Navigating the labyrinth of data-privacy laws

A day doesn’t go by without headlines in newspapers and alerts on the Internet proclaiming another outrageous data breach. We receive e-mail notifications from retailers telling us that our data has been exposed and that we need to take certain measures to protect ourselves from identity theft. Privacy laws in the United States are changing rapidly. The federal government and state legislatures have placed the privacy of consumers’ personal data high on their radar screens.
Last year, more than 35 bills were introduced into the U.S. House and thirty-three separate and unrelated bills were introduced in the Senate related to data privacy. The bottom line is that the protection of personal data and the enhanced regulation of privacy and security standards of businesses, including educational institutions, should be a high priority.
Why the concern? Take a look at the Privacy Rights Clearinghouse website www.privacyrights.org. It is scary.
It contains a daily tally of the number of records that have been breached. Educational institutions have had their fair share of breaches. Some of the breaches listed on the website include a breach on Jan. 12 at Arizona State University where an encrypted file containing user names and passwords of 300,000 individuals was downloaded by an unauthorized person. It caused the university’s online services to shut down and all users were required to enter new passwords.
On Nov. 29, 2011 the dining-services registers at the University of California were compromised by a cyber hacker who stole and fraudulently used 5,000 students’ credit and debit cards, including access to their PINs.
What are the obligations of the institution to notify when a breach has occurred? It depends on the type of data involved. Thirty-six states have enacted different breach-notification laws that generally require notification to an individual if there is a reasonable belief that the breached information can be used for the perpetration of identity theft or another harm against the individual. Following a breach, there may be a requirement or a business decision to comply with multiple state breach-notification laws. Which state laws apply and which state authorities need to be notified of the breach depends on the circumstances of each individual case.
In March 2011, the Massachusetts Data Security Regulations were enacted, which require that “any person, corporation, association, partnership, or other legal entity … that receives, stores, maintains, processes or otherwise has access to personal information (PI) about a Massachusetts resident … ”, whether on paper or electronically, create effective administrative, technical and physical safeguards for the protection of the PI.
To comply, companies must set forth a written procedure for evaluating the data they collect, store, use and transmit, perform a risk assessment of the internal and external threats to such data, and protect against anticipated threats or hazards to the security or integrity of the data. The regulations further require that as of March 1, companies (including educational institutions) must ensure that any vendors or third parties that have access to the company’s PI also certify to the company that they have a Written Information Security Program (WISP) in place.
The Family Educational Rights and Privacy Act (FERPA) contains privacy and security measures that must be implemented and maintained by educational institutions. FERPA sets forth the requirements for the protection of the privacy of parents and students, including education records and personally identifiable information. FERPA outlines the consent that must be obtained before personally identifiable information from education records is disclosed. Enforcement actions for noncompliance with FERPA include withholding payment, a cease-and-desist order or the termination of eligibility to receive funding.
And then there’s your website. The Federal Trade Commission has publicly emphasized that company websites, and the corresponding privacy practices regarding the collection of consumer data on those websites, are of high interest to it.
The FTC issues an annual report on its website outlining its enforcement actions from the previous year.
It is nearly impossible for an educational institution to stay current with data privacy and protection compliance. There are some basic rules of thumb that should be followed by educational institutions (and all other businesses). They include the following:
• Develop and implement a privacy and security plan, including mapping all of the data collected, maintained, stored, transferred or used by the institution. This would include employee data, student data, health data (as applicable) and data collected on the website.
• Implement the privacy and security plan.
• Develop privacy and security policies and procedures.
• Develop and implement social media policies.
• Review and update your website Notice of Privacy Practices.
• Conduct frequent (at least annual) employee training on privacy and security.
Implementing these measures will reduce the risk of a breach of employee, student or customer data. In addition, they will aid you in complying with the various state and federal laws applicable to data privacy.


Linn F. Freedman is a Nixon Peabody LLP partner and the leader of the firm’s Privacy & Data Protection Group.