Kroll Ontrack | Home

Important Laws and Regulations

Federal Legislation for the Privacy and Protection of Personal Information

The following U.S. federal laws and regulations relate to the privacy and security of an individual’s personal information and security breach notification. Please note this list features selected legislation and should not be considered exhaustive.

Fair Credit Reporting Act (FCRA)

The FCRA regulates, among other things, the collection and dissemination by a consumer reporting agency of information about an individual’s (consumer’s) criminal, employment, and educational history, creditworthiness, and other personal characteristics. The FCRA’s definition of “consumer reporting agency” encompasses, for example, credit bureaus and background check companies.

  • The FCRA establishes procedures that employers are required to follow before obtaining a report on an applicant or employee from a consumer reporting agency and before taking any adverse action based in whole or in part on information contained in the report.
  • The FCRA provides consumers with certain rights, such as the right to request disclosure of consumer information maintained by the consumer reporting agency and the right to dispute the completeness or accuracy of such information with the agency.
  • When a consumer submits a dispute, the consumer reporting agency generally must reinvestigate the disputed information, free of charge to the consumer, within 30 days of receiving notice of the dispute. If the consumer reporting agency determines that the disputed information is inaccurate, incomplete, or cannot be verified, the agency must, among other things, promptly delete the information from the consumer’s file (or modify the information as appropriate) and notify the furnisher of the disputed information of the deletion or modification.
  • The U.S. Federal Trade Commission (FTC) is responsible for enforcing the FCRA.

Fair and Accurate Credit Transactions Act (FACTA)

FACTA was passed in 2003 as one of the amendments to the FCRA.

  • Under FACTA, the three nationwide consumer reporting agencies (i.e., Equifax, Experian, and TransUnion), as well as nationwide specialty consumer reporting agencies (i.e., agencies that report on a nationwide basis on medical payments; residential, check writing, or employment history; or insurance claims), are required to provide, upon request from the consumer and free of charge, one disclosure of the consumer’s file during any 12-month period. In cooperation with the Federal Trade Commission, Equifax, Experian, and TransUnion established a website — located at http://www.annualcreditreport.com/ — that consumers can use to request their free, annual disclosure.
  • FACTA also permits a consumer who is the victim of identity theft to place a fraud alert on the consumer’s file with the nationwide consumer reporting agencies. For 90 days, an initial fraud alert tells creditors to follow certain procedures, including contacting the consumer, before opening any new account or changing an existing account.
  • Regulations published by the Federal Trade Commission in response to a directive contained in FACTA require users of consumer reports, such as employers, lenders, and insurers, to securely dispose of the reports and any information derived from them. Examples of secure disposal include shredding paper documents and “cyberscrubbing” workstations, laptops, and other electronic storage devices before disposing of them.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Congress enacted HIPAA, in part, to protect the privacy and security of protected health information (PHI) maintained by covered entities. Covered entities include most healthcare providers (i.e., those who use HIPAA-mandated electronic codes for billing purposes), health insurance companies, and employers who sponsor self-insured health plans.

  • The U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. The two principal sets of regulations issued by HHS to implement HIPAA are the Standards for Privacy of Individually Identifiable Health Information (the “HIPAA Privacy Rule”) and the Security Standards for Individually Identifiable Health Information (the “HIPAA Security Rule”).
  • The HIPAA Privacy Rule requires covered entities to implement policies and procedures to ensure that (a) workforce members use and disclose PHI only for permissible purposes and (b) patients and insureds can exercise their HIPAA-mandated rights, such as the rights to access and to amend PHI.
  • The HIPAA Security Rule requires covered entities to implement policies and procedures to ensure the confidentiality, integrity, and availability of PHI in electronic form; to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI; and to protect against reasonably anticipated uses or disclosures of electronic PHI in violation of the HIPAA Privacy Rule.

Health Information Technology for Economic and Clinical Health (HITECH) Act

  • The HITECH Act, effective February 17, 2010, supplements the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule.
  • The Act requires covered entities to notify patients and insureds whose PHI is compromised by a security breach.
  • It extends many of the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule to vendors — such as insurance brokers, billing services, and third-party administrators — who create or receive PHI when providing services to covered entities.
  • The HITECH Act increases the penalties that HHS can impose on a covered entity for violating HIPAA or its implementing regulations.

Gramm-Leach-Bliley Act (GLBA)

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLBA, protects consumers’ non-public personal information maintained by a covered financial institution. Covered financial institutions include banks, mortgage brokers, credit unions, financial or investment advisory services providers, auto dealers that lease and/or finance, collection agencies, and other creditors.

  • GLBA requires that each financial institution provide its customers (but not other consumers) with a privacy notice that explains the financial institution’s privacy policies and practices. GLBA also establishes standards for a financial institution’s permissible disclosure of consumers’ non-public personal information to unaffiliated third parties and requires that each financial institution establish a procedure for consumers to “opt out” from most of those disclosures.
  • In addition to these privacy protections, GLBA directed the several federal regulatory agencies that oversee financial institutions to issue regulations to ensure the security and confidentiality of customer records, to protect against any anticipated threats to the security or integrity of such records, and to protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer. The regulations issued by the Federal Trade Commission, one of the regulatory agencies responsible for implementing GLBA, are known as the Standards for Safeguarding Customer Information, or the “Safeguards Rule.”
  • In March 2005, the federal agencies that oversee financial institutions subject to GLBA issued guidelines which address security breaches. These guidelines require covered financial institutions to notify any customer whose non-public personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible.

