Oceans Apart: Overview of the US Legal Framework

May 19, 2010

Personal information within the US private sector is not subject to overarching, 'umbrella' privacy legislation akin to the EU's Data Protection Directive, as Susan Mann indicates in her piece on data transfers. Instead, a complex patchwork of federal and state legislation, together with industry regulation, is applied to specific 'sectors' of information such as health care and financial services. The following is an illustrative (and far from exhaustive) summary of major legislation and regulation.

Financial Information

Financial Services Modernisation Act 1999 (Gramm-Leach-Bliley Act)

· Places mandatory obligations on financial institutions (i) to protect the personal financial information of consumer customers from foreseeable threats to security and privacy; and (ii) to regulate the collection, disclosure and protection of consumer personally identifiable information (PII).

· Limits sharing of PII by financial institutions.

· Requires consumers to be given privacy notices, and the right to opt out of disclosure of PII to non-affiliated third parties, at the beginning of any relationship and thereafter on an annual basis.

· Applies a 'safeguards rule' requiring financial institutions to develop, implement and maintain a written information security plan.

Fair Credit Reporting Act 1970

· Provides protection for, and regulation of, information maintained by consumer reporting agencies (credit bureaus).

· Requires information to be accurate and up to date and allows consumers to verify and correct consumer credit information.

· Requires users of consumer credit information (eg for credit or employment background check purposes) to notify consumers when adverse action is taken based on a consumer credit report.

Health Information 

Health Insurance Portability and Accountability Act 1996 (HIPAA)

· Regulates the use and disclosure of protected health information (PHI), eg health records or health care payment history linked to an individual and held by 'covered entities' (generally, health care clearing houses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions; akin to data controllers).

· Gives individuals the right to request the correction of inaccurate PHI and requires reasonable steps to be taken to ensure the confidentiality of communications with individuals.

· Requires covered entities to notify individuals of uses of their PHI, to keep track of disclosures of PHI, and to document privacy policies and procedures.

· Requires covered entities to adopt and administer physical, administrative and technical security safeguards to protect PHI held in electronic form.

Health Information Technology for Economic and Clinical Health Act 2009 (the HITECH Act)

· Extends the privacy and security provisions of HIPAA directly to business associates (akin to data processors) of covered entities, placing direct obligations and restrictions on them around their use of PHI.

· Business associates are also directly subject to the administrative, physical and technical safeguard requirements set out in HIPAA, as well as to civil and criminal penalties for failure to comply.

· Requires covered entities to notify affected individuals and the Secretary of Health and Human Services following a breach of unprotected PHI.

Children's Online Privacy Protection Act 1998 (COPPA)

· Applies to the online collection of PII from children under the age of 13.

· Requires verifiable parental consent before the web site operator collects, uses or discloses PII from a child.

· Applies to web sites either aimed directly at children or which knowingly collect PII from children.

Data Breach  

Data Accountability & Trust Act (pending) 

If passed, the Act will require any organization falling under the jurisdiction of the Federal Trade Commission that experiences a breach of electronic data containing PII to notify (i) all US individuals whose information is breached; and (ii) the Federal Trade Commission.

State Legislation 

All but four states have now adopted a data breach notification law in some form or another, covering breaches of security relating to, or unauthorized disclosures of, PII relating to a resident of that state. Some states apply a 'risk of harm' threshold, allowing minor or inconsequential breaches to go unnotified, but many require blanket reporting regardless of harm. In addition, many states impose specific legislative burdens on the use of PII over and above breach notification, for example in the fields of health and financial information.

State regulation operates alongside federal regulation. Indeed, some states impose stronger burdens on those dealing with PII (although note that state legislation is not allowed to dilute the effect of federal law). A full discussion of state regulation of privacy would be an article in itself, but set out below is a sample of the law applied in California and Massachusetts.

California data breach notification law (SB 1386 2003)

This requires any agency, person or business that conducts business in California and owns or licenses computerized PII to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed. The business does not have to be physically located in California.

Massachusetts privacy law (201 CMR 100)

· Came into effect on 1 March 2010 and is regarded as the most comprehensive data protection regulation in the United States.

· Requires all persons (legal or natural) that own or license personal information about a resident to maintain a comprehensive, written information security program containing administrative, technical and physical safeguards. As with California, the business does not have to be physically located in Massachusetts.

· The level of security required is based on a case-by-case risk assessment but includes a requirement to document responsive actions taken in connection with any security breach incident.

Industry Regulation 

Payment Card Industry Data Security Standard (PCI DSS)

· Worldwide compliance standard for information security, defined by the Payment Card Industry Security Standards Council and developed with the aim of helping organizations that process credit card transactions to avoid fraud.

· Applies to all organizations which hold, process, or exchange cardholder information. Depending on the number of cardholders, verification can take the form of either a self-audit or a third-party compliance audit.

· Sets out 12 specific requirements designed to secure and protect customer payment data. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or indirectly, risk losing their ability to process credit card payments and being audited and/or fined.

· Has been incorporated into some specific state legislation (eg the Minnesota Plastic Card Security Act and the Nevada Security of Personal Information Law).

Liz Harding, Of Counsel, Holland & Hart LLP.