Privacy’s Legal Landscape

July 6, 2007

by Laurie Brannen

Over the past several years, a number of security breaches and information thefts involving credit- and debit-card data have grabbed headlines, but none has been of the magnitude of last year's criminal attacks against TJX Cos., the parent of retailer Marshalls, which compromised at least 45.7 million cards according to a Wall Street Journal report.

Law-enforcement investigators, who say the intrusion continued over an 18-month stretch, believe the attackers pointed an antenna at a Marshalls store and, using a laptop, captured and decoded the wireless traffic passing between hand-held price-checking devices, cash registers, and the store's computers. What they recovered from that traffic gave them a way into the parent company's central database, from which they repeatedly stole customer information. Investigators say the total financial damage to the company is still unknown but could exceed $1 billion.

Examining the laws enacted to protect customer and employee information privacy is a little like peeling an onion. There are many layers of protection, including industry-specific regulations; federal laws; state laws, which vary widely; and global laws to which any company that markets beyond U.S. borders must adhere.

U.S. lawmakers are stepping up efforts to require companies to protect customer information in the wake of the TJX Cos. case, which, beyond the card data, compromised the personal information of hundreds of thousands of retail customers and has already resulted in major losses from fraud. The total cost may not be known for years.

Banks that issue credit and debit cards, which have so far shouldered most of the losses resulting from data security breaches, are lobbying Congress to pass legislation requiring a company to bear the costs of customer notification and reissuing cards in the event of a breach.

States are also introducing legislation to protect personal information. A Massachusetts bill would make companies with breached systems totally responsible for losses stemming from fraud. A Minnesota bill would prohibit any company from storing consumer information after a transaction is completed.

Protection of privacy, defined legally as an expectation that confidential personal information disclosed in a setting where there is a reasonable expectation of privacy will not be passed on to third parties, is a relatively recent and still evolving area of law. Privacy law protects four basic interests, says Cydney Tune, a San Francisco-based attorney with Pillsbury Law: a person's name, likeness, and personal facts that might injure reputation; freedom from unreasonable intrusion into personal information such as financial data without permission; protection against publication of private facts, including medical records and income data; and protection against information that places a person in a false light. Most laws, she says, focus on the privacy of name, likeness, and personal information.

Every company that gathers personal customer information is subject to Section 5 of the U.S. Federal Trade Commission Act, which prohibits unfair or deceptive business practices, a category the Commission has applied to failures to protect consumer information. The Commission settled four such cases in 2006 and has brought only 14 to date challenging faulty data-security practices at companies that handle sensitive consumer information.

On the surface, the U.S. Health Insurance Portability and Accountability Act (HIPAA) may look as though it pertains only to companies in the health-care industry, but it also reaches any company that sponsors a health plan for its employees. HIPAA's Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit. Just as companies must take reasonable measures to protect customer information, they must also apply security measures that protect employee medical records.

The Children's Online Privacy Protection Act (COPPA) also cuts a wide swath. Its original intent was to protect the privacy of children under the age of 13 who visit Web sites directed at children, such as some social networking sites, but because there is no reliable age-verification technology, companies in other lines of business face exposure as well.

There is no current federal law requiring notification of a data breach, but most security experts say this will soon change. State privacy laws vary, but states are increasingly imposing breach-notification requirements on companies, following the lead set by California, whose landmark breach-notification law (SB 1386, in force since 2003) requires any organization that does business with California residents to notify an individual when a computer security breach jeopardizes the confidentiality of that person's personal information. The law contains a safe harbor: it applies to unencrypted data, so a company whose compromised personal data was encrypted is excused from notification. In practice that exemption is only as good as the key management behind it; data stored alongside the key that decrypts it is not meaningfully protected.

Even where no statute requires notice of a security breach, that does not mean there is no obligation under ordinary tort law to notify customers or employees, according to Emilio Cividanes, an attorney at New York-based Venable LLP.

Companies that sell products or services beyond U.S. borders are also subject to the laws of the countries in which they do business. The European Union's Data Protection Directive (95/46/EC, Article 17) requires that organizations "implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing," as summarized by RSA Security.

On the surface, the EU's various restrictions on data for marketing purposes look more stringent than those that apply in the rest of the world, but enforcement isn't as strong there as it is in the U.S. "With a combination of forces, corporate America tends to devote resources to taking care of these things," says Cividanes. "American merchant Web sites are far better in terms of security -- and Europeans don't have notification systems."
