White House Issues Two Big Data Reports; Florida Legislature Passes Revamped Breach Notification Law
Yesterday, May 1, was a big day for privacy in the news. The White House issued two reports on the privacy implications of Big Data, and the Florida legislature overhauled the state's security breach notification law, strengthening existing requirements and adding several new ones relating to data security and breach notification.
The Podesta Report – “Big Data: Seizing Opportunities, Preserving Values”
Background
In January of this year President Obama asked John Podesta to lead a 90-day study to examine the changes big data technology will have on our lives and the future of individual privacy. The study, entitled “Big Data: Seizing Opportunities, Preserving Values,” was released yesterday, May 1, 2014. A full copy of this report is available here.
The study attempts to balance the unique benefits and challenges big data brings to grow the US economy, improve health and education, and to make the United States safer and more energy efficient against the social and ethical questions of discrimination, stereotypical biases or assumptions, and individual privacy.
Current Privacy Framework Addresses “Small Data”
The report first recognizes that the most common privacy risks to individuals involve “small data.” Privacy concerns in the “small data” context are already addressed in the United States by the Fair Information Practice Principles (FIPPs), the various sector-specific laws, robust enforcement mechanisms, and the various global privacy assurance mechanisms such as the U.S. Safe Harbor Framework.
New Laws May be Needed for “Big Data”
However, “big data” technology permits collecting, analyzing, and assembling large volumes of data to analyze and profile the discrete digital traces individuals leave behind every day, revealing a surprising number of things about an individual and his or her life. The traditional framework of “notice and consent” that forms the foundation of privacy in the “small data” context may not adequately protect privacy in the big data context. Instead, a focus on how data is used and reused may be more productive for managing privacy in a big data environment.
The Report’s Six Recommendations
The study’s authors make six policy recommendations to protect privacy in the big data context: First, the study calls on the Department of Commerce to advance President Obama’s 2012 proposal for a Consumer Privacy Bill of Rights. Second, Congress should enact national data breach notification legislation to replace or supplement the existing patchwork of state breach notification laws. Third, the Privacy Act of 1974 should be applied to non-U.S. persons as much as possible, or meaningful and appropriate alternatives that protect their privacy should be established. Fourth, the federal government should ensure that data gathered about students for educational purposes is not shared or used inappropriately. Fifth, civil rights and consumer protection agencies should improve their technical expertise so they can identify and investigate discriminatory impacts on protected classes facilitated by the use of big data. Sixth, the report recommends that Congress amend the Electronic Communications Privacy Act to ensure the same level of protection for online and digital content as is afforded to physical objects.
Impact on Businesses
The report is significant to businesses because it intensifies the spotlight on companies’ data privacy and security practices. Whether the result is new laws and regulations, increased and new paths of enforcement by the Federal Trade Commission, or both, the report is a clear indication that the legal compliance risks relating to the privacy of personal information will continue to increase in the months and years to come.
Businesses may no longer be able to rely on the traditional notice and consent framework used in the small data context. The recent trend, even before this report, has been to base accountability and compliance on how a company uses and reuses data. A national breach notification law may decrease the burden on nationwide companies of complying with the various state breach notification laws, each with its own definition of personally identifiable information and its own notification requirements. Companies should continue to monitor which, if any, of the recommendations are adopted and carefully analyze the impact on their business.
The PCAST Report – “Big Data and Privacy: A Technological Perspective”
Background
In addition to asking for the Podesta Report discussed above, President Obama also asked his Council of Advisors on Science and Technology (PCAST) to examine Big Data from a technological perspective, and in particular what can and should be done to help preserve privacy. PCAST also released its report yesterday, May 1, which discusses the technical aspects of big data and privacy. A full copy of the report can be found here.
The Growth in Big Data Technology Increases Risks to Privacy
The collection, analysis and use of personal information have exploded in recent years as a result of significant advances in computing and electronic communication technologies. Individuals are more concerned than ever with protecting their privacy in light of the ability of new technologies to analyze tremendous amounts of data from numerous sources, often in ways entirely unknown to the individual. The report addresses the changing privacy and legal compliance environment as companies in the United States and throughout the world have embraced and developed these big data technologies.
