Understanding Today's Privacy Regulations Solutions

By: McAfee
Published: May 01, 2008
Length: 6
Type: White Paper
Overview:

As the amount of personal information gathered and electronically stored increases, so does the concern about protecting it. Data Security, Data Protection and Data Breach Laws and Regulations...what does it all mean?

Download this paper to learn about different privacy regulations around the world, and how personal information can be stored and shared without compromising privacy.

Related categories: Access Control, Compliance, Data Protection, Encryption, HIPAA Compliance, Risk Management
Government and private organizations around the world recognize the need for effective data privacy. As the amount of personal information gathered and electronically stored grows, so do the concerns about protecting it. The expectation of privacy is nearly universal, and legislation continues to evolve to ensure that privacy is preserved. The following provides an overview of regulations from around the world that have been enacted with the goal of creating guidelines for how personal information can be stored and shared without compromising privacy.
U.S. Personal Data Security-Breach Notification Laws and Regulations
Although the United States (U.S.) federal government has not passed security-breach notification laws, most U.S. States have enacted such laws since 2002. These laws were enacted in response to an increasing number of breaches of consumer databases containing personally identifiable information. Today, 43 states*, the District of Columbia, and Puerto Rico have enacted legislation requiring that individuals be notified about security breaches involving personal information.
The California data security-breach law, California SB 1386 (also known as the Consumer Data Protection Act), has been the model for similar laws in other states. California SB 1386 requires “a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Personal information includes a Social Security number, driver’s license number, account number, credit or debit card number, or security code or password for accessing a financial account.
Most of the enacted state laws and pending bills have the following features in common:
Personal information: Typically, personal information is defined as consisting of a person’s name (or their first initial and last name) together with an identifying data element such as a Social Security number, driver’s license number, identification card number, account or credit card number with access code or password, date of birth, or biometric data.
Notification requirements: Any person or business (and, usually, any state agency) that owns, licenses, or is responsible for personal-information data and reasonably believes that such data has been accessed by an unauthorized person must notify affected residents of the state.
Notification procedures: Individuals whose personal information data has been compromised must be informed.
Notification timelines: Many of the statutes simply require notification within a reasonable amount of time, although some have specific timelines.
Encryption Safe Harbor
Breach-disclosure requirements vary from state to state, but all the bills have a safe-harbor provision for encrypted data. By using encryption to secure personal information, organizations can avoid being subject to the public-notification requirements if personal information is lost, stolen, or accessed by an unauthorized person. Generally, the organizations must still report breaches to law enforcement.
European Union Data Protection
In general, the expectation of privacy is viewed as a “fundamental human right” in the European Union (E.U.). The protection of individuals’ privacy, and the handling of E.U. citizens’ personal data, is taken very seriously. To the E.U., “personal data” is any and all data that relates to an identifiable individual.
The E.U. has issued an overarching E.U. Data Protection Directive (DPD) (94/46/EC) to ensure the protection of every E.U. citizen’s personal data. This DPD affects how every organization employing and/or doing business with E.U. citizens must handle their data.
The DPD sets up a regulatory framework that tries to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the E.U. The directive sets strict limits on the collection and use of personal data. Each Member State is required to set up an independent national body responsible for the protection of this data. Another section of the directive calls on Member States to determine precisely the conditions under which processing this data is considered lawful.