Data Accountability and Trust Act Passed by House


The Data Accountability and Trust Act (H.R. 2221) was passed by the House on Tuesday. This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

This bill would preempt any state laws in the area, wiping out the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)].

I think it's a good thing to have a national standard in this area. The transient nature of personal data makes it hard to associate with a particular state. That means the most restrictive of the various state laws ends up becoming the de facto national standard.

The downside is that we would have to wait for the FTC to draft the rules, go through the comment period and wait for implementation.

Of course, the Data Accountability and Trust Act is not the law yet. As I learned in Schoolhouse Rock, H.R. 2221 is singing:

I’m just a bill.
Yes, I’m only a bill.
And I’m sitting here on Capitol Hill.
Well, it’s a long, long journey
To the capital city.
It’s a long, long wait
While I’m sitting in committee,
But I know I’ll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.

You Are Here: From the FTC for Your Kids

You Are Here

We’re from the government. We’re here to help.

The Federal Trade Commission has launched a new site designed to help kids learn to protect their privacy, spot frauds and scams, and avoid identity theft.

You Are Here is set up as a virtual mall.

  • Visit the West Terrace to learn about advertising techniques, target marketing, and suspicious claims.
  • Visit the Food Court to learn about business competition, supply and demand, the history of the FTC, and mergers and monopolies.
  • Visit the Security Plaza to learn about protecting your privacy (online and off), and protect the citizens of Earth against identity-stealing invaders.
  • Visit the East Terrace to learn about bogus modeling offers, “free” vacations, “miracle” products, and tip-offs to rip-offs.

You can read more about You Are Here in a story on GeekDad: You Are Here: From the FTC for Your Kids.

Federal Regulators Issue Final Model Privacy Notice Form

Eight federal regulatory agencies today released the final model privacy notice form. It’s supposed to make it easier for consumers to understand how financial institutions collect and share information about them. Under the Gramm-Leach-Bliley Act, institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The two model forms issued today can be used by financial institutions to comply with these requirements. One form allows consumers to opt out of sharing of personal information. The other form has no opt-out.

Back in April, the Securities and Exchange Commission reopened the period for public comment because the agencies had tested the model notices and found weaknesses in the then-current form.

The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. There is also a joint release of the rule that goes along with the Final Model Privacy Form under the Gramm-Leach-Bliley Act.

National Data Privacy Laws Move Forward


With last week’s further revisions to the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)], people are wondering if the federal government is going to step into the space and create a national standard. Most states have enacted some form of data breach or data privacy law, creating a patchwork of laws across the country.

I found three separate bills moving through the legislative process: the Data Accountability and Trust Act (H.R. 2221), the Personal Data Privacy and Security Act of 2009 (S.1490), and the Data Breach Notification Act (S. 139).

Data Accountability and Trust Act (H.R. 2221)

This bill was in the House Committee on Energy and Commerce and referred to the Subcommittee on Commerce, Trade and Consumer Protection. They recommended it be considered by the House as a whole on September 30.

This act would require the Federal Trade Commission to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.

Personal Data Privacy and Security Act of 2009 (S.1490)

Last week, the Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2009 by a vote of 14-5, sending the bill to the full Senate for consideration.

This act would amend the federal criminal code to: (1) make fraud in connection with the unauthorized access of sensitive personally identifiable information (in electronic or digital form) a predicate for racketeering charges; and (2) prohibit concealment of security breaches involving such information.

This law would preempt state regulation in this area.

The Data Breach Notification Act (S. 139)

Last week, the Senate Judiciary Committee approved the Data Breach Notification Act by a vote of 14-2, sending the bill to the full Senate for consideration.

This act would require any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired; and (2) the owner or licensee of any such information that the agency or business does not own or license. The notice must be given “without unreasonable delay” following discovery of the breach.

It also authorizes civil actions by state attorneys general to enforce the act. This act would supersede any other provision of federal law or any provision of state law relating to notification of a security breach by a business entity engaged in interstate commerce or by an agency.

These are just bills, so it’s hard to tell what may happen to them. The clock is ticking. The Massachusetts data security law goes into effect on March 1, 2010.

Google’s New Privacy Dashboard


Have you ever wondered what data is stored with your Google Account?

Over the past 11 years, Google has focused on building innovative products for our users. Today, with hundreds of millions of people using those products around the world, we are very aware of the trust that you have placed in us, and our responsibility to protect your privacy and data.

