use exception) Privacy Impact Assessment must be completed when an agency is developing new technology that will handle or collect personal information, developing system revisions, or issuing a new or updated rulemaking that affects personal information Privacy Protection Act of U.S.C. 2000aa Work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication Subpoena is needed to obtain these work product materials; party can challenge subpoena in court without having law enforcement officials intrude on premises N/A Right to Financial Privacy Act (RFPA) 12 U.S.C Customers records from financial institutions Federal government cannot obtain records unless it obtains (a) a search warrant supported by probable cause, (b) the customer s consent or Customer has right of action against the agency or the institution, and civil penalties of at least $100 and punitive All rights reserved.

9 (c) a specifically proscribed procedural device such as a subpoena served upon the customer damages are available Telemarketing and Consumer Fraud Abuse and Prevention Act 15 U.S.C Telemarketer phone calls Telemarketers must clearly tell consumers at outset of call the identity of the seller, the purpose for the call, and what good or service the telemarketer is offering See also Federal and State Do-Not- Call Lists Telephone Consumer Protection Act of U.S.C. 227 Telemarketer phone calls Telemarketers must cease calling individual once request has been made Individuals can sue for damages of up to $500 for each call See also Federal and State Do-Not- Call Lists Video Privacy Protection Act of U.S.C Customer video rental or purchase information Videotape service providers cannot disclose information Private right of action exists; video companies that violate the act may be liable for damage awards of at least $2,500, punitive damages, costs and attorneys fees All rights reserved.