Scott & Scott | Software Compliance Counsel


The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 2 of 3)

“In the information age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain.” – Senator Patrick Leahy.

As noted in Part I of this report, the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). The Privacy and Security Act is unusual in that it applies specifically to data brokers, to businesses that collect personal information, and to government agencies.

Part II of this report focuses on the Act’s “Safeguards Rule” and the legal duty it imposes on every business that handles sensitive personally identifiable information to create a Data Privacy and Security Program.

Title III – Privacy and Security of Personally Identifiable Information.
Senators Leahy and Specter wanted to ensure that every business that handles sensitive personally identifiable information develops and implements administrative, technical, and physical safeguards to protect that information. Title III mirrors the Safeguards Rule requirements found in the Gramm-Leach-Bliley Act (the “GLBA”). Accordingly, the Privacy and Security Act excludes financial institutions that are already governed by the GLBA. Similarly, the Act excludes all entities governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Data Privacy and Security Program. Title III applies to all businesses that collect, access, transmit, use, store or dispose of personally identifiable information of 10,000 or more American citizens. The Act requires such businesses to create and implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards “appropriate” to the size and complexity of the business and the “nature and scope” of its activities. The program must be designed to ensure the privacy, security, and confidentiality of sensitive personally identifiable information; to protect against any anticipated vulnerabilities to the privacy, security or integrity of that information; and to protect against unauthorized access to that information that could result in substantial harm or inconvenience to the individual.

The Act requires a business to conduct a thorough risk assessment that identifies internal and external vulnerabilities that could result in the unauthorized access, disclosure, use or alteration of sensitive personally identifiable information or of the systems containing it. The business must determine the likelihood of a network breach and the potential damage if such a breach occurred. The risk assessment must also review the policies, technologies and safeguards the business employs to minimize unauthorized access, and assess how the business disposes of sensitive personally identifiable information.

Based upon its risk assessment, a business shall design, adopt and implement a personal data privacy and security program. Once again, the measures adopted shall be appropriate to the sensitivity of the data as well as to the business’s size, complexity, and scope of activities. The Privacy and Security Act requires that businesses control access to personally identifiable information, detect unauthorized attempts to gain access to such information, protect the information by encryption or other reasonable means, and dispose of personally identifiable information securely. The Act also requires a business to train its employees on its data security program and to ensure that they follow its policies and procedures. Finally, the Act requires a business to test its data security program regularly for vulnerabilities and to update its systems accordingly.

Just like the GLBA, the Privacy and Security Act holds companies responsible for their third-party service providers. A business must exercise due diligence and take reasonable steps to select only those service providers that are capable of maintaining appropriate safeguards for the security, privacy and integrity of sensitive personally identifiable information. There must be a contractual agreement between the business and the service provider that expressly states the service provider will implement and maintain appropriate measures to protect private information in accordance with the Act. And, as with its own program, the business must periodically assess the security measures employed by its service providers.

Enforcement. The Federal Trade Commission is charged with enforcing Title III. A business that violates Title III may be enjoined and assessed civil penalties of up to $5,000 per violation per day, to a maximum of $500,000. If the violations are found to be intentional or willful, the business may be fined an additional $5,000 per violation per day, up to a further maximum of $500,000. Just like Title II, Title III permits the States to bring a civil action in Federal court. However, the State attorney general must first provide written notice to the FTC, and if the FTC has already proceeded against the violator, the State attorney general is barred from bringing a separate claim. Hence, once the FTC acts, Federal enforcement is exclusive and preempts State actions. Individuals are once again barred from bringing a private cause of action.

Do you have a comprehensive data protection program in place? The attorneys at Scott & Scott LLP are the knowledge leaders in privacy, security and IT compliance. Contact us today before the government calls you.


Posted on May 30, 2007 11:47 AM.
