Privacy & Information Security Client Advisory

July 2005

Global Privacy – Japan Sets its Rules for Personal Data
by:  Joseph J. Dehner

Global companies must comply with differing privacy rules.  The great divide between the EU and the USA is well-known.  See Global Privacy Protection - No One Set of Rules.  The EU is an “opt-in” system, generally insisting on express agreement by individuals before a company can share or use their personal data.  By contrast, the USA is largely an “opt-out” regime, using a mix of sector-specific rules plus publicly posted privacy notices.  In some areas in the US, express opt-in is required (e.g., medical records); in others a privacy notice describing the company's practices is sufficient; and in yet other areas the rules are unclear or flexible.  Canada follows a third approach.  See Canada and Privacy.

Fair Credit Reporting Act
by:  Andrew R. Kaake

Enacted in 1970, the Fair Credit Reporting Act (“FCRA”) was designed to ensure fairness and accuracy in the creation and use of consumer reports for lending, insurance, and employment purposes.  The FCRA attempts to achieve that fairness and accuracy by providing consumers with notice of and access to the information that credit bureaus and other consumer reporting agencies compile and provide to third parties for use in making decisions about providing credit and other services.

Action Guide for Data Security Breaches
by:  Jane Hils Shea

In recent months, frequent reports of data security breaches involving personal information of individuals in the United States have made headlines.  Beginning with news reports in February 2005 of a massive data loss at ChoicePoint, one of the largest US data brokers, reports of similar data security breaches continued through the spring months involving Bank of America, Household Bank, DSW Shoe Warehouse, and LexisNexis.  Most recently, MasterCard and VISA reported a data security breach at a third-party card processor that exposed millions of cardholder accounts.  While it is tempting to deduce from these reports that the security measures being used to protect Americans’ personal information are deficient, the recent news reports and the massive publicity surrounding such breaches can in fact be attributed to a California law that was passed in 2002 and became effective July 1, 2003.  This law requires companies that do business in California to notify affected California residents when unencrypted personal information maintained in computerized data files has been, or is reasonably believed to have been, acquired by an unauthorized person.  Before this law, a breach typically went unreported unless the company chose to disclose it, so the earlier silence reflects a lack of disclosure rather than a lack of incidents.  According to Beth Givens, Director of the Privacy Rights Clearinghouse: "In the past, companies usually did not notify their customers when their electronic data had been compromised, subsequently leaving them at risk for identity theft or financial fraud. Now individuals can take the appropriate proactive steps to safeguard their financial health when they learn that their information may have been accessed by hackers or unauthorized employees."

The HIPAA Security Rules Are Here
by:  David J. McPherson

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Standards for the protection of electronic protected health information became effective on April 20, 2005 for health care providers, health care clearinghouses, and health plans with annual receipts of more than $5 million ("Covered Entities").  The Security Rules become effective for small health plans, those with annual receipts of $5 million or less, on April 20, 2006.  The Rules are published in the Code of Federal Regulations beginning at 45 CFR 164.302 (Subpart C of Part 164), and require covered entities to implement administrative, physical, and technical safeguards for the electronic protected health information they create, receive, maintain, or transmit.
