Privacy Law

Outsourcing is significantly affected by changes in rules governing data protection and the privacy of various types of information. While we have offered several resources here, close review of privacy policy and compliance issues should be performed by an experienced lawyer with multi-national focus.

Privacy Laws affecting Outsourcing:
2005 Legislative Agenda and Regulatory Guidance
as of March 25, 2005

Pending Policy Choices.
In February and March 2005, some major data aggregators/resellers, including ChoicePoint Inc. and LexisNexis, allegedly suffered massive fraudulent intrusions into databases that contained personally identifiable information, including the Social Security numbers of thousands of people. In mid-March 2005, congressional hearings on identity theft focused attention on various possible solutions, including:

  • requiring data brokers and other information custodians to notify individuals at risk following a data theft;
  • regulation of data brokers (and other records custodians) by the Federal Trade Commission;
  • criminalization of unauthorized data gathering, called “phishing,” and abuses of the data gathered;
  • mandatory obtaining of the consent of individuals before installation of adware or spyware;
  • mandatory accreditation and qualification of persons seeking to obtain access to personally identifiable information;
  • mandatory truncation and masking procedures to prevent unauthorized use of Social Security Numbers and Driver’s License Numbers;
  • unauthorized offering of goods or services via the Internet based on the use of unauthorized means of collecting personally identifiable information, such as “phishing” scams, unauthorized adware or clandestine spyware.

Affected Outsourcers.
From the standpoint of outsourcing, service providers should be sensitive to these emerging issues.

  • marketers who support the abusive marketing of confidential information;
  • data aggregators and resellers;
  • recipients of personally identifiable information (that is, virtually all IT-enabled outsourcing service providers).

This page highlights some important pending legislation on privacy. Since privacy laws can have the effect of preventing outsourcing, we are offering this selection of information to assist in planning. Some of these bills are addressed to specific types of outsourcers, such as call centers, information brokers and internet service providers. Others apply to virtually any person who collects, processes or transmits data.

Financial Services and Affected Outsourcers.
As of March 23, 2005, Federal bank regulators have adopted a new rule for notification of customers whose data have been exposed and are at risk. See Federal Bank Regulatory Guidance on Notifications to Customers and Regulators following Breach of Security.

Consumer Information.
For information available to consumers, see the Federal Trade Commission’s web page, http://www.consumer.gov/idtheft/index.phpl

Existing Privacy Laws Affecting Outsourcing.
Existing laws governing privacy are not listed below. For further information, see Privacy Laws – General, which has additional links.

Evolution and Application.

For the interpretation and application of any new legislation, the evolution of this legislation, and the lobbying involved in pushing for or against it, please contact wbierce@outsourcing-law.com or call us at 212 840 0080.

_______________________________________________________________________

Privacy Act of 2005
S 116 (Sen. Feinstein), would prohibit the display, sale, or purchase of social security numbers and other personally identifiable information, subject to a safe harbor, without the individual’s consent. Read more.

Information Protection and Security Act
H.R. 1080 and S. 500, would require the Federal Trade Commission to regulate all “information brokers.” The definition of “information broker” is so broad that virtually any business that maintains or processes personally identifiable data will be subject to the regulations. Read more.

Identity Theft Prevention Act of 2005
H.R. 220, would prohibit the Federal government from mandating the use of a Social Security Number or any other identifying number, except for anti-terrorist or law enforcement purposes. It would create a new property right for individuals: “the social security account number issued under this subsection to any individual shall be the exclusive property of such individual.” It would amend Section 205(c)(2)(C)(ii)(I) of the Social Security Act (42 U.S.C. 405(c)(2)(C)(ii)(I)). Read more.

Online Privacy Protection Act of 2005
HR 84, would make it unlawful for an operator of a Web site or online service to collect, use or disclose personal information in a manner that violates the regulations, subject to disclosures in good faith pursuant to safe harbor regulations to be issued by the Federal Trade Commission. Read more.

Consumer Privacy Protection Act of 2005
HR 1263, Rep. Stearns, would establish certain rules on privacy notices to consumers, including privacy policy statements. Consumers would have the opportunity to limit sale or disclosure of information and to limit other information practices. Data custodians would have certain statutory information security obligations. For compliance, there would be self-regulatory programs and other enforcement, but no private right of action. Read more.

Anti-phishing Act of 2005
S 472, would establish a federal crime of “internet fraud” for using someone else’s website address, website or domain name to induce, request, ask, or solicit any person to transmit, submit, or provide any means of identification to another person. Read more.

Social Security Number Protection Act of 2005
HR 1078, would establish new Federal Trade Commission regulations for information brokers. Individuals would have the right to obtain disclosure of all personally identifiable information pertaining to the individual held by an information broker, and to be informed of the identity of each entity that procured any personally identifiable information from the broker. Read more.

Wireless 411 Privacy Act
HR 1139, would affect customer relationship management (“CRM”) and call centers by requiring wireless telecommunications carriers to make available a “do not contact my wireless device” (hand-held telephone) rule. Read more.