Navigating the Privacy Hodgepodge
By Jeff Spivey
According to the dictionary, a hodgepodge is a confused mass of things. According to a scan of current privacy laws, so is the U.S. regulatory landscape.
No single, comprehensive privacy law blankets the country. Instead, there is a crazy quilt of industry-specific and state laws that every organization doing business in the United States needs to track and comply with.
This is not because our society hasn’t had enough time to act. Samuel Warren and Louis Brandeis published their article, "The Right to Privacy," in 1891, arguing that a new right, termed privacy, demanded acceptance in the American jurisprudence system.
Fast-forward nearly 100 years to the mid-1960s, when Congress began looking at the privacy implications of records maintained by federal agencies in reaction to the proposed establishment of a National Data Center. After years of studies and amid mounting privacy concerns after Watergate, the U.S. Privacy Act of 1974 was passed. It governs the collection, use and dissemination of a record about an individual that is maintained by federal agencies.
Since then, the Internet and increasingly sophisticated data gathering, storage and processing technologies have made it progressively easier for organizations to process and hold personally identifiable information (PII).
Concurrently, consumers have become more concerned about their privacy. This poses a challenge for businesses: how to strike a balance between the need to access PII and the expectation of privacy that Warren and Brandeis described as the “right to be left alone”? Adding to this challenge is a complex and shifting set of laws.
The Federal Privacy Landscape
One of the contributing factors to the regulatory hodgepodge is the mix of federal and state-level laws. The major federal legislation addresses two influential industries (financial services and health care), and a vulnerable demographic: children and young adults. The major federal laws and their key changes are:
· Gramm-Leach-Bliley Act (GLBA)/Financial Modernization Act of 1999: The act requires financial institutions that offer consumers financial products or services (such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. Four years ago, a model privacy notice form made it easier for consumers to understand how financial institutions collect and share information about them; GLBA has since been stable.
· Fair Credit Reporting Act (FCRA): The act, passed in 1970, promotes the accuracy, fairness and privacy of information in the files of consumer reporting agencies, which compile and maintain information about consumer credit ratings to sell the listings to businesses, potential lenders and individuals. The FCRA was amended in 2005 by the Fair and Accurate Credit Transactions Act (FACTA). (Both FCRA and FACTA refer to the same law.) The Identity Theft Red Flags Rule is part of FACTA.
Under changes effective January 2013, employers that utilize background checks must use a “Summary of Consumer Rights” form to notify job applicants and employees of their rights under the FCRA. Employers also must make clear that the newly created Consumer Financial Protection Bureau—not the Federal Trade Commission—is the agency that applicants and employees should contact with questions about FCRA rights.
· Health Insurance Portability and Accountability Act (HIPAA) of 1996: The act applies to health plan providers, health care clearinghouses and certain health care providers. It covers protected health information, which is information related to physical or mental health, the provision of health care and payment for health care. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act’s enforcement provisions strengthened the HIPAA protections and rights.
In January 2013, the final rule was approved. The changes enhance a patient’s privacy rights and protections, and strengthen the ability of the Health and Human Services office to enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.
· Children’s Online Privacy Protection Act (COPPA): The act originally went into effect in April 2000, addressing the online collection of personal information from children under 13. It requires a notice containing specific details about information practices to be posted on the home page and each area of the Website where personal information is collected from children.
COPPA was updated in December 2012, because of changes in online technology made since the law was originally enacted. The final amended rule, which will be effective in July 2013, includes modifications to the definitions of operator, personal information, and Website or online service directed to children. The amended rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.
· Family Educational Rights and Privacy Act (FERPA): This 1974 act protects the privacy of student education records, giving parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. The act was updated in January 2012, allowing for greater disclosures of personal and directory student-identifying information, and regulating student IDs and email addresses, among other issues.
Currently, no comprehensive federal privacy framework exists. In its absence, most states have developed privacy legislation for their constituents, which is burdensome for organizations doing business in more than one state.
Many state privacy regulations deal with data breaches, but not just to protect citizens from businesses. According to the Privacy Rights Clearinghouse Chronology of Data Breaches, government organizations alone had more than 16 million records affected by data breaches since the start of 2012. Forty-six states have now enacted legislation requiring that organizations notify citizens of security breaches involving personal information. Only Alabama, Kentucky, New Mexico and South Dakota do not have such laws.
The first state to enact a data breach law was California, but the state with perhaps the strictest such laws is Massachusetts. 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, set a new level in state security laws by regulating both private and public sector entities that handle Massachusetts residents’ sensitive data, regardless of where the entity is located. Massachusetts was the first state to require a comprehensive written information security program, requiring entities to take proactive steps to prevent data breaches and security incidents.
Privacy advocates do not anticipate Congress passing comprehensive privacy legislation any time soon. Instead, they anticipate federal bills that address very specific topics, such as the Application Privacy, Protection, and Security Act of 2013 (APPS Act), which covers the use of data collection on mobile devices.
At the state level, companies can expect more statutes such as those recently passed by Maryland, Illinois and California, dealing with the use of social media and electronic information in employment background screenings or job application screenings. Employers in these states are prohibited from requiring employees or prospective employees to share their password so as to give employers access to their Facebook or other social media accounts.
Complying With Relevant Laws
Organizations must ensure that they maintain data privacy plans and policies that comply with relevant laws for their industry. ISACA, a professional association focused on IT governance, offers the following guidelines for enterprise data privacy plans and policies:
· Know what sensitive customer data or PII your organization collects and retains and where it is stored, and ensure that the most appropriate controls are in place.
· Develop an incident-response plan for potential privacy breaches to help your organization respond promptly.
· Ensure that company policies and plans are clearly written and enforceable; they should address issues related to the collection, use, disclosure, retention and disposal of PII.
· Make sure employees throughout the company understand why it is important to protect PII and the risks to the organization if they don’t.
· Train employees to understand how they can help protect PII and reinforce the training program with regular information sessions and notifications on policy or plan updates.
· Assign responsibility for privacy and data protection policy to a designated person, such as a chief privacy officer, who should also be responsible for monitoring relevant privacy legislation.
Involvement of the board of directors is also recommended to ensure that proper controls are implemented. The board should govern the overall process by directing, monitoring and evaluating the organization’s overarching privacy vision and requirements based on the business needs. Executive management and all employees involved with privacy-related information should focus on management: planning, building, running, updating and monitoring privacy controls.
To address the broad array of privacy issues that vary across different areas of a business, organizations should consider developing guidelines by consulting a comprehensive business framework, such as ISACA’s COBIT 5. By leveraging the enabling processes in such a framework, the team responsible for data privacy will know they have addressed the complex mix of privacy-related requirements, benefits, risks and resources.
This issue becomes considerably more complicated for organizations conducting business outside of the United States or for non-U.S. companies seeking to do business here. Those companies need an even more rigorous process and structure for monitoring regulation and ensuring compliance, a situation in which a comprehensive business framework is more important than ever.
No internal policy or control will eliminate the array of federal and state laws, of course. But such policies do provide a way to make sense of what is required by law, desired by consumers and expected by your board of directors.
Jeff Spivey is international vice president of ISACA, a professional association focused on IT governance, and vice president at RiskIQ.