White House Issues Two Big Data Reports; Florida Legislature Passes Revamped Breach Notification Law
Yesterday, May 1, was a big day for privacy in the news. The White House issued two reports on the privacy implications of Big Data, and the Florida legislature overhauled the state’s security breach notification law, strengthening and adding several new requirements relating to data security and breach notification.
The Podesta Report – “Big Data: Seizing Opportunities, Preserving Values”
Background
In January of this year President Obama asked John Podesta to lead a ninety (90) day study to examine the changes big data technology will have on our lives and the future of individual privacy. The study, entitled “Big Data: Seizing Opportunities, Preserving Values,” was released yesterday, May 1, 2014. A full copy of this report is available here.
The study attempts to balance the unique benefits and challenges big data brings to grow the US economy, improve health and education, and to make the United States safer and more energy efficient against the social and ethical questions of discrimination, stereotypical biases or assumptions, and individual privacy.
Current Privacy Framework Addresses “Small Data”
The report first recognizes that the most common privacy risks to individuals involve “small data.” Privacy concerns in the “small data” context are already addressed in the United States by the Fair Information Practice Principles (FIPPs), the various sector-specific laws, robust enforcement mechanisms, and the various global privacy assurance mechanisms such as the U.S. Safe Harbor Framework.
New Laws May be Needed for “Big Data”
However, “big data” technology permits the collection, analysis, and assembly of large volumes of data to analyze and profile the discrete digital traces individuals leave behind every day, revealing a surprising number of things about an individual and their life. The traditional framework of “notice and consent” that forms the foundation of privacy in the “small data” context may not adequately protect privacy in the big data context. Instead, a focus on how data is used and reused may be more productive for managing privacy in a big data environment.
The Report’s Six Recommendations
The study’s authors make six policy recommendations to protect privacy in the big data context: First, the study calls on the Department of Commerce to advance President Obama’s 2012 proposal for a Consumer Privacy Bill of Rights. Second, Congress should enact national data breach notification legislation to replace or supplement the existing patchwork of state breach notification laws. Third, the Privacy Act of 1974 should be applied to non-U.S. persons as much as possible, or meaningful and appropriate alternatives should be established to protect their privacy. Fourth, the federal government should ensure that data gathered about students for education is not shared or used inappropriately. Fifth, civil rights and consumer protection agencies should improve their technical expertise to be able to identify and investigate the discriminatory impact on protected classes facilitated by the use of big data. Sixth, the report recommends that Congress amend the Electronic Communications Privacy Act to ensure the same levels of protection for online and digital content as are afforded to physical objects.
Impact on Business
The report is significant to businesses as it increases the intensity of the spotlight on companies’ data privacy and security practices. Whether the result is new laws and regulations, or increased and new paths of enforcement by the Federal Trade Commission, or both, the report is a clear indication that the legal compliance risks with respect to the privacy of personal information will continue to increase in the months and years to come.
Businesses may no longer be able to rely on the traditional notice and consent framework used in the small data context. The recent trend, even before this report, has been to base accountability and compliance on how a company uses and reuses data. A national breach notification law may decrease the burden on nationwide companies of complying with the various state breach notification laws, each with different definitions of personally identifiable data and different notification requirements. Companies should continue to monitor which, if any, of the recommendations are adopted and carefully analyze the impact on their business.
The PCAST Report – “Big Data and Privacy: A Technological Perspective”
Background
In addition to asking for the Podesta Report discussed above, President Obama also asked his Council of Advisors on Science and Technology (PCAST) to examine Big Data from a technological perspective, and in particular what can and should be done to help preserve privacy. PCAST also released its report yesterday, May 1, which discusses the technical aspects of big data and privacy. A full copy of the report can be found here.
The Growth in Big Data Technology Increases Risks to Privacy
The collection, analysis and use of personal information has exploded in recent years as a result of the significant advances in computing and electronic communication technologies. Individuals are more concerned than ever with protecting their privacy in light of the ability of new technologies to analyze tremendous amounts of data from numerous sources, often in ways entirely unknown to the individual. The report addresses the changing privacy and legal compliance environment as companies in the United States and throughout the world have embraced and developed these big data technologies.
