UNDERSTAND YOUR UNIVERSE: KNOW YOUR DATA-PRIVACY OBLIGATIONS



This notebook is a publication of Miller Nash LLP. It is provided for informational purposes only and does not constitute legal advice or legal opinion about specific situations. Readers are urged to consult with legal counsel concerning their own specific facts and circumstances and any specific legal questions. For further information about the contents of this notebook, please contact Miller Nash client services by e-mail at clientservices@millernash.com or by phone at 877.220.5858. Copyright 2014.

David R, Brian Sniffen, Paul Fruz, and Emily Raymond

Data privacy and security are some of the most important emerging legal issues in recent times. Advancements in technology have made it easier than ever to gather immense quantities of information about all of us and at the same time have created risks of unauthorized disclosure and use of that information. Many familiar companies (such as Target) have suffered damaging, high-profile data breaches that exposed them to lawsuits and led to dismissal of company board members and officers. Regulators are playing catch-up by trying to develop laws to confront these new challenges or in some cases are adapting old laws to meet them, with varying success.

In this new environment, it is essential for companies to understand how data security and privacy laws affect them and the unexpected ways in which these issues are intertwined with their operations. Many state and federal laws dictate how data is obtained, stored, used, protected, and disposed of. Companies must also develop policies that conform their practices to these laws and must train employees to implement them. Many companies are confronting these issues for the first time. Some are adapting existing policies to evolving risks that are difficult to anticipate. But the law may not always offer enough guidance to give companies the comfort of a regulatory safe harbor. To help meet this challenge, we present this introduction to U.S. data-privacy law to highlight rules that all companies should be aware of and help with high-level issue-spotting.

I. OVERVIEW.

U.S. data-security law consists of a collection of federal and state laws. There is no overarching, comprehensive data-security law that covers all issues. On the federal side, the laws tend to be specific to particular types of data, such as financial data or health data. Or they address specific situations, such as credit accounts. The Federal Trade Commission (the "FTC") essentially fills the role as privacy regulator based on its jurisdiction over unfair and deceptive practices in commerce. The FTC punishes companies that fail to protect data from unauthorized disclosure or use, and issues guidance to businesses to help them protect data. On the state side, almost every state has a law that details how companies must respond if there is a data breach. These responses typically involve sending a notice to the affected individuals, contacting law enforcement, and taking steps to mitigate harm from the breach and prevent further breaches. States also have their own consumer-protection laws that are similar to the FTC's, so in some cases they may take action against companies that misuse data. State laws typically regulate disposal of sensitive data.

As a general note, you will often see the terms "data security" and "data privacy" used interchangeably. It is probably more accurate to think of data security as involving the protection of data from unauthorized disclosure, such as theft by hackers. Data privacy involves the appropriate and legal collection and use of data, such as gathering information from customers online and using it to target advertising to them, while using the required disclosures.

II. GENERAL DATA-SECURITY AND PRIVACY LAWS APPLICABLE TO VIRTUALLY ALL BUSINESSES.

A. Data-breach notification laws.

A data breach can be a dramatic and often newsworthy event. These events occur without warning, and the initial hours of investigation can involve a lot of confusion as companies scramble to determine what actually happened. We recommend that companies have a data-breach policy in place before any such event, so that everyone knows what to do if it occurs. The applicable data-breach law is generally based on the residency of the person whose information has been compromised. In some cases, this means complying with the laws of many different states. Fortunately, the laws are often close enough that a single notification to those affected individuals that incorporates all the state-required elements will generally suffice. We have summarized the data-breach laws of Oregon and Washington below and discussed potential litigation risk from breaches.

1. Oregon. Oregon's data-breach law (also known as the Oregon Consumer Identity Theft Protection Act) is codified at ORS 646A.604. It provides that anyone owning, maintaining, or possessing personal data in the course of his or her business or volunteer work must give notice of any data breach to any Oregon consumer (defined as an Oregon resident) whose personal data was included in the breach. Additionally, any party that possesses or maintains personal information on another's behalf must notify the original owner or licensor of the information upon discovery of a breach. All notifications must be made as quickly as possible, unless delayed disclosure is requested by law enforcement agencies. Notice can be given by mail, e-mail, telephone, or, in certain circumstances if notifying each affected consumer would be too burdensome, by posting a notice on the person's or business's website and notifying major statewide television and newspaper media.

2. Washington. Similarly, RCW 19.255.010 requires any person or business that owns or licenses computerized personal data to disclose any breach of security to Washington residents whose data is believed to have been accessed by an unauthorized person. Washington defines personal information under this statute as name plus social security number, debit/credit-card number, or driver's license/state ID number. This law applies to employee data. Any business maintaining computerized personal data that the business does not own must notify the owners of the data in the event of a potential breach.

