Outsourcing Law & Business Journal – April 2011
April 29, 2011 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL™ : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com.
Insights by Bierce & Kenerson, P.C. Editor. www.biercekenerson.com.
Vol. 11, No. 3, April 2011
_________________________________
Editor’s Note: Bierce & Kenerson, P.C. is following the legislation for the Consumer Privacy “Bill of Rights” Act of 2011 (featured in this newsletter issue) and may announce a webinar on this matter as it moves forward in the legislative process. If you would like to hear more on this subject, click here to send us a quick e-mail.
_________________________________
1. U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011.
2. Humor.
3. Conferences.
_________________________________
1. U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011. On April 12, 2011, Senators John Kerry (D., Mass.) and John McCain (R., Ariz.) sponsored a Consumer Privacy “Bill of Rights” Act of 2011 to protect personally identifiable information (“PII”) and sensitive PII of U.S. consumers. If enacted, the bill would delegate regulatory authority to the Federal Trade Commission to regulate all transactions (wherever processed) concerning U.S. consumers’ PII and sensitive PII where the data processor collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period. For more, click here.
2. Humor.
3. Conferences.
May 23-25, 2011, SSON’s 11th Annual Shared Services for Finance & Accounting, Dallas, Texas. This event brings together industry leaders to provide the fundamentals of efficiency, quality and service and show innovative ways to grow your shared service center:
- Drive efficiency: Build a value proposition outside of just productivity to further improve quality and decrease costs.
- Current trends: Debate in-house vs. outsourcing strategies and make sure you choose the right model and technologies for your business
- Process ownership: Continually improve your shared service center to enable growth
- Accelerate improvement: Re-engineer processes to move beyond labor arbitrage
Create a clear strategy for your business with case studies presented by ING, Goodyear Tire & Rubber Company, PepsiCo, Walmart, Wendy’s/Arby’s Group, Kraft and many more! To register, visit www.SharedServicesFA.com, call 1-800-882-8684 or email iqpc@iqpc.com. Mention code SSFAOL20 for an exclusive 20% discount available to outsourcing-law.com subscribers.
May 23-25, 2011, SSON presents its 9th Annual HR Shared Services and Outsourcing Summit, Chicago, Illinois, which focuses on Trends in HR Transformation and HR Shared Services for the Next Decade. This conference will look back at what’s worked and provide you with a look forward to new trends in operations, models, globalization, virtualization, enabling technologies, staffing and much, much more. Whether you are in the beginning, middle or mature stages of your HR transformation – or creation of HR Shared Services – the trends of this next decade will have an enormous impact on your success. For more information, please visit their website.
June 27 – 28, 2011, IQPC presents eDiscovery Strategies for Government, Washington, D.C. IQPC’s eDiscovery Strategies for Government will offer key insights to stay on top of emerging challenges and how to craft thorough, cost-effective and defensible eDiscovery. Additionally, our expert faculty will provide key benefits for government organizations. Join IQPC’s eDiscovery Strategies for Government Summit to network and learn from your peers on how to proactively establish a protocol for preserving and gathering electronically stored information. Join members of the U.S. Dept. of Justice, U.S. Commodity Futures Trading Commission, Department of Justice, Antitrust Division, Federal Trade Commission, Securities and Exchange Commission, United States Department of Agriculture and more. Visit their website for more information.
September 20-22, 2011, SSON presents Finance Transformation 2011, Dallas, Texas. This conference is targeted to owners, controllers, procurement leads, sourcing strategists, shared services and global finance leads who want a complete view of transformation, incorporating holistic vision and operating strategy, end-to-end process optimizations, technology enablement, business performance management and sourcing strategy, whether that strategy is shared services, outsourcing or a combination of the two. Click here to get more information.
**********************************************
FEEDBACK: This newsletter addresses legal issues in sourcing IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at wbierce@biercekenerson.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: wbierce@biercekenerson.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2010, Outsourcing Law Global, LLC. All rights reserved. Editor-in-Chief: William Bierce of Bierce & Kenerson, P.C., located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080
U.S. Data Protection: The Draft Commercial Privacy “Bill of Rights” Act of 2011
April 29, 2011 by Bierce & Kenerson, P.C.
