An Exploration of Security Law Compliance


Over the years, state, federal, and international data security laws have proliferated. These laws impose security requirements on the businesses and governmental entities that they cover.

At first, these laws focused on specific sectors of the economy, such as financial services, health care, or government. Later, state legislatures, foreign governments, and international bodies created more general data protection laws that cut broadly across sectors.

Some of these laws establish only general requirements, such as the mandate to protect certain kinds of information with “reasonable security.” Others provide a much more detailed set of requirements, some that even relate to the use of specific technologies, such as encryption.

Most security-related laws mandate the implementation of security controls to protect security-sensitive information. Other laws, however, create business opportunities if companies adopt security technologies.

Sarbanes-Oxley Act

Congress enacted the Sarbanes-Oxley Act (SOX) to cover publicly traded corporations and to address financial scandals such as Enron and WorldCom. SOX addresses fraud in the finance departments of public companies by requiring them to establish reliable “internal controls” for gathering, processing, and reporting financial information, with the ultimate goal of ensuring accurate reporting of public companies’ finances for the benefit of investors. While SOX and its regulations do not directly require specific data security controls, auditors and leading organizations have created guidance documents that define internal controls, and some of these guidelines treat information security controls as a foundation for strong internal controls.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) loosens certain regulations on the financial services industry. However, it imposes privacy and security requirements on financial institutions, a term that GLBA defines broadly. GLBA and the regulations under it call for financial institutions to protect the privacy of their customers and to protect the security and confidentiality of their customers’ nonpublic personal information.

Federal Information Security Management Act

Congress passed the Federal Information Security Management Act (FISMA) to promote the security of federal agency information systems. FISMA requires that agencies create and implement security programs and report the results of these programs to the Office of Management and Budget, which reports the results to Congress. The National Institute of Standards and Technology (NIST) provides guidance with publications containing specific technology controls and standards for agencies to implement and meet.

Fair and Accurate Credit Transactions Act/Red Flags Rule

The Fair and Accurate Credit Transactions Act (FACTA) helps to reduce consumer risks associated with identity theft. Under FACTA, the Federal Trade Commission (FTC) and other agencies promulgated what are known as the “Red Flags Rules,” which cover financial institutions and creditors that hold consumer accounts. Covered entities must create an Identity Theft Prevention Program for combating identity theft, which includes reasonable policies and procedures for detecting, preventing, and mitigating identity theft. These policies and procedures should include information security controls.

Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability and Accountability Act (HIPAA), among other things, helps workers by protecting the portability of their health coverage. However, HIPAA contains administrative simplification provisions promoting electronic health transactions and protecting the privacy and security of health information as it is processed in these transactions. Under HIPAA, the Department of Health and Human Services enacted comprehensive and broad privacy rules and security rules, which call for specific security controls. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009, as well as final HIPAA/HITECH regulations issued in 2013, expanded the scope of the HIPAA Security Rule and included new breach notification requirements regarding the compromise of health information.

California Confidentiality of Medical Information Act and Other State Privacy Laws

The California Confidentiality of Medical Information Act and other California laws prohibit healthcare providers from disclosing patient records without authorization. Moreover, other California laws prohibit healthcare workers from “snooping” in patient records; these laws were enacted after high-profile security breaches in which hospital workers looked at celebrities’ records. Newer legislation requires healthcare providers to protect the integrity of medical records and to log access to them.

California SB 1386 and AB 1950

California was the first state to enact a breach notification law, SB 1386, requiring businesses and state agencies to notify affected California residents whose personal information was compromised. SB 1386 covers personal information in the form of a driver’s license/California ID card number, social security number, or financial account number (with access code) in combination with a last name and first name or initial, as well as medical records. The law covers businesses that own or license such personal information. SB 1386 requires them to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

California’s AB 1950 covers the same category of businesses and personal information. Under AB 1950, covered entities must implement reasonable security procedures and practices to protect personal information against unauthorized access, destruction, use, modification, or disclosure. AB 1950 does not call for specific security controls.

Other states and nations have laws or guidelines similar to both SB 1386 and AB 1950.

State Consumer Protection Laws

California has three laws commonly used in consumer claims against product and service providers. First, California’s Unfair Competition Law (UCL) strikes at “unfair competition,” including unfair and deceptive trade practices. The UCL appears at Business & Professions Code Section 17200 and following sections. Second, California’s False Advertising Law prohibits making untrue or misleading advertising statements. Finally, the California Consumers Legal Remedies Act prohibits specific categories of unfair and deceptive trade practices.

Cybercrime Laws

Federal and state cybercrime laws prohibit, among other things, gaining unauthorized access to computer systems, damaging computer systems, or spreading malware. The federal Computer Fraud and Abuse Act is a criminal statute; it also creates a private right of action for victims of certain categories of cybercrimes. While these laws do not establish security requirements per se, they may become relevant to the conduct of company personnel. Companies should train and supervise their employees to prevent them from violating these laws when developing products, delivering services, or otherwise conducting business.

EU General Data Protection Regulation


In May 2018, companies collecting and processing personal data from citizens of the European Union and European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) will need to comply with the EU General Data Protection Regulation, or “GDPR” for short. The GDPR recognizes certain privacy rights as fundamental rights of individuals (called “data subjects”). As a regulation, the law imposes a uniform framework of privacy requirements on the member states of the European Union and the European Economic Area.

GDPR covers a wide variety of “personal data.” “Personal data” means any information relating to an identified or identifiable natural person, including but not limited to names, health information, financial information, email addresses, and even IP addresses, phone numbers, and device identifiers.

Businesses in the United States that have a European presence or are cultivating a customer base in Europe are potentially covered. In addition to certain privacy protections, Article 32 of GDPR requires companies collecting personal data (“controllers”) and data processors working on behalf of controllers to implement security controls. Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.

The California Consumer Privacy Act (CCPA)

The latest law at the state level to raise concerns is the California Consumer Privacy Act (CCPA). Governor Brown signed the CCPA at the end of June 2018. It will become effective in January 2020.

Once effective, CCPA will grant California residents some of the rights found in GDPR. CCPA applies to companies over certain size thresholds in revenue and records, and to companies whose business consists mostly of selling personal information. CCPA defines “personal information” very broadly. Covered businesses that collect or sell personal information about California residents will need to disclose information upon the request of consumers, such as an accounting of personal information collected, sold, or disclosed; an identification of the exact pieces of personal information collected; and the categories of entities receiving the personal information. California residents can opt out of the sale of personal information and, similar to GDPR, they can demand the erasure of personal information maintained by a covered business (with exceptions). Regulations from the Attorney General are pending comment, recent amendments were just signed by the Governor, and further amendments to the law are quite possible. Accordingly, compliance efforts are still in flux as of the time of this paper.

CCPA is largely a privacy law, but it does have a security component. It permits consumers to sue businesses covered by CCPA and obtain a flat amount of “statutory damages” of $100 to $750 per consumer per violation of the law. If large numbers of records were involved in a breach, statutory damages could add up to very large sums. The breach must involve a compromise of personal information covered by AB 1950’s requirement of reasonable security. See Section IV.G above. In essence, this law allows consumers to enforce AB 1950’s requirement to protect personal information with reasonable security. Consumers can recover their actual damages if they are higher. However, consumers must give businesses 30 days’ written notice to correct violations before filing suit and must notify the Attorney General. The Attorney General can take over the case from the consumer after receiving the notice.