3. Litigation risk due to data breaches. Sending out the required data-breach notification might not end the matter, since a data breach can result in a lawsuit filed by the affected parties. Oregon and Washington permit a private right of action for injured parties under certain circumstances to seek damages from those who have released their personal information without authorization (although it remains to be seen how successful these lawsuits will be). In the Target litigation, plaintiffs have been citing state prohibitions against unfair and deceptive practices to claim that Target's practices were negligent. So essentially these statutes are being used to establish a standard of care for handling data.

In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Starbucks employees sued their employer under Washington law after a manager's laptop, which contained the employees' personal information, was stolen out of a car. Starbucks paid for several months of credit monitoring, and no identity theft was detected during that time. After the free credit monitoring expired, the employees sued, alleging that they had been exposed to an increased risk of identity theft. The court agreed, stating that no actual identity theft was required for the employees to recover. Rather, it was enough that Starbucks' actions had exposed them to greater risk. After this case, businesses could face liability for data breaches even if no identity theft results.

These are just two examples. There are many other cases, and the variety of claims and factual scenarios is broad. Covering all the types of claims cited in data-breach lawsuits is beyond the scope of this paper.

B. State and federal unfair trade practices legislation.

Federal and state regulators typically rely on statutory prohibitions against unfair and deceptive actions in commerce to punish companies that promise to protect consumer data but do not do so, or that collect data from consumers and then use it in a manner that is not disclosed to the consumer.

1. The FTC Act. The FTC Act, 15 U.S.C. § 45, prevents "[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." "[U]nfair or deceptive act" is defined as an act that causes, or is likely to cause, a reasonably foreseeable injury. As with the state statutes, this federal statute might be used to sue a company for identity theft stemming from a data breach. The FTC has relied on this broad authority to punish many companies for misleading consumers about the collection and use of data or for failing to protect data in accordance with representations made to consumers, including Facebook, Google, and Twitter.

2. Oregon. ORS 646.607 similarly prohibits unlawful trade practices generally, and prohibits companies from using "unconscionable tactic[s]" to sell or promote goods or services and from failing to deliver promised goods or services. This statute could potentially be used to hold a business liable for promising that customer information would be kept secure if the business is unable to provide the promised level of security.

3. Washington. RCW 19.86.020 states that "[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." As in Oregon, this statute could create liability for businesses that fail to appropriately secure customer data.

C. Identity-theft and data-protection laws.

In addition to data-breach notification laws, there are state laws designed to prevent identity theft.

1. Oregon. In addition to requiring consumer notification in the event of a data breach (as discussed above), the Oregon Consumer Identity Theft Protection Act also prohibits the public display of consumers' full Social Security numbers (e.g., on a card intended to access a business's services) and requires a business that stores consumers' personal information to develop a plan for safeguarding that information. Oregon law further outlines steps that businesses can take to comply with Oregon law, including (see ORS 646A.622):

(a) Designating one or more employees to coordinate a security program;
(b) Identifying reasonably foreseeable internal and external risks;
(c) Assessing the sufficiency of safeguards in place to control the identified risks;
(d) Training and managing employees in the security program practices and procedures;
(e) Selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract;
(f) Adjusting the security program in light of business changes or new circumstances;
(g) Assessing risks in network and software design;
(h) Assessing risks in information processing, transmission, and storage;
(i) Detecting, preventing, and responding to attacks or system failures;
(j) Regularly testing and monitoring the effectiveness of key controls, systems, and procedures;
(k) Assessing risks of information storage and disposal;
(l) Detecting, preventing, and responding to intrusions;
(m) Protecting against unauthorized access to or use of personal information during or after the collection, transportation, and destruction or disposal of the information; and
(n) Disposing of personal information after it is no longer needed for business purposes or as required by law.

2. Washington. RCW 9.35.020 is Washington's identity-theft law. It states that "no person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime." Like Washington's data-breach notification law, this law applies broadly to any theft of personal data, not just consumer or employee data.

III. DATA-PRIVACY RULES APPLICABLE TO SPECIFIC INDUSTRIES, TYPES OF DATA, AND SITUATIONS.

In addition to the general requirements above, there are data-security and privacy laws containing requirements regarding particular classes of data or addressing specific scenarios. The situations and data classes covered below involve health information, student information, financial information, credit cards, payment accounts, children's data, and data held by insurance companies.