The Report’s Five Recommendations
The report recognizes that technology alone is not sufficient for protecting privacy. PCAST recommends five steps the Federal government can take to balance the benefits of big data and the protection of privacy. First, as also discussed in the Podesta report, policy should be based more on the actual uses of big data rather than on methods of collection and analysis. Second, laws and policies should not dictate specific technological solutions, but should address intended outcomes. Third, government-sponsored research into technological solutions that balance business interests and individual privacy concerns should be increased. Fourth, the government should work with educational institutions and professional societies to increase training and education for privacy protection, including career paths for professionals. Fifth, the United States should be a leader domestically and internationally by adopting policies that incentivize the use of practical technological solutions for privacy that exist today.
Impact on Business
As with the Podesta report, the PCAST report is further evidence that the regulatory and self-regulatory attention to data privacy and security will continue to increase in the months and years to come. Companies are using technology in new and exciting ways to enhance revenues, profits and other business outcomes from big data initiatives. The PCAST report reminds businesses that technology should also be used to protect privacy. Companies should use a privacy-by-design approach to build privacy into their products, services and systems, and to minimize the legal and reputational risks that result from inappropriate or unlawful uses of personal information.
Florida’s Revamped Data Security Breach Notification Headed to the Governor
The final piece of privacy news yesterday came out of Tallahassee, where the House followed the Senate and passed the Florida Information Protection Act of 2014. The text of the bill can be found here. The bill now heads to Governor Rick Scott, who is widely expected to sign the bill. If signed, the law will become effective July 1, 2014.
The action in Florida continues a line of recent data breach proposals and laws in a number of states, including California, New Mexico, Iowa, and Kentucky. Among other things, the law changes the definition of personal information that can trigger a notification requirement by adding health insurance, medical information, financial information and online account information, such as security questions and answers, email addresses, and passwords. Current law covers an individual’s first name or first initial and last name, in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number or credit or debit card number in combination with any required security code or password to access the account.
Notice to affected individuals is required as expeditiously as possible, but no later than 30 days after discovery of the breach or after the business reasonably believes a breach occurred. Current law requires notification without unreasonable delay and no later than 45 days after discovery of the breach.
In the event of a breach affecting 500 or more residents, the Attorney General must be notified in writing no later than 30 days after discovery of the breach. Upon request of the Attorney General, the business must provide the Attorney General with a copy of its breach policies, the steps taken to remediate the breach, and a police report, incident report, or computer forensics report.
If the breach affects more than 1,000 individuals, the business must also notify the major consumer reporting agencies (Experian, TransUnion and Equifax).
Notice is not required if, after an appropriate investigation and consultation with the relevant law enforcement agencies, the business reasonably determines that the breach has not resulted and will not result in identity theft or other lasting harm to the affected individuals. This determination must be documented in writing, retained for at least five years, and provided to the Attorney General within 30 days after the determination is made.
The law adds a requirement that businesses must use reasonable measures to protect and secure personal information in electronic form. While the law does not provide details on what these measures may be, in the event of a security breach the company will need to demonstrate at a minimum that it used commercially reasonable safeguards to protect personal information consistent with industry standards.
Finally, the law authorizes the Attorney General to bring enforcement actions for violations under the Florida Deceptive and Unfair Trade Practices Act. Civil penalties can reach up to $500,000: $1,000 per day for the first 30 days of the violation and $50,000 for each subsequent 30-day period, up to a period of 180 days. If the violation continues for more than 180 days, penalties can be up to $500,000.
Impact on Business
If signed by the governor as expected, the new law will impose additional and more stringent requirements on businesses that suffer a security breach exposing personal information of customers, employees or other individuals. The breach may be the result of a malicious hacker, a disgruntled employee or the inadvertent loss of a laptop or smartphone containing personal information. Businesses should modify their data breach incident response plans to comply with the new requirements (and, needless to say, develop a response plan if they do not have one). Companies should ensure that if a breach results in a request from the Attorney General for the company’s applicable policies, those policies are consistent with the law and current best practices.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Chanley T. Howell
Jacksonville, Florida
904.359.8745
[email protected]
James R. Kalyvas
Los Angeles, California
213.972.4542
[email protected]
Michael R. Overly
Los Angeles, California
213.972.4533
[email protected]
Steven M. Millendorf
San Diego, California
858.847.6737
[email protected]