The Report’s Five Recommendations
The report recognizes that technology alone is not sufficient for protecting privacy. PCAST recommends five steps the Federal government can take to balance the benefits of big data against the protection of privacy. First, as also discussed in the Podesta report, policy should be based more on the actual uses of big data than on the methods of collection and analysis. Second, laws and policies should not dictate specific technological solutions, but should address intended outcomes. Third, government-sponsored research into technological solutions that balance business interests and individual privacy concerns should be increased. Fourth, the government should work with educational institutions and professional societies to increase training and education in privacy protection, including career paths for privacy professionals. Fifth, the United States should lead domestically and internationally by adopting policies that incentivize the use of the practical technological solutions for privacy that exist today.
Impact on Businesses
As with the Podesta report, the PCAST report is further evidence that regulatory and self-regulatory attention to data privacy and security will continue to increase in the months and years to come. Companies are using technology in new and exciting ways to enhance revenues, profits and other business outcomes from big data initiatives. The PCAST report reminds businesses that technology should also be used to protect privacy. Companies should take a privacy-by-design approach to build privacy into their products, services and systems, and to minimize the legal and reputational risks that result from inappropriate or unlawful uses of personal information.
Florida’s Revamped Data Security Breach Notification Headed to the Governor
The final piece of privacy news yesterday came out of Tallahassee, where the House followed the Senate and passed the Florida Information Protection Act of 2014. The text of the bill can be found here. The bill now heads to Governor Rick Scott, who is widely expected to sign the bill. If signed, the law will become effective July 1, 2014.
The action in Florida continues a line of recent data breach proposals and laws in a number of states, including California, New Mexico, Iowa, and Kentucky. Among other things, the law expands the definition of personal information that can trigger a notification requirement by adding health insurance information, medical information, financial information and online account information, such as security questions and answers, email addresses, and passwords. Current law covers an individual’s first name or first initial and last name, in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number or credit or debit card number in combination with any required security code or password needed to access the account.
Notice to affected individuals is required as expeditiously as possible, but no later than 30 days after the breach is discovered or the business reasonably believes a breach occurred. Current law requires notification without unreasonable delay and no later than 45 days after discovery of the breach.
For a breach affecting 500 or more Florida residents, written notice to the Attorney General is required within 30 days after discovery of the breach. At the Attorney General’s request, the business must also provide a copy of its current policies regarding breaches, the steps taken to remediate the breach, and a copy of any police report, incident report, or computer forensics report.
If the breach involves more than 1,000 individuals, the business must also notify the major consumer reporting agencies (Experian, TransUnion and Equifax).
Notice is not required if, after an appropriate investigation and consultation with the relevant law enforcement agencies, the business reasonably determines that the breach has not resulted, and is not likely to result, in identity theft or other harm to the affected individuals. That determination must be documented in writing, retained for at least five years, and provided to the Attorney General within 30 days after it is made.
The law adds a requirement that businesses take reasonable measures to protect and secure personal information in electronic form. While the law does not spell out what these measures must be, in the event of a security breach the company will need to demonstrate, at a minimum, that it used commercially reasonable safeguards to protect personal information consistent with industry standards.
Finally, the law allows violations to be enforced by the Attorney General under the Florida Deceptive and Unfair Trade Practices Act. Civil penalties may reach $500,000: $1,000 per day for the first 30 days after the violation begins, then $50,000 for each 30-day period thereafter for up to 180 days. If the violation continues beyond 180 days, the penalty is capped at $500,000.
Impact on Businesses
If signed by the governor as expected, the new law will impose additional and more stringent requirements on businesses that suffer a security breach exposing the personal information of customers, employees or other individuals. The breach may be the result of a malicious hacker, a disgruntled employee or the inadvertent loss of a laptop or smartphone containing personal information. Businesses should update their data breach incident response plans to comply with the new requirements (and, needless to say, develop a response plan if they do not have one). Companies should also ensure that, if a breach results in a request from the Attorney General for the company’s applicable policies, those policies are consistent with the law and current best practices.
Legal News Alerts are part of our ongoing commitment to providing up-to-date information about pressing concerns or industry issues affecting our clients and colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Chanley T. Howell
Jacksonville, Florida
904.359.8745
[email protected]
James R. Kalyvas
Los Angeles, California
213.972.4542
[email protected]
Michael R. Overly
Los Angeles, California
213.972.4533
[email protected]
Steven M. Millendorf
San Diego, California
858.847.6737
[email protected]