In an effort to provide you with greater transparency and control over your own data, we’ve built the Google Dashboard. Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented, and we’re delighted to be the first Internet company to offer this — and we hope it will become the standard. Watch this quick video to learn more and then try it out for yourself at www.google.com/dashboard.

I think it’s great that Google makes available all this privacy data in a single place.

You might be surprised how much Google knows, especially if you’ve already forgotten a service or two you’ve signed up for. Keep a close eye out for the items on the page marked with the little blue icon meaning “this bit is public”. At the bottom of the page, Google notes that 16 additional products are not yet covered by the dashboard.

Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law is still the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation issued a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • Anyone who “stores” personal information through their provision of services to a covered person is now a Service Provider subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.

How to Read a Privacy Policy

[Image: How Privacy Policies Stack Up (literally)]

The Common Data Project surveyed the online privacy policies of the largest internet companies. Their conclusion:

We realize that most users of online services have not and never will read the privacy policies so carefully crafted by teams of lawyers at Google and Microsoft. And having read all of these documents (many times over), we’re not convinced that anyone should read them, other than to confirm what you probably already know: A lot of data is being collected about you, and it’s not really clear who gets to use that data, for what purpose, for how long, or whether any or all of it can eventually be connected back to you.

How does your company’s privacy policy stack up?

Privacy on Both Sides of the Atlantic


Here in the United States we are mostly talking about financial information and medical information when it comes to privacy and data security. The state data privacy laws focus on social security numbers and financial account information. HIPAA created a federal regulatory regime for medical information.

Europe has been focused less on financial information and much more on personal information when it comes to data security. The EU regulators are much more protective of the information about where you live, your race and your religion.

I thought this quote summed up the different approaches quite nicely:

Europe: You don’t understand privacy until they come for your neighbor in the middle of the night.

That came from Kim Howard, the Editor of ACC Docket, in a Twitter update. Memories of the Holocaust still drive regulations in the EU.

Massachusetts Amends Strict Data Privacy Law (Again)


UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

The Massachusetts Office of Consumer Affairs and Business Regulation has decided to amend the strict data privacy law and extend the deadline for compliance. This is yet another amendment to the regulations. The last amendment had extended the compliance deadline to January 1, 2010.

In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, the adjustments to Massachusetts’ identity theft regulations allow some flexibility in compliance by small businesses. The regulations now have a risk-based approach that may make it easier on small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, can take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

Key amendments to 201 CMR 17.00 include:

Section 17.01 (1) Purpose of the regulation was amended to include language from M.G.L. 93H.

Section 17.01 (2) Scope of the regulations was revised to cover “persons who own or license personal information”. The section removes previous regulatory language related to those that “store or maintain personal information”.

Section 17.02 Encryption definition was amended to be technology neutral. A definition for the term “owns and licenses” was added to focus the protection of personal information in “connection with the provision of goods or services or in connection with employment”. A new definition for the term “service provider” was added.

Section 17.03 (1) Duty to protect rules look to address size and scope of a firm within the development and implementation of a written information security plan. (2) Amends and removes some requirements for the written information security plan. (f) Amends third party vendor rules and provides a two year window relative to contracts and requirements for compliance.

Section 17.04 Amends computer requirements for persons that own or license personal information to develop a written information security plan “that at a minimum, and to extent technologically feasible, shall have the following elements”.

Section 17.05 Amends the effective date of the regulations to March 1, 2010.

There will be a hearing on the revised regulations commencing at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116. Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to [email protected].

National Data Privacy Law Proposed

Image by Johnny Grim (CC BY-NC-ND 2.0)

With a multitude of states trying to protect their citizens when it comes to breaches of personal data security, it is becoming increasingly difficult to manage compliance with this patchwork of laws. The Data Accountability and Trust Act (H.R. 2221), proposed in Congress, would preempt state laws and make regulation of data security a matter of federal regulation.

If passed in its current form, the procedure and time frame for notifications in the event of a data breach would be standardized instead of differing from state to state. It would also require the Federal Trade Commission to regulate the security practices around personal data.

The most controversial part seems to be the provisions around information brokers (companies that gather personal information about people who are not their customers in order to sell it to third parties). It would require these brokers to establish reasonable procedures to verify the accuracy of the personal information they collect. They would also have to provide consumers with access to that information.

Although it is still working its way through the system, it has already been forwarded by the subcommittee to the full House Energy and Commerce Committee.