The third FIP addresses the right of data subject to access the information that is collected about them and the right to contest and correct the accuracy of that information.
3.3.1 Current U.S. Law
Although some websites do allow users access to PII that is collected about them, it is not mandatory under current U.S. law. If a website voluntarily allows users access to information collected about them, it is generally explained in privacy policies or terms of service statements. Some websites also provide an opportunity for users to correct inaccuracies in the information that has been collected about them. It is clear, however, that users in the U.S. have no legal right to review information collected about them by websites and online service providers, nor do they have the right to make corrections if they find inaccuracies in their data files. If websites and online service providers provide access and an opportunity to correct inaccuracies, it is a voluntary action that is not compelled by U.S. law. Most of the time, if such opportunities for users exist, they are buried in website privacy policies and terms of service statements and users are frequently unaware of these options.
If the 2003 version of OPPA were enacted, website operators and online service providers would be required, upon request of individual users, to provide [Section 2(b)(1)(B)(i and ii)]:
(i) a description of the specific types of personal information collected by that operator [of a website or online service] that was sold or transferred to an external third party and
(ii) notwithstanding any other provision of law, a means that is reasonable under the circumstances for the individual to obtain the personal information described in paragraph (i) from such individual [operator of a website or online service];
The language in this portion of OPPA suffers from an excess of “legalese,” but this section of OPPA provides user access to any file collected, sold or transferred to any external third party.
Note that the 2003 version of OPPA only addresses part of the access/participation FIP principle, as it does not mention a right or procedure on the part of users to correct errors in the PII files collected about them. Nevertheless, if the 2003 OPPA were enacted into law, users would at least have access to the files of PII that are being compiled about them and a description of the PII that is collected about them.
There are some markets and transactions in the U.S. where there is a legally recognized right on the part of data subjects to access personal information collected about them and recommend corrections for inaccuracies. The Fair Credit Reporting Act does guarantee, with stiff penalties for noncompliance, that data subjects shall have access to the files collected about them and that there is a procedure for contesting the accuracy of the credit report. If a data subject contests the accuracy of the credit report about him or her, the credit bureau is required to reinvestigate and make changes if the reinvestigation reveals errors.
3.3.2 Current EU Law
Section V, Article V of the 1995/46/EU Information Directive is entitled, The Data Subject’s Right of Access to Data. According to the 1995 Directive, “Member States shall guarantee for every data subject the right to obtain from the controller:…confirmation as to whether or not data relating to him are processed and information at least as to the purposes of the processing, the categories concerned, and the recipients or categories of recipients to whom the data are disclosed;”. Section V, Article 12 [paragraph 2] also requires that each data subject be entitled to obtain from the controller (of information collected about him or her), “as appropriate the rectification, erasure or blocking of data, the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;”. Finally, Article 12 of the 1995 Information Directive basically guarantees “notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with paragraph 2,…”
Similar to the other FIPs, EU law requires that Member States pass laws that recognize access/participation. In particular, EU laws guarantee data subjects access to PII that has been collected about them and some rights with respect to corrections and erasures of incorrect PII. This is a more complete approach to access/participation than would be provided by OPPA.
3.4 Integrity and Security
Compliance with the integrity and security FIP principle requires data collectors to take reasonable measures to assure that information collected from consumers is accurate and secure from unauthorized use. The implication of this FIP is that websites and online service providers are required to use commercially reasonable measures to protect PII from external threats posed by hackers and identity thieves and from inappropriate internal use. The threats from hackers are well known; some enjoy the challenge of penetrating firewalls and security systems, while others, motivated by profit, make fraudulent use of PII in the form of identity theft and credit card fraud. Although identity theft has received much recent attention, ineffective internal controls over access to PII collected by large institutions (e.g. hospitals and universities) are actually a more significant threat to the security and integrity of such data. In a study that reported the results of a survey of hospital employees who had access to the hospital’s medical records, respondents were asked their perceptions regarding the most important threats to the confidentiality of such records. Second, behind unauthorized secondary use of medical records, was inappropriate and unauthorized access to medical records. Compliance with the security FIP requires organizations that acquire and store PII to implement protective measures against external as well as internal threats to the confidentiality of the data.