On April 12, 2011, Senators John Kerry (D., Mass.) and John McCain (R., Ariz.) sponsored a Consumer Privacy “Bill of Rights” Act of 2011 to protect personally identifiable information (“PII”) and sensitive PII of U.S. consumers. If enacted, the bill would delegate regulatory authority to the Federal Trade Commission to regulate all transactions (wherever processed) concerning U.S. consumers’ PII and sensitive PII where the data processor collects, uses, transfers or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period.
Of the dozens of draft privacy statutes introduced into Congress in the last few years, this Consumer Privacy “Bill of Rights” Act of 2011 is the one most likely to be enacted. It offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers). The penalties are very stringent.
Enterprise customers and outsourcing service providers should prepare for the enactment of this draft legislation as a law. It’s not too soon to begin developing compliance programs and practices. The following provides a summary of what is to come.
FEDERAL TRADE COMMISSION ROLE
FTC Regulatory Authority. This bill would appoint the FTC as a U.S. data protection authority (similar to the DPAs appointed in Europe under the Data Protection Directive). The FTC would have exclusive authority to establish and enforce rules on “unfair or deceptive acts or practices” relating to privacy protections for PII and sensitive PII. However, in promulgating such rules, the FTC would not be allowed to require the deployment or use of any specific products or technologies, including any specific computer software or hardware.
OVERALL SCOPE
Key Legal Definitions. The draft legislation contains complex definitions of PII and sensitive PII, as well as “covered information” that the FTC would have authority to regulate for privacy purposes. In summary, “covered entities” accessing “covered information” would be required to grant certain rights and adopt protections for the “PII” and “sensitive PII” of individuals.
PII. The term “personally identifiable information” would mean “only the following:
(A) Any of the following information about an individual:
(i) The first name (or initial) and last name of an individual, whether given at birth or time of adoption, or resulting from a lawful change of name.
(ii) The postal address of a physical place of residence of such individual.
(iii) An e-mail address.
(iv) A telephone number or mobile device number.
(v) A social security number or other government issued identification number issued to such individual.
(vi) The account number of a credit card issued to such individual.
(vii) Unique identifier information that alone can be used to identify a specific individual.
(viii) Biometric data about such individual, including fingerprints and retina scans.
(B) If used, transferred, or stored in connection with 1 or more of the items of information described in subparagraph (A), any of the following:
(i) A date of birth.
(ii) The number of a certificate of birth or adoption.
(iii) A place of birth.
(iv) Unique identifier information that alone cannot be used to identify a specific individual.
(v) Precise geographic location, at the same degree of specificity as a global positioning system or equivalent system, and not including any general geographic information that may be derived from an Internet Protocol address.
(vi) Information about an individual’s quantity, technical configuration, type, destination, location, and amount of uses of voice services, regardless of technology used.
(vii) Any other information concerning an individual that may reasonably be used by the party using, collecting, or storing that information to identify that individual.”
Sensitive PII. The term “sensitive PII” would mean:
“(A) personally identifiable information which, if lost, compromised, or disclosed without authorization either alone or with other information, carries a significant risk of economic or physical harm; or
(B) information related to–
(i) a particular medical condition or a health record; or
(ii) the religious affiliation of an individual.”
Authorized and Unauthorized Uses of PII or Sensitive PII. An “unauthorized use” of PII or sensitive PII would be defined as “the use of covered information by a covered entity or its service provider for any purpose not authorized by the individual to whom such information relates.” Several exceptions would apply to permit “normal” commercial, regulatory or implied consent situations, namely, the use of “covered information” relating to an individual by a “covered entity” (or its service provider) as follows:
(i) To process and enforce a transaction or deliver a service requested by that individual.
(ii) To operate the covered entity that is providing a transaction or delivering a service requested by that individual, such as inventory management, financial reporting and accounting, planning, and product or service improvement or forecasting.
(iii) To prevent or detect fraud or to provide for a physically or virtually secure environment.
(iv) To investigate a possible crime.
(v) That is required by a provision of law or legal process.
(vi) To market or advertise to an individual from a covered entity within the context of a covered entity’s own Internet website, services, or products if the covered information used for such marketing or advertising was–
(I) collected directly by the covered entity; or
(II) shared with the covered entity (aa) at the affirmative request of the individual; or (bb) by an entity with which the individual has an established business relationship.
