Privacy and Data Security
Information privacy and data security issues involve nearly every facet of an organization’s activities. With the rapid development of digital and information technology, most organizations — big and small — now handle and process sensitive personal information, including employee data, medical records, financial information, consumer information, social security numbers, credit card numbers, dates of birth, and other types of information that relate to identified or identifiable individuals.
The handling and processing of sensitive personal information is subject to laws and regulations that are numerous and complex, vary by location, and are constantly changing. If an organization does not take appropriate care to protect against prohibited access to or loss of personal information, it can be subjected to significant fines and, more importantly, considerable damage to its reputation.
Lane Powell’s Information Privacy and Data Security attorneys include members of the International Association of Privacy Professionals.
Lane Powell’s attorneys help our clients manage a host of concerns relating to privacy and data security, including:
- Complying with federal, state, and international privacy and security laws.
- Developing internal privacy policies, including policies and procedures for employee privacy and social media.
- Preparing privacy-related notices to consumers.
- Handling data breach responses and notifications.
- Litigating disputes relating to data breach, privacy, security, and consumer protection.
- Developing programs and policies governing storage, access, transfer, use, disclosure, and disposal of information.
- Navigating trade secret protection and enforcement.
The legal assistance we provide to our privacy and data security clients covers all of the following federal and state laws:
- State data breach notification laws — 46 states require an organization to notify individuals whose personal information maintained by the organization has been subjected to unauthorized acquisition. Requirements regarding the contents, form (e.g., email or written notice), and timing of the notice, and specific circumstances requiring notice, vary from state to state. For example, some states require notification only if the breach is likely to result in misuse of the information or harm to the individual whose information was acquired, whereas other states require notification regardless of whether harm is likely to occur. Additionally, several states require that a data breach be reported to the state’s Attorney General or other enforcement agency.
- Fair Credit Reporting Act (“FCRA”) — The FCRA regulates the collection, use, and disclosure of consumer report information. Consumer reporting agencies and users of consumer report information (e.g., prospective employers) are subject to the FCRA.
- Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) — FACTA is an amendment to the Fair Credit Reporting Act that contains provisions to prevent identity theft. For example, FACTA requires each of the three nationwide consumer reporting companies (Equifax, Experian, and TransUnion) to provide a free credit report once every twelve months to any consumer who requests it, and allows individuals to place alerts on their credit histories if identity theft is suspected.
- Health Insurance Portability and Accountability Act (“HIPAA”) — HIPAA applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. HIPAA regulates the collection, use, and disclosure of protected patient information by covered entities and also requires such entities to maintain administrative, physical, and technical safeguards to protect the security of electronic protected information.
- Health Information Technology for Economic and Clinical Health Act (“HITECH”) — The HITECH Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology. It contains incentives designed to accelerate adoption of electronic health record systems among providers and also expands the scope of privacy and security protections available under HIPAA.
- Gramm-Leach-Bliley Act (“GLBA”) — GLBA, also known as the Financial Services Modernization Act of 1999, repealed part of the Glass-Steagall Act of 1933 and removed restrictions on vertical integration of certain types of financial institutions. It also requires financial institutions, a term broadly defined under GLBA, to provide a privacy notice to each consumer at the time the consumer relationship is established and annually thereafter. The privacy notice must satisfy certain statutory requirements, including containing information about the consumer’s right to opt out of certain information being shared with third parties.
- Family Educational Rights and Privacy Act (“FERPA”) — FERPA is a federal law that protects the privacy of student education records. The law applies to schools that receive certain types of funding under U.S. Department of Education programs. Among other requirements, the law requires schools to allow parents or eligible students the right to inspect their education records and restricts schools from releasing education record information unless they have permission from the parent or eligible student.
- Telephone Consumer Protection Act (“TCPA”) — The TCPA regulates the use of telephones for the purpose of making commercial solicitations. Among other requirements, the TCPA requires telemarketers to honor registrations with the National Do-Not-Call Registry, to maintain their own “do not call list” and honor any request not to be called again, to have a written policy available to anyone upon request, and to train employees in compliance.
- Combating the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) — The CAN-SPAM Act regulates use of email for commercial purposes, and applies to “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Among other requirements, senders of commercial emails must give recipients the right to opt out of receiving further emails from the sender and honor such opt out requests promptly.
- Junk Fax Prevention Act (“JFPA”) — The JFPA is an amendment to the Telephone Consumer Protection Act (“TCPA”), which, in addition to regulating telemarketing, generally prohibits unsolicited facsimile advertisements. The most notable change made by the JFPA to the TCPA is that unsolicited faxes to persons with whom the sender has an established business relationship are now exempt from the provisions of the TCPA.
- Telecommunications Act of 1996 — The Telecommunications Act is the first major overhaul of U.S. telecommunications law in more than 60 years. The law restricts telecommunication carriers’ collection, use, and disclosure of information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.
- Video Privacy Protection Act (“VPPA”) — VPPA generally prohibits any video tape service provider from disclosing the title, description, or subject matter of video tapes obtained or requested by a consumer.
- Cable Communications Privacy Act (“CTVPA”) — CTVPA regulates cable operators’ collection, use, and disclosure of subscribers’ personally identifiable information.
- Electronic Communications Privacy Act (“ECPA”) — The ECPA consists of the Wiretap Act and the Stored Communications Act. These acts regulate when electronic communications can be monitored or reviewed by third parties, including Internet Service Providers. Generally, it is a crime for persons to intercept or acquire electronic communications, including email, unless certain exceptions apply.
- Communications Assistance to Law Enforcement Act (“CALEA”) — CALEA requires telecommunication carriers to cooperate in law enforcement investigations that require wiretapping of digital telephone networks. For example, the law requires telecommunication carriers to make it possible for law enforcement to tap phone conversations carried over their networks and to make certain call records available to law enforcement.
- USA Patriot Act — The USA Patriot Act expanded the scope of the Foreign Intelligence Surveillance Act (“FISA”) of 1978, which regulates electronic and wire surveillance, physical searches, and government access to and surveillance of certain other types of information and communications that involve foreign powers.
- Genetic Information and Non-Discrimination Act (“GINA”) — GINA contains amendments to the Employee Retirement Income Security Act of 1974 and the Internal Revenue Code, and restricts the use of genetic information in health insurance and employment.