Federal Legislation about Privacy and Protection of Personal Information
The following are selected United States federal laws and regulations relating to the security of personal information about an individual. This should not be considered a complete list.
Fair Credit Reporting Act (FCRA)
- This law regulates the collection, dissemination, and use of consumer credit information and forms the base of consumer credit rights in the United States. It was originally passed in 1970 and is enforced by the U.S. Federal Trade Commission.
- If you notify a credit bureau of an error in your credit report, the FCRA requires the bureau to investigate your allegations within 30 days, review all information you provide, remove inaccurate and unverified information and adopt procedures to keep the information from reappearing. In addition, the law requires that creditors refrain from reporting incorrect information to credit bureaus.
Fair and Accurate Credit Transactions Act (FACTA)
- This law was passed in 2003 as an amendment to the FCRA.
- The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting agencies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, www.annualcreditreport.com, to provide free access to annual credit reports.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The primary focus of HIPAA was to improve the health insurance accessibility to people changing employers or leaving the workforce. It also addressed issues relating to electronic transmission of health-related data in Title II, Subtitle F of the Act entitled “Administrative Simplification.”
- The HIPAA Security Standards require a covered entity to implement policies and procedures that:
- ensure the confidentiality, integrity, and availability of all electronic protected health information it creates, receives, maintains, or transmits;
- protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- The HIPAA security standards took effect on April 21, 2003. The compliance date for most covered entities was April 20, 2005; small health plans had until April 20, 2006.
Gramm-Leach-Bliley Act (GLBA)
- The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
- The Privacy Rule took effect on November 13, 2000, with compliance required by July 1, 2001. The Safeguards Rule took effect on May 23, 2003.
State Legislation about Security Freezes and Identity Theft
The following are selected resources of state laws and regulations relating to the breach and security of personal information.
Security Breach Notification Legislation and Laws (2002-present)
Over 40 states and territories, including the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted legislation requiring companies and/or state agencies to disclose security breaches involving personal information. If an organization’s data breach affects residents of these states, the organization must notify them of the incident, and the notification must comply with the law of each affected resident’s state.
For summaries of legislation and links to the text of statutes and bills, click on the link below.
http://www.ncsl.org/programs/lis/cip/priv/breach.htm
Identity Theft Legislation (2002-2008)
Source: National Conference of State Legislatures
In the 2007 legislative session, states continued to strengthen laws protecting consumers from identity theft. From increasing penalties to expanding the role of law enforcement in investigating cases, states enacted several bills to help fight identity fraud.
States went further to assist identity theft victims by enacting laws that prohibit discrimination against an identity theft victim, allow deletion of the records related to the underlying theft, and create Identity Theft Passport programs to help victims clear their names and financial records.
http://www.ncsl.org/programs/lis/privacy/idt-legis.htm
Consumer Report Security Freeze Laws (2001-present)
Source: National Conference of State Legislatures
A security freeze (also called a credit freeze) prevents a consumer reporting agency from releasing a credit report, or any information from the report, without authorization from the consumer. If a person suspects that he or she has been victimized by identity theft, a credit freeze can help the person track whether an identity thief is using the person’s information to set up bogus accounts.
Until recently, the process of placing, temporarily lifting (“thawing”), and removing a credit freeze was governed only by state law and was available only in those states that had passed credit freeze laws; consequently, variability among the states was considerable.
As of November 1, 2007, the three national credit repositories (Equifax, Experian, and TransUnion) allowed all consumers in all states to set a security freeze regardless of state law. However, where a state law exists and entitles an individual to a lower fee, that state law remains in effect.
Since 2001, 49 states and territories have enacted laws that allow security freezes; 12 of these enacted their security freeze laws after the November 2007 credit bureau policy change.
http://www.ncsl.org/programs/lis/privacy/idt-legis.htm
State Legislation about Breach Notification and Privacy Protection
The following state laws and regulations are from California and Massachusetts. These two states are highlighted here because they have been the most prominent and active in breach notification and privacy protection legislation.
California Civil Code 1798.82 (Senate Bill 1386)
- California was the first state to implement a breach notification law, effective July 1, 2003.
- California Senate Bill 1386 was codified as Civil Code 1798.82. The law requires any person or business that does business in California and owns or licenses computerized data containing personal information to notify California residents of any security breach in which their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- California amended its breach notification law (AB 1298), effective January 1, 2008, to add medical information and health insurance information to the definition of “personal information.” A breach of this information therefore triggers the notification requirement.
- Another amendment took effect on January 1, 2009. It requires a health care provider that has experienced a breach of patient medical information to notify both the affected individuals and the California Department of Public Health no later than five business days after detecting the breach.
Massachusetts 201 CMR 17.00
- Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
- MA 201 CMR 17.00 establishes minimum standards for safeguarding personal information contained in both paper and electronic records. It applies to all persons who own, license, store, or maintain personal information about a resident of the Commonwealth of Massachusetts.
- Every person that owns, licenses, stores, or maintains personal information about a resident of the Commonwealth must develop, implement, maintain, and monitor a comprehensive, written information security program applicable to any records containing such personal information.
- These regulations were originally scheduled to take effect on May 1, 2009; the effective date was later moved to January 1, 2010.