Data Protection Enforcement in the United States

Administrative Remedies

Gramm-Leach-Bliley Act (“GLBA”), Title V, 15 U.S.C. §§6801-6809 and its implementing regulations: The Federal Consumer Financial Protection Bureau (“CFPB”) and the Federal Trade Commission (“FTC”) as well as federal functional regulators and State insurance authorities have the power to enforce GLBA with respect to the entities within a particular agency’s authority. The CFPB can initiate administrative adjudication enforcement actions against potential violators. The CFPB has established the Office of Administrative Adjudication, which is an independent judicial office within the CFPB. Penalties available in an administrative adjudication proceeding include those set forth in the next column, with the exception of civil monetary penalties. The CFPB has the power to issue cease and desist orders, following notice to the alleged violator and a scheduled hearing. FTC Act, Section 5 of the Federal Trade Commission Act, 15 USC § 45 (“FTC Act”): The Federal Trade Commission (“FTC”) may bring an administrative hearing against an individual or entity suspected of unfair or deceptive trade practices in violation of the FTC Act. At the conclusion of such a hearing, the FTC may issue an order to cease and desist. The FTC If the individual or entity subject to the order violates that order, the FTC may issue administrative penalties of up to $16,000 per violation. COPAA, the Children’s Online Privacy Protection Rule, 16 CFR 312.1 et. seq., implementing the Children’s Online Privacy Protection Act of 1998, 15 USC § 6501 et. seq. (“COPPA”): Violations of COPAA are deemed to be unfair or deceptive trade practices and are therefore subject to the same administrative penalties as set forth under the FTC Act, as described above. COPPA also gives states and certain other federal agencies authority to enforce compliance.

Civil Remedies

GLBA: The CFTC has the power to bring civil actions for damages. Penalties include: rescission or reformation of contracts; monetary refunds or return of real property; restitution; disgorgement or compensation for unjust enrichment; monetary penalties; public notification of the violation; limits on the violator’s functions. Civil monetary penalties range from a maximum of $5,000 per day of violation to $1,000,000 per day of violation, where an individual knowingly violated the law. FTC Act: The FTC may bring civil actions for civil monetary penalties of up to $16,000 per violation. Each day that non­compliance continues is considered a separate “violation” for purposes of the law. COPAA: Violations of COPAA are deemed to be unfair or deceptive trade practices and are therefore subject to the same administrative penalties as set forth under the FTC Act, as described above. COPPA also gives states and certain other federal agencies authority to enforce compliance. HIPAA, Standards for Privacy of Individually Identifiable Health Information, issued pursuant to sections 1171 through 1179 of the Social Security Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Sec. 13001 of the American Recovery and Reinvestment Act, Public Law 111-005 (“HITECH Act”): The US Department of Health and Human Services (“HHS”) may impose a civil monetary penalty on any person who violates the HIPAA Privacy Standards, at an amount of between US $100 to 50,000 per violation, with a total of US $ 25,000 to 1.5 million for all violations of a single requirement in one calendar year.

Criminal Remedies

GLBA: While the CFPB has no power itself to bring criminal actions, pursuant to federal statute, if the CFPB obtains evidence that a person has engaged in conduct that may violate a federal criminal law, the CFPB is authorized to provide that evidence to the Attorney General of the United States, who will be able to investigate and potentially bring an enforcement action. FTC Act: No criminal penalties specified. COPPA: No criminal penalties specified. HIPAA: Violations of the Privacy Standards include criminal penalties, including up to ten years imprisonment in certain cases. These penalties may be imposed on Business Associates as well as Covered Entities, as defined under the law.

Other Remedies

GLBA:  The CFPB also has the power to undertake investigations of a potential violator by issuing a civil investigative demand.  As part of its investigation, the CFPB can issue demands for production of documents as well as for giving oral testimony.

Selected Enforcement Actions / General Comments

Federal Communications Commission:  In October 2014, FCC fined TerraCome and YourTel American who “stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” The carriers will be fined $10 million for their breach of consumer privacy.

Federal Communications Communication: In September 2014, FCC reached a $7.4 million settlement with Verizon over privacy violations for its “use of personal consumer information for marketing purposes,” according to a Federal Communications Commission press release. In addition, Verizon had to agree to a three-year compliance plan.

Health & Human Services: In May 2014, New York and Presbyterian Hospital (NYP) agreed to pay OCR $3,300,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.