A. Businesses dealing with health information.

Any business dealing with health information should be aware of whether it is covered by the Health Insurance Portability and Accountability Act ("HIPAA") and, if so, how HIPAA affects its use and storage of data. HIPAA establishes federal protections for individuals' personal health information ("PHI") and medical records, and rules regarding whether and how such information may be disclosed. The HIPAA Privacy Rule applies to health insurance plans, healthcare clearinghouses, and healthcare providers conducting certain electronic transactions. See 45 C.F.R. pt. 160, pt. 164, subpts. A, E. This Privacy Rule requires that appropriate safeguards be in place to protect the privacy of PHI, and also sets conditions and limits on the use and disclosures of PHI. Patients are given specific rights over their PHI, including the rights to obtain and examine copies of their health records, and also to request corrections.

HIPAA's Privacy Rule details the administrative, physical, and technical safeguards that covered entities and their business associates must have in place to ensure the integrity, confidentiality, and availability of electronic PHI. Covered entities and their business associates must notify patients or customers if a breach of unsecured PHI occurs. The FTC enforces similar breach-notification rules under the HITECH Act, which applies to vendors of personal health records and third-party service providers. For purposes of these rules, a breach is generally defined as an impermissible use or disclosure that would compromise the security or privacy of PHI. Factors considered in determining whether there has been a breach include the nature and extent of the PHI involved, the unauthorized person to whom the disclosure was made or who used the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk of disclosure of PHI was subsequently mitigated.

B. Educational institutions.

The Family Educational Rights and Privacy Act ("FERPA") covers all schools receiving funds under applicable programs of the U.S. Department of Education. See 20 U.S.C. § 1232g. FERPA protects the privacy of student education records, and gives parents rights regarding their children's education records as well. Rights initially granted to parents transfer to the student when he or she attends school beyond the high school level or reaches age 18. Once rights have been transferred to a student, that student will be deemed an "eligible student" under federal FERPA regulations.

A parent or eligible student has certain rights under FERPA, including the right to review and inspect the student's education records that the school maintains, and to request that records believed to be inaccurate or misleading be corrected by the school. If such a request is made and the school decides against amending the records, the eligible student or parent then has a right to a formal hearing. If the school decides not to amend the records after a hearing, the eligible student or parent then has the right to file a statement with the student's records containing his or her view regarding the contested information.

In order to release information from a student's education records, a school must generally have written permission from a parent or eligible student. Under FERPA, a school may disclose those records without consent to specified third parties only under certain circumstances (e.g., to other schools to which a student is transferring, accrediting organizations, etc.). Schools do not need consent in order to disclose "directory" information, such as a student's name, phone number, address, date and place of birth, dates of attendance, and honors and awards. A school must tell the parent or eligible student about this directory information, however, and the parent or eligible student must be allowed a reasonable amount of time to request that the school not disclose directory information about the student.

C. Companies that process credit-card data.

The Payment Card Industry Data Security Standard ("PCI DSS") is a standard issued by the Payment Card Industry Security Standards Council, and was created to increase cardholder data security and thereby reduce credit-card fraud. PCI DSS is not a federal law, but rather a security standard that is broadly recognized and enforced. PCI DSS was created when major credit-card companies (Visa, MasterCard, Discover, American Express, and Japan Credit Bureau) aligned their individual security policies in 2004. Today, PCI DSS constitutes a widely accepted set of procedures and policies intended to keep credit, debit, and cash-card transactions secure, and to protect cardholders against misuse of their personal data. It provides a framework for developing payment-card-data-security processes, including detection, prevention, and appropriate reaction to security incidents. Specific rules regarding compliance with PCI DSS vary depending on the volume of applicable transactions that a company processes. And although PCI DSS is not promulgated by the government, companies that process payment information should be aware of how the standards apply to them. Fines for noncompliance can range from $5,000 to $100,000 per month. PCI DSS is relevant for organizations handling cardholder information for major debit, credit, e-purse, ATM, prepaid, and POS cards, and generally applies to all merchants that store, process, or transmit cardholder data.

D. FTC Red Flags Rule.

The Red Flags Rule requires businesses and organizations classified as creditors that have covered accounts to implement a written program to detect warning signs of identity theft in regular operations. See 16 C.F.R. at pt. 681. Businesses must also take steps to prevent the potential for identity theft, and to mitigate harm in the event of identity theft or a data breach. The intention is to aid businesses in identifying suspicious patterns and to prevent identity theft and its consequences. The Red Flags Rule tells organizations how to properly develop, implement, and administer identity-theft prevention programs. The basic requirements for these programs are reasonable policies and procedures to identify red flags of identity theft that could occur under normal circumstances; a description of action that will be taken if and when red flags are detected; and how the program will be kept current to reflect new threats.

