The United States stands nearly alone in the world in that it does not have a unified, overarching privacy law. Instead, privacy law in the United States is a mesh of interlocking, often overlapping, and sometimes contradictory federal and state laws. Despite the lack of a single source of privacy law, privacy is still highly protected in the U.S. As a result, businesses must ensure their policies and practices are fully compliant, both to reduce the likelihood of a data breach and to limit the monetary and reputational harm that often follows one.
At the federal level, the Federal Trade Commission (FTC) is broadly empowered under Section 5 of the FTC Act to police “unfair or deceptive acts or practices in or affecting commerce.” That language has been interpreted to reach failures to protect consumer privacy and data security, for example a company that does not live up to the promises in its own privacy policy or that fails to maintain reasonable safeguards. The FTC’s authority in this area has been upheld by the courts and encouraged by Congress and the Executive. Because the FTC is empowered to police acts or practices “in or affecting commerce,” its oversight extends to most businesses, with only a handful of statutory exceptions (such as banks, common carriers, and nonprofits).
Beyond the FTC Act, federal laws typically cover specific categories of information (financial or health information) or particular activities (debt collection, telemarketing, or commercial email). For example:
- The Financial Services Modernization Act (Gramm-Leach-Bliley Act) – protects nonpublic personal financial information and applies broadly to financial institutions, requiring both privacy notices and a written information security program.
- The Health Insurance Portability and Accountability Act (HIPAA) – protects medical information and applies to covered entities (health plans, health care clearinghouses, and most health care providers) and to the business associates that handle protected health information on their behalf.
- The Fair Credit Reporting Act (FCRA) – governs consumer credit information and applies to consumer reporting agencies, to the businesses that furnish information to them, and to the users of consumer reports.
In Maryland, the Personal Information Protection Act (PIPA) provides the broadest protection for an individual’s personal information. If your business collects an individual’s first name (or first initial) and last name in combination with a Social Security number, driver’s license number, taxpayer identification number, or a financial account, credit card, or debit card number together with any code or password needed to access the account, PIPA most likely applies to your collection, use, and protection of that data unless the data is encrypted or otherwise rendered unreadable. PIPA requires you to maintain reasonable security procedures for that information, and most importantly, it prescribes what you must do, including notifying affected individuals and the Maryland Attorney General, if any of that information is disclosed through a security breach.
If your business collects personal information, or contracts with a company that does, it is imperative that you assess your privacy and security policies and practices. A data security breach can carry large monetary penalties and will require you to notify affected customers, with the reputational cost that accompanies such notice. Contact us today to talk through your policies and practices and to receive practical advice on how to minimize your risk moving forward.