Privacy is back in 2015. Just when many observers were ready to declare privacy dead, consumers and businesspeople have developed new concerns about how information is being collected, sold, manipulated and even accessed by government agencies. The hacking scandals continued; Snapchat images, to the horror of many people, really do not disappear. And now the international community has become involved in the effort to protect consumers, as well.
Small to mid-size businesses need to keep a close eye on 5 developing privacy law trends this year. These include the consequences of data breach, the expanding definition of what private consumer information is entitled to legal protection and the increasing importance of international norms.
What is Private Information?
At the beginning of 2014, California rolled out amendments to its Online Privacy Protection Act that required commercial websites and online services to disclose whether they honored “Do Not Track” requests. Websites and online services were subject to the law if they collected consumers’ information that included:
- first and last name,
- physical address, including street name and name of a city or town,
- e-mail address,
- telephone number,
- social security number or
- any other information that would permit an individual to be contacted, either physically or online
The protection offered by the law is startlingly weak, but the list is expansive. Ultimately, the comprehensive nature of list may be the most important feature. In some ways it mirrors the schedule of personal identifiers protected by the Health Insurance Portability and Accountability Act of 1996, which includes all these and another dozen factors.
Following California's lead, other states have also begun to expand the kind of information that will be protected under privacy statutes. In mid-2014 Florida expanded its definition of “personally identifiable information,” disclosure of which would trigger its breach notification law. New York Attorney General Eric Schneiderman has just proposed adding protection of email addresses and passwords to New York’s breach notification law in an effort to craft the strongest privacy protections in the nation. Given the trend, it is reasonable to expect these larger lists of protected information to appear in more new statutes as they are enacted.
What Happens If There’s a Breach?
There are actually three areas to watch in the consequences department. The first relates to the notification requirement for individuals whose data may have been compromised. The second is the apparent resurgence of class action lawsuits, and the third is the new enforcement activity on the part of the Federal Communications Commission and the Federal Trade Commission. None of this is good for businesses that lose control of customer information.
Breach Notification Requirements are Becoming More Complicated
Forty-seven states, D.C., Puerto Rico, Guam and the U.S. Virgin Islands now have data breach notification laws — nearly all political jurisdictions.
In California and New York, among other states, the laws require notification on the basis of where the customer lives, not where the corporation “resides” for legal purposes. This means that an interstate, tech-savvy enterprise will have to comply with the data breach notification laws of every state in which it has customers.
In addition, Massachusetts requires that companies have a written data security program, and in Florida a company must provide a copy of that program to the state attorney general when it notifies the state that it has suffered a data breach.
Bottom line: The burden of compliance with multiple state requirements is likely to increase in 2015.
Class Action Lawsuits
Here is where the difference between state enforcement and the plaintiff’s bar becomes important. State law enforcement tends to be about procedure. Civil actions tend to be about substance.
Class action lawsuits tend to be about whether personal data (whatever that includes) was adequately protected rather than the procedural issues of notice or disclosure. Class actions are also generally understood to give individual consumers a fighting chance against the infinite litigation budgets of giant corporations.
Last year saw an increase in the number of class action suits that were brought on the basis of data breaches. The suit against Target was perhaps the highest profile case, but other class actions or threatened class actions focused on Sony Pictures, eBay, Home Depot, and the Midwestern supermarket chain, Schnuck’s Markets, among others. This development gives an advantage to the consumer, can be devastating to a corporate defendant and shows no signs of abating.
FTC and FCC Enforcement Activity
In October 2014, the Federal Communications Commission brought its first enforcement action against TerraCom Inc. and YourTel America Inc. for failure to protect the data of more than 300,000 low income consumers.
Imagine living without a phone. These consumers were the most vulnerable people. They depended on limited low-cost phone service to build economic stability and protect them from physical danger. TerraCom Inc. and YourTel America Inc. allegedly stored their personally identifiable customer data online without firewalls, encryption or password protection.
The FCC’s action resulted in a $10 million fine. Travis LeBlanc, the FCC's top enforcement official, has promised that although this was the first data security enforcement action by the FCC, it would not be the last.
FTC Enforcement Action
Public companies can also expect scrutiny from the Federal Trade Commission’s Bureau of Consumer Protection when consumer data is lost as the result of a data breach. The FTC is taking a proactive approach, also investigating companies on the basis of bad data management practices even before a breach occurs.
The interesting legal wrinkle in all of this involves a challenge to the FTC’s authority to monitor data security. In 2012, the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.
The FTC alleged that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia. Wyndham challenged the FTC's jurisdiction to bring the action.
The action has wound its way through the court system for several years now, but in early 2014, U.S. District Judge Esther Salas in New Jersey upheld the Commission’s power to regulate corporate data security practices. The case is now on appeal to the U.S. Court of Appeals for the Third Circuit. It is a situation that bears watching, as it will define the FTC's future sphere of action in the area of data breach.
International Trade Law
International trade law is a big driver of U.S. data security policy. Tech savvy businesses tend to have interstate and international clients. As with the plaintiff's bar, these actions focus on substance rather than procedure. The EU, in general, offers far greater privacy protections to consumers than U.S. law does.
The EU Privacy Directive, implemented through national legislation in the EU member states, restricts the transfer of personal information out of the EU to any country whose laws fail to offer adequate protection unless the company transferring the information is located in an adequate jurisdiction or falls under other exceptions. The U.S. does not make this list.
However, a safe harbor exists for companies located in the U.S. The safe harbor requires the company to self-certify compliance with the EU Privacy Directive. but in doing so the company subjects itself to FTC scrutiny.
In 2014, the FTC, acting in furtherance of the EU Privacy Directive, brought 12 actions alleging businesses had falsely claimed to hold current certifications under this international framework. There is every reason to believe that safe harbor enforcement will continue in 2015.
Other cases have arisen outside the U.S. In France, the French data protection authority warned Orange, the cellular phone company, after a security lapse led to a data breach involving 1.3 million users. The U.K. Information Commissioner’s Office fined the travel services company Think W3 Limited after a hacker stole the credit and debit card details of more than 1 million customers.
After a period of realtive quiet, data privacy concerns show no sign of disappearing in 2015. Small and middle-sized business, who are often at the greatest risk of breach, will have a lot to follow as the law forms and develops through this and following years.
Among the hot spots to watch are the multiple compliance requirements imposed by state laws, and the progress of class action lawsuits. The future is more likely to be shaped, however, by substantive federal enforcement action on the part of both the FCC and the FTC. Both agencies appear to be taking proactive roles to protect consumer information. Congress may also be spurred to take up legislation, as well.
The most important force, however, may be international conventions and norms. As trade is globalized. these rules may shape the future of data protection in ways that are even more important than state or federal law.