(vii) Use that is necessary for the improvement of transaction or service delivery through research, testing, analysis, and development.
(viii) Use that is necessary for internal operations, including the following:
(I) Collecting customer satisfaction surveys and conducting customer research to improve customer service information.
(II) Information collected by an Internet website about the visits to such website and the click-through rates at such website (aa) to improve website navigation and performance; or (bb) to understand and improve the interaction of an individual with the advertising of a covered entity.
The permitted uses would apply only where the covered entity has an “established business relationship” with the individual, subject to a “reasonable expectation” test. Uses of PII would be permitted only where the use is one that the individual could reasonably have expected, at the time the relationship was established, to be related to a service provided pursuant to that relationship. If there is a material undisclosed change, then the permission would be deemed revoked.
Covered Entities. All “covered entities” would be subject to the new law. These are defined as any entity that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period” and fits within the subject-matter jurisdictional frameworks. Thus, for jurisdictional purposes, a covered entity is any entity conducting interstate or international commerce of the United States under the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), a telecom “common carrier” and any non-profit organization. “Covered entities” would include service providers who receive PII on behalf of their enterprise customers. “Third parties” receiving information do not include any “service provider used by the covered entity to receive personally identifiable information or sensitive personally identifiable information in performing services or functions on behalf of and under the instruction of the covered entity.”
NEW REGIME FOR LEGAL PROTECTION OF PII AND SENSITIVE PII
The draft legislation would create certain “rights” of individuals. However, the individuals would not be able to enforce such rights by litigation. Individuals would only be represented by the FTC in an enforcement proceeding, leaving the FTC with exclusive authority to pursue civil and criminal remedies.
The Right of Data Security. The FTC would have to adopt a rulemaking to require each covered entity to carry out security measures to protect the covered information it collects and maintains. Three criteria would apply:
- Proportionality: The data security requirements would need security measures that are “proportional to the size, type, and nature of the covered information a covered entity collects.” This creates confusion and could result in test litigation.
- Consistency: The data security requirements would need to be consistent with guidance provided by the Commission and recognized industry practices for safety and security on the day before the date of the enactment of the proposed law.
- Technological Means: The FTC would not be able to require a specific technological means of meeting a requirement.
Duty of Accountability by each Covered Entity.
- Variable Rules according to Size, Type and Nature of Covered Information. The draft law would require each covered entity to undertake a data protection program that is not absolutely the same as each other covered entity. The FTC regulations under the law would define differences in “accountability” requirements “in a manner proportional to the size, type, and nature of the covered information” that each covered entity collects.
- Duty of Responsiveness. Each covered entity would be required to have “managerial accountability, proportional to the size and structure of the covered entity, for the adoption and implementation of policies consistent with” the draft law. Covered entities would need to have a process to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of covered information relating to such individuals. Finally, covered entities would need to “describe the means of compliance of the covered entity” with the draft law upon request from the FTC or an appropriate safe harbor program established under draft law.
Duty to Implement a Comprehensive Information Privacy Policy. Similar to its duty of “accountability,” each covered entity would be required, “in a manner proportional to the size, type, and nature of the covered information that it collects,” to implement a comprehensive information privacy program. There would be two minimum requirements for a legally sufficient privacy policy. First, this would require “incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered information of individuals” based on (A) the reasonable expectations of such individuals regarding privacy; and (B) the relevant threats that need to be guarded against in meeting those expectations. Second, the covered entity would need to maintain “appropriate management processes and practices throughout the data life cycle that are designed to ensure that information systems comply” with the draft law, the privacy policies of the covered entity, and “the privacy preferences of individuals that are consistent with the consent choices and related mechanisms of individual participation” under statutorily mandated notification requirements.