3.4.1 Current U.S. Law
In the U.S., most websites and online service providers are not required by law to have adequate security, though there are three exceptions: websites that store medical records, websites that store financial data, and websites that acquire information from children. For each of these three areas, there are statutory requirements that websites storing such information must ensure the integrity of the data by employing commercially reasonable security measures. The Gramm-Leach-Bliley Act, for example, requires financial institutions to implement security technologies that can fend off anticipated threats.
For websites that do not fall into any of these three categories, there is no statutory requirement under U.S. law to maintain adequate security for the confidentiality of PII that is acquired or stored, but there could be legal sanctions in the form of common law suits based on negligence. If websites and online service providers do store PII and do not use commercially reasonable security procedures, it could be argued that they are negligent, which is a common law tort. A defendant (a website storing PII sued by users) is liable for negligent behavior if the defendant owes a duty to the plaintiffs, breaches that duty by acting unreasonably, and the breach of that duty to the plaintiffs is the proximate cause of damages incurred by the plaintiffs. All of those elements are present if a website or online service provider collects, stores, or transmits PII; they have a duty to data subjects to act reasonably with their PII. If websites and online service providers do not use commercially reasonable security measures to deter foreseeable internal or external threats and security is compromised, they have breached a duty to data subjects and could be liable for the resulting consequences of security breakdowns. Although no federal statute requires websites and online service providers who store PII to use commercially reasonable measures, common law suits based on negligence are a potential consequence of not using commercially reasonable measures to protect the integrity of stored PII.
There have only been a few lawsuits in which the plaintiffs (users whose records are stored) claim that defendants (websites that stored PII) were negligent in their handling of PII. In order for these suits to be justified economically, many users must be joined together in a class action lawsuit because the damages associated with unlawful disclosure of PII are normally not large on an individual basis. For attorneys who specialize in class action suits, the rate of return is higher where the defendants are charged with securities fraud or selling defective products. In some class action product liability cases, individual victims (plaintiffs) are entitled to several million dollars apiece, whereas the damages to individuals associated with failure to keep PII private are likely to be measured in the hundreds of dollars. The bottom line is that under current U.S. law there is only weak legal protection for PII stored by websites and online service providers unless the records stored are subject to HIPAA regulations, GLB, or COPPA.
On the other hand, criminal sanctions in the U.S. against hackers have been dramatically increased in recent years. Hackers face severe criminal liability under the Computer Fraud and Abuse Act (CFAA), which makes it illegal to knowingly access a “protected” computer without authorization or to exceed authorized access. In the wake of the 9/11 attacks, hackers who violate the CFAA are subject to imprisonment for up to twenty years as well as substantial fines. Violations of the CFAA occur if (1) the hacker gains access to computer files that are forbidden to him or (2) the hacker exceeds the access that has been granted to him. Prosecution of a crime does not normally provide restitution to victims, especially in the case of hackers who are often bored teens, but the increased legal sanctions undoubtedly do have deterrence value.
The 2003 version of OPPA, Section 2(b)(1)(C), does “require the operator of such Web site or online service to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information it collects or maintains.” “Reasonable procedures” to protect confidentiality etc. are presumably defined with reference to the procedures typically used in industry, though in some cases the courts have found that industry standards lag behind what is reasonable.3 Certainly, “reasonable procedures” would include use of encryption to scramble transmissions between websites and their customers, firewalls, internal management practices, and other measures that are commonly used by websites and online service providers to protect confidential PII that has been provided to them by customers or other firms.
Article 4 of the 2002 EU Directive on Privacy and Electronic Communications requires that, “The provider of a publicly available electronic communications service must take appropriate technical and organizational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security.” While Article 4 requires an electronic communication service to take appropriate technical and organizational measures, it also allows such services to inform subscribers about risks when its security does not provide adequate protection. Article 4(2) states that, “In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.” The implication of this subsection is that those entities who store PII acquired online may absolve themselves of liability for certain contingencies if the costs of deterring the risk exceed the benefits and the electronic communication service informs subscribers in advance of its unwillingness to insure against that risk.
Article 5(3) of the EU 2002 Directive does require “Member States” to “ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation.” If passed, OPPA would impose similar requirements on websites and online service providers in the U.S. that store PII. Current U.S. law provides protection to users, subscribers, and website visitors through the common law, which requires a showing that the website or online service provider was negligent. A problem with common law remedies not backed up by a statute is that individual lawsuits and class actions are not economically justified in terms of the damages a court is likely to award.