
Page 1: (Slides)

The Evolution of Global Privacy Law

Lisa J. Sotto
Partner
Hunton & Williams LLP
(212) 309-1223
[email protected]

November 13, 2006
IBM Fall 2006 Security and Privacy Day

Page 2: (Slides)

What is Privacy and Data Security?

• Privacy is the appropriate use of information as defined by:
  • Law
  • Consumer expectations
• Security is the protection of information
  • Confidentiality (protection against unauthorized access to data)
  • Data integrity

Page 3: (Slides)

Four Privacy Risks

• Legal compliance
• Reputation
• Investment
• Reticence

Page 4: (Slides)

Data Protection Laws Around the World

Page 5: (Slides)

US Privacy Laws

• Major federal laws are:
  • GLB: Financial institutions
  • HIPAA: Health care entities
  • FCRA/FACTA: Consumer reporting agencies
  • FTC Disposal Rule
  • DPPA: DMV records
  • CAN-SPAM: Commercial e-mail
  • COPPA: Children’s data
  • Do-Not-Call Registry: Telemarketing
  • FTC Act Section 5: Prohibits unfair or deceptive trade practices
  • Privacy Act of 1974

Page 6: (Slides)

California

• Disclosures to Direct Marketers Law (SB 27)
• California Online Privacy Protection Act
• Security of Personal Information (AB 1950)
• California Computer Security Breach Act (SB 1386)

Page 7: (Slides)

Information Security

• 2005 was the year of the security breach
• In 2005/2006, 365 information security breaches so far
  - ChoicePoint
  - DSW
  - Bank of America
  - CardSystems
  - Lexis Nexis
  - Boston Globe
• Over 97 million potentially affected
• 34 state security breach notification laws
• Numerous federal bills

Page 8: (Slides)

State Security Breach Notification Laws

• Generally, the duty to notify arises when unencrypted “personal information” was (or was reasonably believed to have been) acquired or accessed by an unauthorized person
  • Some states require notification when encrypted information has been acquired or accessed along with the encryption key
• “Personal information” is an individual’s name, combined with:
  • SSN
  • driver’s license or state ID card number
  • account, credit or debit card number along with password or access code
• But state laws differ:
  • Computerized v. paper data
  • Definition of PI
  • Notification to state agencies
  • CRA notification
  • Harm threshold

Page 9: (Slides)

Recent FTC Enforcement Actions

• Most FTC privacy enforcement actions result from security breaches
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ’s Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
• Enforcement trends

Page 10: (Slides)

Emerging State Law Issues

• Social Security Numbers
  • A number of states regulate the private sector
  • Many others are considering similar legislation
• Child Protection Registry Laws
  • Michigan and Utah currently regulate
  • Other states pending
  • Senders are prohibited from sending adult messages to “contact points” listed on state registries
  • FTC’s view
• Employee Email Monitoring
  • Delaware and Connecticut have employee monitoring laws in place

Page 11: (Slides)

Emerging State Law Issues (cont’d.)

• Website Privacy Notices
  • California, Nebraska and Pennsylvania
• Radio Frequency Identification (RFID)
  • At least 13 states are considering privacy legislation regulating the use of RFID
• Anti-Spyware
  • 12 states currently have anti-spyware laws
  • At least 17 other states are considering anti-spyware legislation

Page 12: (Slides)

The EU Directive

• Enacted in 1995; each country has its own national data protection law – the Directive sets the floor
• Requires entities to notify authorities or register before processing personal data
• Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
  • U.S. is not “adequate”
• Data transfer is permitted:
  • To “adequate” countries (e.g., Switzerland, Canada)
  • Within the safe harbor framework (from EU to U.S. only)
  • Where a contract ensures adequate protection
  • With “unambiguous consent” of the data subject
  • BCRs

Page 13: (Slides)

Recent EU Issues

• Whistleblower hotlines
• Data Retention Directive
• PNR Data
• SWIFT issue
• New security breach notification proposals

Page 14: (Slides)

PIPEDA

• The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
• Establishes rules for the management of personal information by organizations involved in commercial activities
• Applies to the collection, use and disclosure of personal information by organizations during commercial activities
• Personal information is any information about an identifiable individual, whether recorded or not
• Requirements:
  • Identify purposes of data collection
  • Obtain consent and limit use to identified purposes
  • Limit collection to necessary information
  • Limit use, disclosure and retention
  • Individual access

Page 15: (Slides)

Latin America

• Argentina has an “adequate” comprehensive law, and now an active DPA
• Several nations have draft data protection laws
• Other nations codify privacy in consumer protection laws
• Many Latin American nations implement data protection concepts through habeas data rights
  • Habeas data rights are found in many national constitutions

Page 16: (Slides)

Japan

• Personal Information Protection Act
• Enacted in 2003, fully effective April 1, 2005
• “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
• Applies to each “entity using a personal information database”
• “Third party” does not include data processors but does include affiliates
• Civil and criminal penalties for violations
• Guidelines have been published by various Ministries

Page 17: (Slides)

APEC

• Created an information privacy framework with 9 privacy principles:
  - Preventing harm
  - Notice
  - Collection limitation
  - Uses of personal information
  - Choice
  - Integrity
  - Security
  - Access and correction
  - Accountability
• Endorsed by 21 member economies in November 2004
• Consistent with OECD Guidelines

Page 18: (Slides)

New and Expected Global Privacy Regimes

• Russia
  • DP law passed July 2006
  • Bears strong resemblance to EU Directive
• India
  • New data security proposals to amend India’s IT Act of 2000
  • The proposals result from recent breaches and reports of lax security practices
• China
  • Law is currently being drafted

Page 19: (Slides)

U.S. Enforcement and Litigation

• FTC’s new Division of Privacy and Identity Protection
• The FTC’s enforcement tools are evolving to meet new problems
  • CardSystems
  • ChoicePoint
  • DSW
  • BJ’s Wholesale Club
  • Petco
  • Tower Records
  • Barnes & Noble.com
  • Guess.com, Inc.
• U.S. privacy litigation trends

Page 20: (Slides)

Privacy Issues Are Often Unexpected

• Information security breaches pose new and sometimes acute risks
  • FTC enforcement and litigation
  • Erosion of customer trust
  • Public perception of brand plummets
  • Investor concerns and market reaction
• Whistleblower hotlines
• HP’s pretexting issues

Page 21: (Slides)

Minimizing the Risk

• Prevention is the primary goal, but proactive planning can minimize impact if a privacy event occurs

• Concern and focus on data privacy and security must come from the top

• Data privacy now often involves the CEO, CFO, CPO, CIO and GC

• Re-evaluate security systems and privacy and security policies on an ongoing basis

• Integrate the concern for information privacy and security as a core value and train often

Page 22: (Slides)

The Global Perspective

• Information security is the global topic du jour
• Expect new U.S. privacy legislation
• New level of professionalism of EU DPAs
• There is significant activity globally to enact new data protection laws
• There will be a focus on data protection harmonization in coming years

Page 23: (Slides)

Questions?

Lisa J. Sotto
Partner
Head, Privacy and Information Management Practice
Hunton & Williams LLP
(212) 309-1223
[email protected]