Privacy Notices: Duty of “Transparent” Disclosure of Privacy Policy and Practices. While the FTC currently holds businesses accountable for complying with their self-described privacy policies, the draft law would require all notices of privacy policies to be “clear, concise and timely.” Privacy notices would need to notify individuals of “the practices of the covered entity regarding the collection, use, transfer, and storage of covered information; and the specific purposes of those practices.” Material changes to such practices could not be implemented without “clear, concise, and timely notice to individuals before implementation.” All such notices would need to be “readily accessible” to individuals. The FTC would be authorized to draft guidance for covered entities to use in designing their own notice and may include a draft model template for covered entities to use in designing their own notice. Such guidance could include “guidance” on how to construct computer-readable notices or how to use other technology to deliver the required notice.
Opt-Out Procedures. The new law would force covered entities to offer individuals a “clear and conspicuous mechanism” for opt-out consent for any use of their covered information that would otherwise be unauthorized use, except with respect to any use requiring opt-in consent.
Opt-In Procedures. “Opt-In” procedures would be required for the collection, use, or transfer of sensitive personally identifiable information other than (i) to process or enforce a transaction or deliver a service requested by that individual; (ii) for fraud prevention and detection; or (iii) to provide for a secure physical or virtual environment. “Opt-In” consents would also be required for the use of previously collected covered information or transfer to a third party for an unauthorized use of previously collected covered information, if (i) there is a material change in the covered entity’s stated practices that requires notice of change; and (ii) such use or transfer creates a risk of economic or physical harm to an individual.
Accessibility for Correction of Information by Data Subject. Similar to the EU Data Protection Directive, the draft law would require covered entities to provide any individual to whom the personally identifiable information that is covered information pertains, and which the covered entity or its service provider stores, appropriate and reasonable (A) access to such information; and (B) mechanisms to correct such information to improve the accuracy of such information.
Exit Process: Depersonalization or Termination of Service Provider’s Access. New access controls would be applied where (i) a covered entity enters bankruptcy or (ii) an individual requests the termination of a service provided by the covered entity to the individual (or termination of some other relationship with the covered entity). In such case, the individual would have to be provided with some “easy” means to request that–
(A) all of the personally identifiable information that is covered information that the covered entity maintains relating to the individual, except for information the individual authorized the sharing of or which the individual shared with the covered entity in a forum that is widely and publicly available, be rendered not personally identifiable; or
(B) if rendering such information not personally identifiable is not possible, to cease the unauthorized use or transfer to a third party for an unauthorized use of such information or to cease use of such information for marketing, unless such unauthorized use or transfer is otherwise required by a provision of law.
Data Controller’s Duty regarding Data Processor’s Operations. The new law would adopt a similar distinction to the rules under the EU Data Protection Directive governing “data controllers” and “data processors.” The wording would be different, but the core concept would be the same. The FTC would be required to issue a rule to provide that with respect to transfers of covered information to a “third party” for which an individual provides opt-in consent, the third party to which the information is transferred may not use such information for any unauthorized use other than a use specified in the covered entity’s stated privacy policy and “authorized by the individual when the individual granted consent for the transfer of the information to the third party.”
- Data Processors: Outsourcing to Service Providers. The draft law would enable covered entities to hire service providers.
- Automatic Authorization to Disclose PII to Outsourcing Service Providers. “The use of a service provider by a covered entity to receive covered information in performing services or functions on behalf of and under the instruction of the covered entity does not constitute an unauthorized use of such information by the covered entity if the covered entity and the service provider execute a contract that requires the service provider to collect, use, and store the information on behalf of the covered entity in a manner consistent with the requirements” of the draft law and the policies and practices related to such information of the covered entity.
- Transfers Between Service Providers For A Covered Entity. The disclosure by a service provider of covered information pursuant to a contract with a covered entity to another service provider in order to perform the same service or functions for that covered entity would not constitute an unauthorized use.
- Liability Remains With Covered Entity. A covered entity would remain “responsible and liable for the protection of covered information that has been transferred to a service provider for processing, notwithstanding any agreement to the contrary between a covered entity and the service provider.”
Duty of “Data Retention Minimization.” The new law would restrict indiscriminate collection of PII beyond what is needed for providing services to the individual. As a result, “covered entities” would be allowed to collect only as much covered information relating to an individual as is reasonably necessary for a permitted purpose. Generally, such purposes would be limited to contract performance, service delivery, security, fraud detection, criminal investigation or other law enforcement, marketing, product development, website administration and customer satisfaction.
