U.S. ‘Trueing Up’ to Other Countries’ Security Measures
Absence in the U.S. of a unified stance on data security worries foreign firms that fear their data might not get enough protection, Oracle Privacy & Security Counsel Peter Lefkowitz said Fri. at an International Assn. of Privacy Professionals meeting. Europeans and Asians in particular dislike the lack of federal privacy law, he said. A handful of bills are moving through Congress and more states are enacting laws to address the issue.
U.S. law set financial institutions aside from other businesses, a hard concept for foreign audiences to absorb, especially amid the ruckus over electronic wiretapping by the National Security Agency and reauthorization of the Patriot Act, he said. Concern is growing about “what the U.S. is doing and what we're doing with information,” Lefkowitz said.
Individual firms are fielding more overseas queries about internal data security, Lefkowitz said. Oracle hears from squeamish customers and other stakeholders in Europe, Asia, Latin America and Canada. One wanted Oracle to vow not to let its data be accessed inside the U.S. More recently, a Canadian agency asked Oracle to promise in its contract to reject any American court subpoenas, including summons from the Foreign Intelligence Surveillance Act, requesting data belonging to it.
Firms active globally face a maze of data rules as they juggle state-level mandates at home, Lefkowitz said. The good news is “we're starting to see some consistencies and certainty” among FTC data disposal guidelines, pioneering Cal. security and notification laws and Gramm-Leach-Bliley Act (GLBA) rules, outside the context of regulated financial entities, Lefkowitz said. The U.S. seems to be “trueing up” to other nations’ standards, he said. Common threads are emerging among standards on system monitoring, curbs on physical monitoring and 3rd party accountability, he said.
Attorney Miriam Wugmeister agreed. “At a certain level, there seems to be commonality. If you're looking at high-level principles, all of the major legislative frameworks have a notice provision of some type and some type of data security provision -- but the devil is in the details,” she said. She cited statutes in Japan and Spain as proof.
Japan has an omnibus law and ministries have guidelines, Wugmeister said. Offices overseeing health, finance and high-tech have more detailed rules; others paint with a broader brush, she said. Japan also has administrative measures “surprisingly similar” to GLBA safeguard rules, plus stringent requirements for physical and technical security, she said.
Spain has a “very detailed set of guidelines for data security,” comprising 3 tiers depending on the type of data being collected, she said. Spain regulates written security policies, access controls, security incident recordkeeping, backup requirements, security officer designations and audit obligations. Spain’s system is much more detailed than Japan’s or the U.S.’s, Wugmeister said.
When it comes to alerting consumers about data security, 22 U.S. states require breach notification, and a U.S. law is being considered. Japan is the only other country in the world that has an affirmative obligation to notify, she said. When a breach occurs, the entity must notify those affected, publicly announce the transgression and tell the appropriate ministry. In Spain, entities must document incidents “but you don’t have to tell anyone,” she said.