Managing Customer Data From The EU: Are You Compliant?

TRUSTe presented a webinar on Managing Customer Data From The EU: Are You Compliant? The panelists were:

Maureen Cooney, CPO and VP of Public Policy, TRUSTe
Damon Greer, Director, US-EU Safe Harbor Framework, US Department of Commerce, International Trade Administration
Heather Shaw, Vice President, ICT Policy, US Council for International Business
Dean Forbes, CIPP, Sr. Director, Global Privacy Office, Global Compliance & Business Practices, Schering Plough

In the EU, the consumer owns the data about them. In the US the collector owns the data.

There is a safe harbor available, but you must be under the jurisdiction of the FTC and the DOT. Financial services sector, insurance, telecommunications and non-profits are not eligible.

Zip Codes Are Not Personal Identification Information Under California Law

In Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not “personal identification information” under California’s Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08. Information “concerning the cardholder” is protected pursuant to the purposes of the Act, in order to prevent customer identification that goes beyond what the consumer has consented to disclose.

In this class action case, the plaintiff claimed that Party City’s request for a zip code in connection with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal overturned the trial court, concluding that summary judgment should be entered for Party City.

The Court of Appeal found that zip codes are not personal identification information based on the plain language of the Act. The Court of Appeal also examined postal regulations to understand what zip codes encompass. The Court of Appeal determined that zip codes are not “personal” identification information about a particular cardholder.

“A zip code is not an address, but only a portion of it, and knowing a stand-alone zip code has not been shown to be potentially more helpful in locating a specific person than knowing his or her state or county of residence. A zip code is not an individualized set of identification criteria, such as telephone numbers would be, but rather zip codes provide identification of a relatively large group, on the present record.”

Timothy P. Tobin (UPDATE: Apparently he is no longer an attorney at Proskauer) of the Privacy Law Blog of Proskauer Rose LLP pointed out this case.

FSA Berates Compliance Officers in Crackdown on Data Security Breaches

Joanne Wallen of Complinet writes about the reaction of the U.K.’s Financial Services Authority: FSA Berates Compliance Officers in Crackdown on Data Security Breaches (.pdf).

The FSA focused on compliance officers for not putting enough focus on data security.

Examples of good practice at firms that the FSA visited included encrypting laptops and using secure internet links to transfer data to third parties. This was something that HSBC claimed it usually did, but the bank was caught out when its electronic system went down and it instead transferred the records of 370,000 life insurance customers onto a disc that it then sent in the post to its reinsurer at the beginning of February. As of the beginning of April, the disc had not yet turned up. Other examples of best practice include masking customers’ financial details where they are not necessary for staff to do their jobs and appointing a senior manager with overall responsibility for data security.

Morrison and Foerster Privacy Library

Morrison & Foerster has put together a Privacy Library with links to the relevant statutes and regulations. The library includes each state in the U.S., along with other countries and multilateral organizations.

The firm has also launched Summit Privacy, a subscription service that provides a searchable privacy database of global privacy laws.

Six States Now Require Social Security Number Protection Policies

Miriam Wugmeister and Nathan D. Taylor of Morrison & Foerster wrote the December Privacy and Data Security Update: Six States Now Require Social Security Number Protection Policies.

  • Connecticut – Ct. H.B. 5658.
  • Massachusetts – 201 Mass. Code Regs. §§ 17.01 – 17.04.
  • Michigan – Mich. Comp. Laws § 445.84.
  • New Mexico – N.M. Stat. §§ 57-12B-2 – 57-12B-3.
  • New York – N.Y. Gen. Bus. Law § 3990dd(4).
  • Texas – Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 – 501.053 (effective April 1, 2009).

These state SSN protection policy requirements highlight the importance of maintaining up-to-date privacy policies that comply with the evolving requirements under applicable state laws. To get started, an organization should consider taking the following steps:

  • determine if you collect or maintain SSNs;
  • review your policies and procedures that are employee-facing to determine if you have sufficient policies to meet the obligations under the various state laws;
  • update your policies and procedures as needed;
  • train employees on the new policies and procedures; and
  • audit your employees to ensure that they are complying with your policies and procedures.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure out what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators’ view of the regulations. The regulators acknowledge that the regulations are burdensome. Tough!! they say. “Look at all of the data breaches!”

The regulations started with MGL c. 93H addressing data breaches and Section 2(a) of MGL c. 93H providing for the promulgation of regulations. What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts residents, you can treat it differently from other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be lawsuits under these statutes. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach. The law creates the standard. Failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by the data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4%  Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Policy required by the law. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, as well as those of other states, has a very short time frame for notification. Less than half the audience had a well defined plan or even a somewhat defined plan.

On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5%  Not sure

The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge. 53% of the audience has not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile for that vendor. 59% of the audience had not identified vendors that handle personal data.

As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

Public Hearing on Massachusetts Data Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business has published a Notice of Public Hearing on 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. (.pdf)

The hearing is on Friday, January 16, 2009 at 2:00 pm in Room No. 5-6, Second Floor of the Transportation Building, 10 Park Plaza, Boston.

Additional Time to Comply with Identity Theft Prevention Regulations

The Massachusetts Department of Consumer Affairs and Business Regulation has extended the deadline for compliance with 201 CMR 17.00: Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations.

The regulations were originally set to take effect on January 1, 2009. That deadline has been extended to May 1, 2009. The deadlines for certification from third party providers and ensuring encryption of laptops have been extended to January 1, 2010.

See previous posts:

New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses

A white paper written by Joe Laferrera of Gesmer Updegrove LLP New Data Security Regulations Have Sweeping Implications For Massachusetts Businesses (.pdf) provides a great analysis of the new Massachusetts Data Privacy Regulations, their impact and how to deal with them.

These are my prior posts on the new Massachusetts Data Privacy Regulations:

Thanks to Lee Gesmer of MassLawBlog.com for pointing out the article.

Computer System Requirements for New Massachusetts Privacy Regulations

As discussed in earlier alerts (Additional Guidance on the Massachusetts Privacy Regulations, Privacy and Security Alert: Massachusetts Has New Data Security Regulations and New Massachusetts Privacy Laws), starting on January 1, 2009, businesses will be held to a higher standard regarding the protection of Massachusetts residents’ personal information. The regulations (201 CMR 17.00) set out in detail the required minimum standards to be met by persons or businesses who own, license, store, or maintain personal information about a Massachusetts consumer or employee. The Standards apply to paper as well as to electronic records.

The regulations have some very specific requirements for computer system security (201 CMR 17.04):

  1. Secure user authentication protocols
  2. Secure access control measures
  3. Encryption of transmitted records and files (to the extent feasible)
  4. Reasonable monitoring of systems (for unauthorized access to personal information)
  5. Encryption of all personal information stored on laptops or other portable devices
  6. Reasonably up-to-date firewall protection for files containing protected information on a system that is connected to the Internet
  7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
  8. Education and training of employees on the proper use of the System and the importance of personal information security
  9. Features required for secure user authentication protocols and secure access control measures.