Limited Retention Period. Covered entities would have to limit the holding period for the PII. They could retain covered information for only such duration as, with respect to the provision of a transaction or delivery of a service to an individual, is necessary to provide such transaction or deliver such service to such individual; or if such service is ongoing, is reasonable for the ongoing nature of the service. For R&D projects, the duration would be limited to what is necessary for such research and development. Cryptically, retention of PII would also be allowed as “is required by a provision of law.” This cryptic reminder of the other retention periods “required” by law will undoubtedly raise questions as to what is permitted by law, such as statutes of limitation for litigation (which are not requirements for retention, but only a prudent business practice).
MANAGEMENT OF DATA PROCESSORS (OUTSOURCING SERVICE PROVIDERS) AS “THIRD PARTIES” OR “SERVICE PROVIDERS”
Constraints on Distribution of Information. The “covered entity” would be responsible for how the “covered information” is used by third parties to whom it transfers such information. Third parties would have to use the information only for purposes consistent with draft law and as specified in the applicable data processing or outsourcing contract.
- Duty not to Combine Data. Third parties would not be able to combine information that the covered entity has transferred to it, that relates to an individual, and that is not personally identifiable information with other information in order to identify such individual, unless the covered entity has obtained the opt-in consent of such individual for such combination and identification.
- Due Diligence concerning Outsourced Data Processor. Before executing a contract with a third party, the covered entity would be required to “assure through due diligence that the third party is a legitimate organization.”
- Duty to Report Violations. In the case of a material violation of the contract, at a minimum, the covered entity would have to notify the Commission of such violation.
- Blacklisted Service Providers. Under the draft, a covered entity could not transfer covered information to a third party that the covered entity knows (i) “has intentionally or willfully violated a contract required by the law,” or (ii) “is reasonably likely to violate such contract.”
- Application of Privacy Rules to Third Parties. Except for certain cases under FTC approval, a third party that receives covered information from a covered entity would be subject to the provisions of the draft law as if it were a covered entity. This goes beyond the EU Data Protection Directive and would likely be used to obtain U.S. regulatory jurisdiction over all foreign service providers. Exemptions would apply where the FTC decides that a “class of third parties” cannot reasonably comply with the law or compliance by such class would not sufficiently benefit the individual data subjects.
Data Integrity. Each covered entity would be required to “attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” Exceptions would apply for direct communications with the individual or receipt of information from another entity at the individual’s request.
ENFORCEMENT; PENALTIES; PRIORITY OVER STATE LAWS
Enforcement would be effected by litigation by State attorneys general or by the FTC. No other person could bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating the draft law or a regulation promulgated under it.
Penalties for civil liability would be $16,500 per offense PER DAY, up to $3.0 million, adjusted for inflation.
PREEMPTION
The new law would supersede conflicting state laws. The new law would not be construed to preempt the applicability of (i) State laws that address the collection, use, or disclosure of health information or financial information, (ii) State laws that address notification requirements in the event of a data breach; or (iii) other State laws to the extent that those laws relate to acts of fraud.
The draft law would not supersede the existing federal statutory framework for data privacy and protection applicable to telecommunications, banking, insurance, securities brokerage, fair credit reporting, child on-line pornography and certain other laws.
SAFE-HARBOR (FOR EUROPEAN UNION AND OTHER FOREIGN LAWS)
The draft law establishes a framework for putting the “Safe Harbor” program (now operated by the Department of Commerce) under the FTC’s jurisdiction. The current Safe Harbor program arises out of an executive agreement, which is not a treaty. It does not have the force of law. The draft law would set up a statutory framework for such arrangements.
Foreign service providers that participate in, and demonstrate compliance with, a safe harbor program administered by the FTC would be exempt from enforcement by the FTC if the FTC finds that the requirements of the safe harbor program are substantially the same as or more protective of privacy of individuals than the requirements of the provision from which the exemption is granted.
SUMMARY
Of the dozens of draft privacy statutes introduced into Congress in the last few years, this Consumer Privacy “Bill of Rights” Act of 2011 offers a prudent balance of protections and procedures for data collectors (covered entities) and data processors (service providers). It’s not too soon to begin developing compliance programs and practices. However, the draft law would result in a regulatory framework that will certainly change and evolve, if enacted.