Archive for the ‘Laws’ Category

Draft Privacy Bill Makes Your Location, Sexual Orientation “Sensitive Information”

Thursday, May 6th, 2010

On Tuesday, May 4, 2010, Representatives Rick Boucher, Democrat of Virginia, and Cliff Stearns, Republican of Florida, released a draft of a Congressional bill that would extend privacy protections both on the web and offline. Mr. Boucher is the chairman of the House subcommittee on communications, technology and the Internet, and Mr. Stearns is the panel’s ranking minority member. After collecting comments on the draft, the lawmakers hope to have formal legislation introduced within a month or so, Mr. Boucher reported in an interview.

There is currently no national legislation governing how companies tell consumers that they are collecting data, but companies do post privacy notices because certain state laws require it. This bill would be the first national law requiring businesses to provide privacy notices.

The bill provides a privacy baseline, providing limited protection for “covered information” and much tougher protection for “sensitive information.” The bill makes a key distinction between the two kinds of data: covered information collection is “opt-out,” while sensitive information collection would become “opt-in” only.

According to the bill, covered information includes:

* The first name or initial and last name
* A postal address
* A telephone or fax number
* An e-mail address
* Unique biometric data, including a fingerprint or retina scan
* A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number
* A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account
* Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop all such data collection and prevent the company from using even previously acquired data.

Sensitive information can’t be collected and stored without an explicit opt-in assent by the consumer. The bill defines sensitive information as:

* Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
* Race or ethnicity
* Religious beliefs
* Sexual orientation
* Financial records and other financial information associated with a financial account, including balances and other financial information
* Precise geolocation information

The proposed bill would expand what information should be considered confidential. It would also require companies to post clear and understandable privacy notices when they collect information. Such information could range from health or financial data to any unique identifier, including a customer identification number, a user’s race or sexual orientation, the user’s precise location or any preference profile the user has filled out. It could also include an Internet Protocol address, the numerical address assigned to each computer connecting to the Internet, which many companies now use to aim particular messages at users and which the companies argue is not personally identifiable.

The proposed bill already seems to be making everyone unhappy. The New York Times reports that privacy advocates have said that the bill does not go far enough in protecting consumers. Other groups, such as the Progress & Freedom Foundation, believe the bill “could unintentionally devastate the ‘free’ Internet as we know it” because of its effect on data collection for online advertising, resulting in “diminished consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online speech platforms enjoyed by Internet users worldwide.”

To see the draft bill, click here.

To see the New York Times coverage of this bill, click here.

(hat tip to Ars Technica for its post on the bill)

Mississippi Is Latest State to Enact Data Privacy Law

Thursday, April 22nd, 2010

On April 7, 2010, Mississippi enacted H.B. 583, making Mississippi the forty-sixth state with a data security breach notification law on the books.

The law, which goes into effect on July 1, 2011, requires any person who conducts business in Mississippi and who, in the ordinary course of the person’s business functions, owns, licenses or maintains personal information of any Mississippi resident to notify certain individuals when the security of their unencrypted personal information may be at risk.

The language of this law is consistent with that of other states’ data privacy laws in most respects. The one significant difference is that this law requires that notice of a breach be provided only to “affected individuals,” which the statute defines to mean residents of Mississippi whose “personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security.” As drafted, this limitation could excuse providing notice when electronic storage devices containing personal information are lost or accidentally sent to the wrong person.

This law does not require that notification be provided if, after an investigation, the security breach “will not likely result in harm to the affected individuals.”

Failure to comply with the law is deemed to constitute an unfair trade practice, but the right to enforce the law lies only with the Attorney General. The law does not permit a private right of action.

To see a full text of the new law, click here.

Reminder – Compliance with Massachusetts Data Privacy Regulations due by March 1, 2010

Saturday, February 27th, 2010

The deadline for compliance with the Massachusetts regulations for the protection of personal information is March 1, 2010. To view a complete copy of the regulations, click 201CMR1700reg.pdf.

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) originally promulgated these regulations last Fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The purpose of these regulations is to require business practices that minimize the risk of future data breaches and to ensure better protection of that personal information.

If your business holds personal information, as defined by these regulations, you should closely review these regulations to ensure that you are in compliance.

Proposed National Data Security Law Passed by the House

Friday, December 18th, 2009

On December 8, 2009, the U.S. House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill is similar in nature to multiple state breach notification laws that have already been passed. It includes the following:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number
(ii) Driver’s license number or other State identification number
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details of this bill include:

  • The Federal Trade Commission would be the responsible enforcement agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” a standard that will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports to be provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an exemption for encrypted data. In addition, the FTC will define other exemptions if the bill becomes law. The FTC will also be tasked with posting data breaches on its website on a case-by-case basis if the FTC deems it is in the public interest.

Expected Revision To Data Protection Regs Addresses Some Business Concerns

Thursday, August 27th, 2009

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has revised – for a third time – the regulatory scheme created to protect the personal information of Massachusetts residents. The deadline for compliance is now March 1, 2010.

The OCABR originally promulgated the regulations last Fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The regulations have been controversial, particularly among members of the Massachusetts business community, who widely complained that they were inflexible, overly broad and expensive to implement.

The new version of the regulations appears aimed at addressing some of those concerns, while still adhering to the fundamental goal of requiring business practices that minimize the risk of future data breaches.

Among the more significant changes that were just announced: (1) the regulations now apply only to entities that own or lease “personal information,” and no longer extend to those who simply “store or maintain” it; (2) the regulations now adopt a more risk-based approach, addressing criticism that the former draft amounted to a one-size-fits-all mandate; and (3) the new regulations rework the language concerning third-party service providers, requiring contract language essentially obligating service providers to comply with the regulations, but grandfathering pre-existing contracts without such language during the first two years the regulations are in effect.