As businesses store and transmit more and more information digitally, concerns over the potential for unauthorized access to consumers’ personal data continue to grow. Although Canada, the European Union, and other jurisdictions outside of the United States have implemented uniform laws or guiding principles that cover privacy rights in cyberspace, the US has not yet comprehensively addressed these concerns.
There have been some federal laws implemented in recent years that address the protection of consumers’ privacy and digital data in the financial services sector and in the health care services arena. Privacy and security concerns as they relate to consumers’ personally identifiable information and information pertaining to children have also been addressed at the federal level.
In the absence of wide-ranging guidance at the federal level, US states have attempted to address the growing awareness of the risks of third-party access to personal information through state-level privacy legislation. With laws covering data breach notification requirements when digital information has been compromised, social security number confidentiality, and credit card processing, states are attempting to fill in the gaps. In addition, the credit card industry has imposed its own set of data security requirements on almost all US consumer businesses through their merchant banking relationships.
Beginning with my next post, I will provide a serial – and very general – overview of the significant privacy and data security laws and regulations. I will start with the Gramm-Leach-Bliley Financial Services Modernization Act, which imposes privacy and other data protection obligations on the financial services industry at the federal level. In the coming weeks, I will discuss some of the other important privacy and data security laws and regulations that affect businesses, including HIPAA and the HITECH Act for the health care services industry; the Children’s Online Privacy Protection Act (COPPA); the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act (FACTA); and the credit card industry’s Payment Card Industry Data Security Standard (PCI DSS). I also will look at some of the more significant state trends as they may affect businesses on a local level.