State Legislation about Identity Theft and Security Freezes

Identity Theft Legislation

Identity theft is a crime in every state. While the definition of identity theft varies among the states, the crime typically involves the use of the victim’s personal information, such as Social Security number, driver’s license number, or credit/debit card number, to commit fraud or other crimes.

According to a recent survey by the National Conference of State Legislatures (NCSL), 29 states have enacted restitution statutes. These laws generally require that a person convicted of identity fraud reimburse the victims for all losses caused by the crime.

The NCSL survey also reports that 12 states have enacted identity theft passport programs to assist victims of identity theft. Under Ohio’s program, for example, the police officer who completes the police report on the victim’s complaint of identity theft also submits an application on behalf of the victim for an Identity Theft Verification Passport. The identity theft victim can present the passport to (a) law enforcement agencies to help prevent arrest for offenses committed by someone using the victim’s identity, (b) creditors to aid in the investigation of fraudulent charges, and (c) consumer reporting agencies as official notice of disputed charges on credit reports.

Consumer Report Security Freeze Laws

As of October 2010, 47 states (Alabama, Michigan, and Missouri are the exceptions) have enacted laws that require the nationwide consumer reporting agencies (i.e., Equifax, Experian, and TransUnion) to place a security freeze (also known as a credit freeze) on a consumer’s file, upon request from a consumer. A security freeze prohibits the consumer reporting agency, with limited exceptions, from releasing any information in the consumer’s file without the consumer’s authorization. A security freeze is designed to prevent potential credit grantors from accessing a consumer’s file maintained by a nationwide consumer reporting agency without the consumer’s consent.

Consumers who suspect that they may be the victim of identity theft can use a security freeze to prevent an identity thief from using the consumer’s personal information to obtain fraudulent loans or other extensions of credit.

Since November 1, 2007, Equifax, Experian, and TransUnion have allowed all consumers in all states to set a security freeze, regardless of state law. State law may limit the fees that these agencies can charge for establishing, temporarily lifting, and permanently lifting a security freeze.

State Legislation about Breach Notification, Privacy Protection, and Information Security

Security Breach Notification Laws

Currently, a total of 46 states and four territories (the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands) have breach notification laws in place. These laws generally define “personal information” to include, at a minimum, first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states have added other categories of information to this definition, such as health information, health insurance information, and unique biometric identifiers (e.g., a fingerprint).

The notice laws generally define a security breach to mean the unauthorized acquisition of unencrypted, computerized personal information. Currently, eight states (Arkansas, Hawaii, Indiana, Massachusetts, North Carolina, South Carolina, and Virginia) require notice even when the security breach involves paper records. A majority of states require notification only if the security breach creates a material risk of harm, such as identity fraud, to affected individuals.

On July 1, 2003, California became the first state to enact a security breach notification law. The California law has served as a model for many other states. The California law’s principal provisions are discussed below.

California Civil Code 1798.82 (Senate Bill 1386)

Organizations that do business in California and own or license unencrypted, computerized personal information must notify those California residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

  • California amended its security breach notification law, effective January 1, 2008, to include health information as well as health insurance information, in the law’s definition of “personal information.” Previously, the definition of “personal information” had been limited to first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code.
  • Notice must be provided in the most expedient time possible and without unreasonable delay. Notice may be delayed in response to a request from law enforcement authorities.
  • Notice may be provided in writing or by email if certain conditions are met. If the cost of providing notice would exceed $250,000, more than 500,000 individuals need to be notified, or the organization has insufficient contact information for affected individuals, notice may be provided through publication in major statewide media.
  • A separate law, effective January 1, 2009, requires a healthcare provider who has experienced a data breach to notify affected individuals and the California Department of Public Health within five (5) days after detection of the breach.

Protection of Social Security Numbers

As of October 2010, more than 30 states have enacted legislation restricting certain uses and disclosures of Social Security numbers (SSNs). These laws generally prohibit (a) the public display of SSNs, (b) printing SSNs on any card, such as an insurance ID card, that an individual must show to obtain products or services, (c) requiring an individual to transmit his/her SSN over the internet unless the connection is encrypted, (d) requiring an individual to use his/her SSN to access a website unless a password or other authentication device is required to access the website, and (e) mailing documents that contain an individual’s SSN to the individual unless the document by law is required to include the SSN, such as a Form W-2.

Proper Disposal of Personal Information

As of October 2010, more than 25 states have enacted laws that require disposal of personal information in a secure manner (for example, by shredding paper documents or “cyberscrubbing” electronic storage media). The definition of “personal information” in these laws varies but generally includes first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number with any required security code. Some states also include health information and other types of sensitive information in the law’s definition of personal information.

Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (the “Massachusetts Standards”)

Massachusetts’ Department of Consumer Affairs and Business Regulation has issued information security regulations, codified at 201 CMR 17.00, that are currently considered among the most stringent in the United States. These regulations are described below.

  • The Massachusetts Standards require any private or public entity which maintains the personal information of Massachusetts residents to prepare and implement a comprehensive written information security program aimed at safeguarding that information. The Massachusetts Standards define “personal information” to mean first name or initial and last name in combination with a Social Security number, driver’s license number, credit or debit card number, or financial account number of a Massachusetts resident, whether in paper or electronic form.
  • The information security program must address all of the requirements in the Massachusetts Standards. These requirements include, for example, secure storage of paper documents containing personal information, encryption of personal information when in transmission and when stored on portable electronic devices, access controls to information systems containing personal information, monitoring systems for unauthorized access to personal information, and employee training.
  • These regulations took effect on March 1, 2010.