E. Financial institutions: the Gramm-Leach-Bliley Act.

The Gramm-Leach-Bliley Act (the "GLBA") requires companies that offer consumers financial products or services (e.g., loans, financial advice, or insurance), so-called "financial institutions" under the GLBA, to safeguard sensitive data and to explain their information-sharing practices to customers. See 15 U.S.C. § 6801 et seq. The definition of "financial institutions" for the purposes of the GLBA is broad and includes all businesses that are "significantly engaged" in providing financial products or services.

Covered entities must provide a privacy notice that is clear, is conspicuous, and accurately states their privacy practices. The notice should detail what information the company collects about its consumers and customers, with whom that information is shared, and how the company protects and safeguards that information. The notice requirements apply to nonpublic personal information that a company gathers and discloses about its customers and consumers. In practice, this may include most or all of the information that a financial institution has about its customers and consumers. For example, the simple fact that a particular individual is a consumer or customer of a financial institution is potentially nonpublic personal information. Nonpublic personal information can also include information that a customer puts on an application, information about a consumer gained from another source, such as a credit bureau, or information about transactions between an individual and the financial institution, such as an account balance. Information that is lawfully public is not restricted by the GLBA.

Customers and consumers have the right to keep their information from being shared with certain third parties. Privacy notices must allow people to opt out of having their information shared, and financial institutions must offer a reasonable procedure for opting out. Providing a detachable form with a preprinted address or a toll-free phone number are both reasonable ways to opt out; requiring an individual to write a letter is not reasonable under the GLBA. The GLBA also prohibits financial institutions from disclosing customers' account numbers to companies that are not affiliated with the source institution for telemarketing, direct-mail marketing, or e-mail marketing, even if the customers in question have not opted out of sharing their information for marketing.

F. Collecting data from children.

The Children's Online Privacy Protection Act ("COPPA") applies to companies with websites designed for children and companies whose websites are intended for general audiences but collect information from individuals known to be under age 13. See 15 U.S.C. § 6501 et seq. COPPA's goal is to allow parents to control what information websites can collect from their children. Generally, companies subject to COPPA must establish and maintain reasonable procedures to ensure that the confidentiality, security, and integrity of personal information collected from children are protected. Parental consent is required before collecting information. Information collected from children should be minimized to the extent possible, and reasonable steps must be taken to release such information only to third parties capable of maintaining its security, confidentiality, and integrity. Personal information should be retained only as long as it is reasonably necessary, and must be securely disposed of once there is no longer a legitimate reason for retaining it.

G. Insurers.

In addition to governing the collection, use, and dissemination of consumer information for credit and employment purposes, the Fair Credit Reporting Act ("FCRA") also regulates the collection, use, and dissemination of consumer information for insurance purposes. Users of this information must (1) notify the consumer when an adverse action is taken based on that information; and (2) identify the company that provided the information, so that the information's accuracy and completeness may be verified or contested by the consumer.

H. Federal rules regarding using personal data for employment decisions.

The laws described below deal directly with the relationship between the employer and employee.

1. Using background information for employment decisions. The Equal Employment Opportunity Commission (the "EEOC") and the FTC jointly published guidance regarding background checks in the spring of 2014. This section summarizes that guidance, but any employer considering the background information of its applicants or employees should review the joint guidance in full.

The EEOC generally requires that employers treat all employees equally. In this context, equal treatment means that background checks may not be conducted or waived based on a person's race, national origin, sex, religion, disability, genetic information, or age. In addition, any background information received must not be used to discriminate in a way that would violate the law. So the same standards must be applied to everyone, special care should be taken when basing employment decisions on background information, and if problems revealed during a background check were caused by a disability, exceptions may be necessary.

The FCRA protects consumer credit data, and requires that certain steps be taken when an employer takes adverse action (e.g., firing an employee; not hiring an applicant) based on information obtained from a company in the business of collecting background information. Before the adverse action, the applicant or employee must be given a notice including a copy of the consumer report relied on to make the adverse decision, and a copy of the document titled "A Summary of Your Rights Under the Fair Credit Reporting Act." After an adverse employment action is taken, the applicant or employee must be told that he or she was rejected because of information in the report; the name, address, and phone number of the company that sold the report; that the company selling the report did not make the adverse employment decision, but only supplied the data on which the decision was based; and that the employee or applicant has a right to dispute the completeness or accuracy of the report, or to get a free report from the reporting company within 60 days.

