Privacy and Security Laws

The Gramm-Leach-Bliley Act (GLBA)

The Fair Credit Reporting Act (FCRA)

FACTA Disposal Rule

HIPAA Privacy and Security Requirements

The E.U. Data Protection Directive

CA Breach Notification Law

FTC Privacy and Security Enforcement

ID Theft - Law Enforcement Requirements

_______________

Privacy and Compliance Resources

The International Association of Privacy Professionals 

The Federal
Trade Commission

CA Office of Information Security and Privacy Protection

Minnesota Privacy Consultants

JMC Consulting Group

Executive Blueprints

InformationShield

What is Information Privacy?

Information privacy can be defined in two ways, rights and responsibilities.  

Your customers and employees have certain rights as individuals to control how, when and to what extent their information is shared with others, and; 

You have responsibility as a business owner or employee of a company to ensure that your customer's information is protected and that you are compliant with applicable laws that define how you handle and share your customer's personal information.

__________________________________________

FTC - Fair Information Practices

Every company that collects, uses and retains individual customer information must comply with applicable laws and be aware of privacy guidelines such as the Federal Trade Commission's (FTC) Fair Information Practice Principles:

1) Notice and Awareness: Consumers need notice to make an informed choice about whether to provide their information.  This notice should include:

• Who is collecting their data.
• Uses for which their data will be used.
• Who will receive their data.
• The nature of their data and the means by which it is collected (if not obvious).
• The steps taken to preserve the confidentiality, integrity and quality of their data.

2) Choice and Consent: Choice means giving consumers options as to how any personal information collected from them will be used.  Choice may apply to secondary uses of information - uses beyond the original reasons you provided the data.  Choices generally include the option to "opt-in" or "opt-out".

• Opt-in: An individual's data won't be shared unless they specifically approve the sharing of their information (provide consent).
• Opt-out: A business can share an individual's data or unless the individual tells them not to share the information.
• Companies should make the opt-in/opt-out process simple and easily-accessible.

3) Access and Participation: Access refers to an individual's ability to access data (in its entirety) and correct any inaccuracies.

• Access must encompass timely and inexpensive access to data.
• Organizations must provide simple means for contesting inaccurate or incomplete data.
• Organizations must provide means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients. 

4) Integrity and Security: Data must be accurate and secure.  Security involves both managerial and technical measures to protect data against and the unauthorized access, destruction, use, or disclosure of data.

• Businesses must take reasonable steps to ensure the integrity and security of data.
• Internal procedures should limit access to data and ensure that data is not utilized for unauthorized purposes.
• Technical measures should be implemented to prevent unauthorized access, including encryption, use of passwords and proper data storage.

5) Enforcement and Redress:  Privacy principles can be enforced in a number of ways, including:

• Industry self-regulation (e.g., consumer reporting and marketing associations)
• Fines and sanctions by the FTC if a company breaks its promises in its privacy policies (Section 5 of the FTC Act)
• Additional enforcement for specific types of data, e.g., medical, financial, etc., through federal agencies or state attorney generals.
• Individual rights of action (civil court awards).