European firms who conduct business over the Internet, or who regularly deal in consumer data are accustomed to knowing and complying with EU data directives and privacy regulations. Doing business in the United States, however, requires understanding and complying with an array of federal law, overlapping state laws, and federal regulatory rules emanating from executive agencies. Against that backdrop, here are the seven best practices for dealing with U.S. policy that are crucial for any online business to master.
2. Data Breach Notification Laws
Many businesses may feel an instinctive pull to keep data breaches under wraps for fear of incurring negative publicity or consumer lawsuits. Such impulses, however, can lead firms to run afoul of America’s various data breach notification laws. Multiple American state governments have enacted laws governing the steps which must be taken in the wake of cyberattacks or leaks that result in unauthorized disclosures of consumer data.
Whether the data leaks occur via hacking, rogue employees, or misplaced laptops or USB drives, these data breach laws impose various requirements on how and when to alert customers that information about them has been improperly accessed. Typically, these laws focus on alerting consumers expeditiously and in a manner that is reasonably likely to reach them (such as via email or telephone). Different states have different requirements for immediacy and method of notification and understanding these differences can be critical when your breach involves a national or international customer base. Importantly, these laws typically apply to breaches of unencrypted data. Encrypted data, even when breached, is considered unusable without a corresponding encryption key, and often will not trigger breach notification laws (unless the key is also hacked). Thus, these laws provide a strong incentive for firms to encrypt customer data and companies would be well-advised to analyze what data within their organization should be encrypted.
3. SEC Cybersecurity Disclosures
In 2011 the Securities and Exchange Commission issued a guidance instructing U.S. companies regulated by the SEC to include information about cybersecurity risks and the costs of responding to cyberattacks in their financial disclosure materials, among other publications. The guidance cautions that disclosures are already required where cybersecurity attacks and liabilities would impact the investment decisions of a reasonable investor but also signals a new awareness on the part of federal regulators about the need for companies to take cybersecurity more seriously than they have been.
Moreover, if your company has been victimized by a cyberattack and is now planning to invest in defensive or preventative security measures, disclosing the prior attack may be necessary to paint a full picture for investors. Disclosures should also be considered for companies facing significant legal costs resulting from cyberattacks and data breaches. Furthermore, if your company’s business model is heavily dependent on the maintenance or sale of data and electronic assets, you may have an obligation to disclose the risks that cyberattacks could have on your viability.
4. Understanding Affiliate Privacy Policies
For instance, your policy may disclose that while you share data with affiliates for payment processing, you do not sell customer data to advertisers. If your payment processor, however, turns around and sells your customers’ data, your policy could be considered by regulators to be inadequate. Having a full understanding of how your partners will use the data you share with them is therefore critical to effectively communicate your own policy with your customers.
5. Healthcare Privacy
Under U.S. law, personal information related to healthcare receives heightened privacy protections. The Health Insurance Portability and Accountability Act covers not only doctors, nurses, and hospitals, but also any companies that process healthcare related data for them. HIPAA covers a wide variety of medical information such as patient medical records and insurance and billing data. Businesses involved in processing this data must have data security safeguards in place, limit access to the health data, and train employees on the safeguarding of medical patient privacy. What’s more, certain types of data transfers, such as those done for scientific studies or marketing, can require obtaining consent from individual patients.
6. Identity Theft "Red Flags"
In 2007, the Federal Trade Commission implemented the so-called “Red Flags” Rule to spur companies to develop internal strategies for anticipating and preventing instances of identity theft. Identity thieves seek to obtain critical pieces of identifying information about consumers and use that information for purposes of impersonation and financial fraud.
The Red Flags rule is inward-looking, focusing on internal training and readiness rather than educating consumers about the perils of identity theft. Companies are required to have written plans for identifying and responding to instances of identity theft as well as employee training plans and mechanisms for updating their strategies. The rule applies to financial institutions likes banks but also to other business that maintain customer accounts used for making payments, as well as companies that furnish information for consumer reports that are used in connection with financial transactions.
Potential “red flags” that employees should be trained to be mindful of include sudden spikes in consumer purchasing and customers whose names or appearances do not match those on their identifying documents. As with many of the laws and regulations described in this article, the red flags rule is designed to be flexible, thus, no single method of compliance is mandated. While the FTC does not regularly audit companies to ensure compliance, consumer identity theft victims can file complaints with the commission which frequently lead to investigations.
7. Marketing and Spam
Marketing emails sent to massive lists of recipients, sometimes referred to as “spam,” are regulated in the U.S. by the CAN-SPAM Act of 2003. The act covers all commercial emails whose primary purpose is the marketing of a product or service. The two most critical concerns for businesses seeking compliance with the act are ensuring that emails clearly identify themselves as commercial in nature (i.e., emails should not contain misleading subject headings or “From:” fields) and provide a simple, conspicuous opt-out mechanism for customers who want to unsubscribe from receiving future emails.
It should be noted that the CAN-SPAM Act does not cover transactional emails such as purchase confirmations or shipping status updates. However, when those transactional messages also contain promotional content, analysis of your content should be conducted with an eye towards how your customers will perceive the message.
Complying with U.S data privacy and e-commerce law is critical. Understanding and applying the laws outlined above will go a long way to ensuring smooth relationships with U.S. regulators as well as cultivating a healthy reputation among American consumers. For more answers and advice on navigating the U.S. Internet law, the e-commerce marketplace and responding to cyberattacks and threats, please contact DeVore & DeMarco, LLP, experts in information privacy and data security law.
1 Mr. DeMarco is a Chamber Member and a Partner in the New York City law firm of DeVore & DeMarco LLP. Mr. Kovnot is a Privacy and Technology analyst at DeVore & DeMarco LLP.
2 Please note that this article is for general informational purposes only and should not be construed as legal advice. If you would like more information about the matters discussed here please contact DeVore & DeMarco LLP.