In Oregon, the use of credit history for hiring decisions is even more restricted: it is generally illegal to obtain information contained in an individual's credit history or to make employment decisions based on credit information. ORS 659A.320. Similarly, in Washington, employers cannot obtain a credit report as part of a background check unless the information is required by law or "[s]ubstantially job related and the employer's reasons for the use of such information are disclosed . . . in writing." RCW 19.182.020.

2. Disposing of an employee's personal information. The EEOC requires that personnel and employment records that an employer makes or keeps (including application forms, even when an applicant was not hired) must be kept for one year after the records were made, or for one year after a personnel action was taken. The FTC requires that after recordkeeping requirements have been satisfied, employers must dispose of any background reports and any information gathered from them in a secure manner. This includes burning, pulverizing, or shredding paper documents, and disposing of electronic information so that it cannot be reconstructed or read.

Employers requiring a credit report from prospective employees must, according to the Fair and Accurate Credit Transactions Act, dispose of those reports and the information derived from them in a safe and secure manner. Any business using consumer reports for business purposes, including employers using consumer reports to make employment decisions, is subject to this Disposal Rule, which requires that information derived from consumer reports and records must be properly disposed of in order to protect against unauthorized access to or use of the information. The FTC allows for some flexibility in determining how to best protect against unauthorized use, and covered organizations may determine what measures are reasonable and appropriate based on the information's sensitivity, the benefits and costs of different disposal methods, and technological developments.

IV. BEST PRACTICES.

Companies must have appropriate policies in place to deal with the data-security issues described above. It is also essential to ensure that companies are educated about those policies and trained in implementing them. In some cases, laws might not state specifically what companies must do, only that they may adopt practices that are appropriate to the types of data they collect and their needs. As a general guide, we provide the following tips for businesses that are adapted from the FTC document "Protecting Personal Information: A Guide for Business."

A. Take account. Know what personal information and other important and sensitive information you have in files and on computers and electronic devices. Know where and how this information is kept, and who has access to it. Consider different levels of data privacy for different documents to ensure that only people who need sensitive information can access it. Update access policies as people move within the company or leave the company.

B. Scale down. Keep only the information you need for your business. Check default settings on credit-card processing software to make sure that entire card numbers aren't kept. Develop a written records retention policy for what you do keep.

C. Lock data. Encrypt digital files, and keep paper files or physical media in a secure place with limited employee access. Require employees to put files away, log off their computers, and lock cabinets and doors. Regularly check security systems and run antivirus programs. Make sure that employees have strong passwords and that passwords aren't shared. Consider requiring regular password changes. Make sure that all new employees go through data and security training and know who has access to which information.

D. Discard unused information. Dispose of data you no longer need in a secure manner and in accordance with applicable law. Make sure that employees are trained on these procedures. Shred paper records, use data-wiping software on old computers, and follow the FTC rules for disposing of credit reports.

E. Plan ahead. Make sure that employees know what personal information is and how to safeguard it under the applicable state and federal laws. Regularly test and monitor security systems and be familiar with the steps to take in the event of a breach so that you can act quickly. Have a plan for notifying consumers in the event of a data breach.

IDENTIFYING RISK: A DATA-SECURITY CHECKLIST

This list provides some questions that will help you start to identify how data is collected, used, stored, and shared at your organization, which is a key step in assessing risk and developing appropriate data-security and privacy procedures. This list is general and high-level, so additional or different requirements might apply based on your unique situation. Before implementing any plan, consult an attorney who can explain these requirements.

Data Collection
- What sensitive data is collected? Personal information? Health information? Financial information?
- When and how is data collected? When bills are paid? When accounts are established?
- Who collects the data? You or a third party that will later provide it to you?
- What is disclosed to the data discloser about the collection and use of the data? Is consent obtained for all uses? Is disclosure handled through website terms and conditions or a privacy policy? By contract? Is it clear and conspicuous?

Data Use
- How is the data used? Research? Advertising? Hiring? Is the actual use consistent with the use described to the discloser?
- How and where is the data stored? Secure? Encrypted?

Data Flow
- How long is the data stored? Best to dispose of it securely and in accordance with the law when the need to have it passes.
- What data is shared with third parties/data processors? Do you audit the privacy practices of those third parties and have appropriate contract provisions? The third-party practices should be consistent with your standards.
- Do those third parties share that data with additional third parties, with which you may or may not have a relationship?
- What data is received from third parties? How is that data handled, used, processed, stored, or combined with data from other sources?

Internal Practices
- Are appropriate data-security policies in place that comply with applicable law?
- What happens if there is a breach? Who is responsible for managing data security?
- Are employees appropriately trained?
- Is access to data limited to need-to-know parties only?
- How can you update practices and policies as necessary and as risks evolve?