Stay Alert – Please
Many of Armolon’s new clients are just becoming aware of how important it is to stay alert regarding the data storage and data breach notification rules of jurisdictions where their clients are “resident.”
Countries, associations of countries (e.g., the European Union – see footnote at the end of this blog), states, counties and cities “protect their own”, and privacy protection of a politician’s constituency is very attractive (especially to the politician). Hence the residency requirement (as defined by the applicable legislation).
Along these lines, the remainder of this blog is taken from text provided by the law firm of Hunton Andrews Kurth LLP for use by LEXOLOGY.
The text below provides general summaries and does not constitute legal advice.
If you have any questions, or want further clarification on the laws, rules and regulations that may have a huge negative impact on your organization’s bottom line, we will help put you together with the proper cybersecurity attorneys.
As I have mentioned before, based on my experience, the Hunton law firm is the authority in U.S. and international data privacy laws, rules and regulations.
In the United States, a Patchwork of Privacy and Data Security Laws
A patchwork of privacy and data security laws at federal and state levels comprises the legislative framework for the protection of personal information in the United States. While the United States does not have a comprehensive federal data protection law, regulations are promulgated primarily at the industry sector and state levels. Key data privacy and security requirements are contained in myriad sector-specific federal laws, including:
- Title V of the Gramm-Leach-Bliley Act, which establishes privacy and security requirements for financial institutions
- the Health Insurance Portability and Accountability Act of 1996, which imposes privacy and security obligations on health plans, healthcare clearinghouses and healthcare providers (collectively ‘covered entities’) via the Privacy and Security Rules
- Section 5 of the Federal Trade Commission (FTC) Act (FTC Act), which prohibits “unfair and deceptive acts or practices in or affecting commerce” and has been used by the FTC to bring enforcement actions in the data privacy and security context
- the Electronic Communications Privacy Act, which applies to electronic communications
- the Computer Fraud and Abuse Act, which protects against computer crimes
- the Children’s Online Privacy Protection Act, which regulates the online collection of personal data from children under 13
- the Family Educational Rights and Privacy Act, which applies to educational records
- the Fair Credit Reporting Act, which covers the use of consumer reports
At state level, many states have enacted privacy and data breach notification laws, and some states have enacted information security legislation designed to regulate the safeguarding of personal information maintained by organizations and their service providers (e.g., vendors).
Because there is no comprehensive federal privacy or data protection legislation in the United States, the applicability of the different federal and state laws and regulations varies. In general, at federal level, the scope and applicability of privacy and data protection requirements vary by industry sector. At state level, privacy and data protection laws typically apply to organizations that maintain certain categories of personal information about residents of the relevant state, meaning that a business may be subject to a state’s privacy or data protection law if it maintains data about a resident of that state, even if it does not otherwise operate in or have a physical presence in that state.
Numerous regulatory bodies in the United States (e.g., the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau and the Department of Health and Human Services) have the authority to bring cybersecurity-related actions. The FTC is the primary federal regulator that enforces data security requirements. Although the FTC has no authority to fine companies for Section 5 violations, FTC enforcement actions often result in consent decrees that prohibit the company from future violations of the FTC Act and that may trigger fines if violated.
Other federal regulators may enforce data security requirements pursuant to sector-specific laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) and relevant security-implementing regulations. At state level, state attorneys general and state insurance commissions may bring enforcement actions (including via consolidated, multi-state actions) against companies for violations of state consumer protection, information security and breach notification laws.
Penalties and/or Awards Can Be Staggering
Violations of federal and state privacy laws typically result in civil penalties, not criminal sanctions. The main exceptions are laws directed at surveillance activities and computer crimes. Violations of federal wiretap and electronic surveillance laws, the Computer Fraud and Abuse Act and state surveillance laws can result in criminal penalties as well as civil liability. Further, the US Department of Justice is authorized to prosecute certain HIPAA violations, and criminal penalties may result from knowing violations of the act’s restrictions on obtaining and disclosing certain protected healthcare information. The Department of Justice is not similarly authorized to criminally prosecute violations of other sector-specific privacy and data protection regulations, such as those imposed by the Gramm-Leach-Bliley Act.
Most state data breach notification laws provide for civil remedies. The laws may provide that the state attorney general has the power to bring an action in law or equity to address violations of the breach notification requirements. However, several states provide for private rights of action, allowing affected individuals to seek an injunction or recover actual damages and, in some cases, litigation costs and attorneys’ fees.
Penalties also may arise from breach of contract claims resulting from noncompliance with contractual provisions regarding cybersecurity-related obligations.
Next Step – If you would like to follow up with Hunton about whether your organization needs to be brought up to speed in jurisdictions where you have resident clients, please call our office at 515-989-5661. We will put you together with the correct attorney at Hunton.
Footnote – The European Union’s General Data Protection Regulation (GDPR), effective as of May 1, 2018, is very clear on the significant penalties for failure to comply with the provisions of the GDPR.