Privacy Laws affecting Outsourcing:
2005 Legislative Agenda and Regulatory Guidance
as of March 25, 2005
Pending Policy Choices.
In February and March 2005, some major data aggregators/resellers, including ChoicePoint Inc. and LexisNexis, allegedly suffered massive fraudulent intrusions into databases that contained personally identifiable information, including the Social Security numbers of thousands of people. In mid-March 2005, congressional hearings on identity theft focused attention on various possible solutions, including:
- requiring data brokers and other information custodians to notify individuals at risk following a data theft;
- regulation of data brokers (and other records custodians) by the Federal Trade Commission;
- criminalization of unauthorized data gathering, called “phishing,” and abuses of the data gathered;
- mandatory obtaining of the consent of individuals before installation of adware or spyware;
- mandatory accreditation and qualification of persons seeking to obtain access to personally identifiable information;
- mandatory truncation and masking procedures to prevent unauthorized use of Social Security Numbers and Driver’s License Numbers;
- unauthorized offering of goods or services via the Internet based on the use of unauthorized means of collecting personally identifiable information, such as “phishing” scams, unauthorized adware or clandestine spyware.
From the standpoint of outsourcing, service providers should be sensitive to these emerging issues.
- marketers who support the abusive marketing of confidential information;
- data aggregators and resellers;
- recipients of personally identifiable information (that is, virtually all IT-enabled outsourcing service providers).
This page highlights some important pending legislation on privacy. Since privacy laws can have the effect of preventing outsourcing, we are offering this selection of information to assist in planning. Some of these bills are addressed to specific types of outsourcers, such as call centers, information brokers and internet service providers. Others apply to virtually any person who collects, processes or transmits data.
Financial Services and Affected Outsourcers.
As of March 23, 2005, Federal bank regulators have adopted a new rule for notification of customers whose data have been exposed and are at risk. See Federal Bank Regulatory Guidance on Notifications to Customers and Regulators following Breach of Security.
For information available to consumers, see the Federal Trade Commission’s web page, http://www.consumer.gov/idtheft/index.phpl
Existing Privacy Laws Affecting Outsourcing.
Existing laws governing privacy are not listed below. For further information, see Privacy Laws – General, which has additional links.
Evolution and Application.
For the interpretation and application of any new legislation, the evolution of this legislation, and the lobbying involved in pushing for or against it, please contact firstname.lastname@example.org or call us at 212 840 0080.