“Things that go bump in the night – and who’s regulating them”
Safe and Sound 10/13/14 By John L. Barlament
Data security, and the threat of catastrophic breaches, is rising up the list of things that keep in-house counsel awake at night. But unlike other things that go bump in the night, this threat is really out there—and it can be frightening, particularly for companies that aren’t prepared.
Fast Company reported that nearly half of U.S. companies have had data breaches in the past year. Forty-three percent of companies in the United States faced a data breach, according to a study by Experian and Ponemon.
The Ponemon Institute’s 2014 Cost of Data Breach Study reported that the average cost of a corporate data breach was $3.5 million, up 15 percent from the year before. This reflects an average cost of over $200 per affected individual. Even scarier: it’s no longer a matter of whether your company will suffer a breach, but when.
And just as corporate leaders scramble to catch up with the technological challenges around data privacy and security, they’re also often struggling to understand the legal and regulatory issues and obligations. It’s a challenge for sure, not least because lawmakers and regulators are themselves scurrying to keep up.
Further complicating the situation: in the United States it is not yet clear who is in charge and responsible for overseeing these privacy and cybersecurity regulations.
While foreign jurisdictions like Australia and the European Union have created a centralized data protection authority, the U.S. operates with what we call a “sectoral framework.” We’ve got a federal authority with broad enforcement jurisdiction and we’ve got states developing their own protections and rules. Further, U.S. and state laws regulate certain types of data differently. Personal data, health data and financial data may get special treatment — depending on where the data, or the data subject, lives.
Confusing? Yes. And while we can’t possibly tell you everything you need to know in a single post, we can peel away the layers with each post in this new blog. We’ll dive deeper during the coming months and take snapshots of many fast-moving areas of data privacy and security law so that you stay on top of this area. But in this post we’ll start with the feds.
As the agency with the broadest regulatory mandate, the Federal Trade Commission (FTC) has stepped up as a sort of unofficial U.S. data protection authority. Citing its authority to regulate unfair and deceptive trade practices, the agency has declared that failure to safeguard data can violate federal law (as an unfair or deceptive business practice). The FTC has aggressively prosecuted companies it has deemed to have run afoul of that rule. In April, the FTC won a major victory when a federal court in New Jersey upheld the agency’s authority to sue companies for failure to maintain reasonable and appropriate data security. The lawsuit stemmed from a case in which a data hack of a major hotel chain exposed thousands of consumers’ private credit card information.
The FTC has also been tasked with enforcing several federal laws related to data privacy and security. Among these is the Children’s Online Privacy Protection Act (COPPA), originally passed in 1998 and updated with new regulations in the summer of 2013. COPPA applies to any entity that collects data online from children under the age of 13. That can include IP addresses, Twitter handles, zip codes and a host of other personal information.
But the FTC isn’t the only federal agency with jurisdiction on privacy matters. The Federal Communications Commission enforces the Telephone Consumer Protection Act, regulating the use of phone numbers in certain contexts. And the Department of Education has authority to regulate student data under the Federal Education Rights and Privacy Act.
Meanwhile, Congress is busily addressing a number of hot-button data issues as well. Among the bills we’re keeping a close eye on in this session:
- The Location Privacy Protection Act (mobile devices and applications)
- The Personal Data Privacy and Security Act (corporate data security rules)
- The Data Security Act (identity theft protection)
- The Commercial Privacy Bill of Rights (data collection and protection rules)
Again, we’ll explore these bills and other new developments in future posts. And in our next post, we’ll break down the patchwork quilt of state law and regulation.