USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
control the sharing and use of their personal financial information.

• The Department of Health and Human Services Office for Civil Rights, which is the primary enforcer of the HIPAA privacy, security and breach notification regulations (for HIPAA civil enforcement, see also State Agencies below).

• The Department of Justice (DOJ), which may bring criminal prosecutions for knowingly obtaining or disclosing protected health information in violation of HIPAA.

• The Federal Communications Commission (FCC), which is responsible for enforcing (along with the DOJ) the provisions of the Communications Act that protect the privacy and security of customer account information and telecommunications metadata.

• The Securities and Exchange Commission (SEC), which requires publicly traded companies to disclose material information regarding their operations and risks, including those related to data privacy and security. A recently enacted SEC rule requires public companies to disclose material cybersecurity incidents within four business days of determining that the incident is material. The SEC also promulgates GLBA-related customer data privacy rules for certain financial institutions.

State Agencies

State attorneys general and/or state consumer protection agencies generally have authority to enforce state privacy laws and regulations, and some state consumer protection laws give consumers a private right of action. State attorneys general also have authority to enforce certain federal privacy laws, such as COPPA and HIPAA, when violations of those laws have an impact on state residents. Finally, California is the first state to establish a standalone privacy regulator, the California Privacy Protection Agency (CPPA).

1.3 Enforcement Proceedings and Fines

Regulators (such as the FTC) generally initiate enforcement proceedings when a particular issue comes to the agency’s attention, either from press reports (for example, reports of data breaches), complaints from private parties or inquiries from other governmental entities. Proceedings generally begin with a formal request for information, such as through a civil investigative demand, directing entities to answer questions, or a less formal (but legally binding) subpoena or “letter of inquiry”. These requests can require recipients to answer questions and produce records relevant to the inquiry. Once the data-gathering phase is complete, the agency determines whether to initiate a formal enforcement proceeding. Prior to initiating a formal proceeding, most agencies will discuss the matter with the potential target to determine if a settlement can be reached. Agencies – and the FTC in particular – enter into settlements more frequently than they litigate formal enforcement proceedings. Settlements often include agreed-upon payments in the nature of fines.

1.4 Data Protection Fines in Practice

Fines for alleged privacy violations vary. The FTC has negotiated fines as high as USD5 billion against a company that violated the privacy-related consent order it was operating under, as well as fines in the hundreds of millions of dollars against companies for alleged COPPA violations. Smaller fines are more common, however. For example, AT&T recently agreed to pay USD13 million to the FCC to settle claims that it failed to adequately protect consumer account information and call metadata, and Verizon and
534 CHAMBERS.COM