The United States stands nearly alone in the world in that it does not have a unified, overarching privacy law. Instead, privacy law in the United States is a mesh of interlocking, often overlapping, and sometimes contradictory federal and state laws.
Despite the lack of a single source of privacy law, privacy is still highly protected in the U.S. As a result, businesses must ensure their policies and practices are fully compliant to minimize the risk of a data breach and the often-accompanying monetary and reputational harm in the event of a breach.
At the federal level, the Federal Trade Commission (FTC) is broadly empowered to police “unfair or deceptive acts or practices in or affecting commerce.” Under the FTC Act, “unfair or deceptive acts or practices” has been interpreted to include protecting consumer privacy. That authority has been upheld by courts, and has been encouraged by Congress and the president. Because the FTC is empowered to police acts or practices “in or affecting commerce,” its oversight extends broadly, with few exceptions.
Beyond the FTC Act, federal laws typically cover specific categories of information (financial or health information) or particular activities (debt collection, telemarketing or commercial email). Some examples include the following.
• The Financial Services Modernization Act (Gramm-Leach-Bliley Act) – Protects financial information and is broadly applied to financial institutions.
• The Health Insurance Portability and Accountability Act (HIPAA) – Protects medical information and is applied to any entities that contact medical information.
• The Fair Credit Reporting Act (FCRA) – Applies to consumer credit information and agencies which deal with that information.
In Maryland, the Personal Information Protection Act (PIPA) provides the broadest protections to an individual’s personal information. If your business collects an individual’s first and last name in conjunction with his or her Social Security number, driver’s license number, taxpayer identification number or any financial account number (such as a bank account or credit card number), PIPA most likely applies to your collection, use and protection of that data. And most importantly, PIPA defines what you must do if any of that information is disclosed through a security breach.
If your business collects personal information, or contracts with a company that does, it is imperative that you assess your privacy and security policies and practices. A data security breach could carry with it large monetary fines and require you to notify affected customers of any such breach. You may wish to contact an attorney to talk through your policies and practices and to receive practical advice on how to minimize your risk moving forward.
Greg Ewing is a litigation attorney at Davis, Agnor, Rapaport & Skalny LLC. He may be contacted at 410-995-5800 or [email protected].