West Academic Publishing's Law School Advisory Board
Jesse H. Choper
Professor of Law and Dean Emeritus
University of California, Berkeley
Joshua Dressler
Distinguished University Professor Emeritus
Michael E. Moritz College of Law, The Ohio State University
Renée McDonald Hutchins
Dean and Joseph L. Rauh, Jr. Chair of Public Interest Law
University of the District of Columbia David A. Clarke School of Law
Yale Kamisar
Professor of Law Emeritus, University of San Diego
Professor of Law Emeritus, University of Michigan
Mary Kay Kane
Professor of Law, Chancellor and Dean Emeritus
University of California, Hastings College of the Law
Larry D. Kramer
President, William and Flora Hewlett Foundation
Jonathan R. Macey
Professor of Law, Yale Law School
Deborah Jones Merritt
Distinguished University Professor, John Deaver Drinko/Baker & Hostetler Chair in Law
Arthur R. Miller
University Professor, New York University
Formerly Bruce Bromley Professor of Law, Harvard University
Grant S. Nelson
Professor of Law Emeritus, Pepperdine University
Professor of Law Emeritus, University of California, Los Angeles
A. Benjamin Spencer
Dean & Chancellor Professor of Law
William & Mary Law School
James J. White
Robert A. Sullivan Professor of Law Emeritus
University of Michigan
Privacy and Cybersecurity Law
Jon M. Garon
Professor of Law
Nova Southeastern University
Shepard Broad College of Law
A SHORT & HAPPY GUIDE SERIES
The publisher is not engaged in rendering legal or other professional advice, and this publication is not a substitute for the advice of an attorney. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional.
A Short & Happy Guide Series is a trademark registered in the U.S. Patent and Trademark Office.
© 2020 LEG, Inc. d/b/a West Academic
444 Cedar Street, Suite 700
St. Paul, MN 55101
1-877-888-1330
Printed in the United States of America
ISBN: 978-1-68467-983-6
Table of Contents
Decisional Privacy, Autonomy, and Personal Choice
Constitutional Protections of Privacy Under the Fourth Amendment
B. Electronic Surveillance Under the Fourth Amendment
Contours of Privacy, Publicity, and Free Speech Rights
The Right to Privacy, Harvard Law Review (1890)
D. Workplace Health Data and Social Security Numbers
Privacy Policies Vary in Goals and in Protection
The Right to Know About the Collection and Use of Personal Information
D. General Data Protection Regulation from the European Union
System Backups and Managing Catastrophic Risk
D. Special Considerations for Credit, Debit, and Payment Cards
Sectoral Privacy: Children's Online Privacy
An Exception to Confidentiality - the Duty to Warn
B. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Genetic Information Nondiscrimination Act of 2008 (GINA)
Sectoral Privacy: Banks, Financial Institutions, and Lending Activities
C. Regulations Under the Securities Act and the Securities and Exchange Act
Only Make Promises That the Company Can Keep
Institute Appropriate Administrative, Technical, and Physical Data Security Systems
Work Closely with the PCI Security, Staying Current on All Security Updates
Do Not Implement Any Policy You Would Not Want to See on the Front Page of the Local Newspaper
A Short & Happy Guide to Privacy and Cybersecurity Law
Chapter 1
Introduction
A. The Modern Meaning of Privacy
Privacy is the right to be let alone, but it is also much, much more. Privacy is one of the fundamental human rights enumerated in the United Nations Universal Declaration of Human Rights. It protects individuals from improper surveillance and searches by the government, from interference with personal choices of marriage and contraception, from unauthorized exposure of personal information to the public, and from misuse of information by employers, lenders, and insurance companies. Although privacy is a fundamental right, it is also a qualified right, meaning that the right to privacy must be balanced against competing fundamental rights. For example, privacy rights are often juxtaposed against free speech interests. The protections against governmental searches and seizures are balanced against the state's police power and its ability to establish probable cause sufficient to obtain a search warrant.
Because privacy covers such a wide range of activities, privacy often means very different things to different people. The kind of information considered appropriate to share and the kind of information deemed personal varies within cultures and eras, and among individuals. Although privacy is recognized as a fundamental right by the United Nations, the meaning of that right differs significantly among the different governments of the world. This guide will largely limit itself to privacy laws in the United States.
Privacy laws of various kinds have existed throughout legal history. Roman law recognized a form of attorney-client privilege. Canon law recognized clergy-penitent confidentiality. Colonial America inherited its initial privacy laws from British law, which included a prohibition on eavesdropping for the purpose of making slanderous and mischievous tales as a form of nuisance.
Privacy laws operate using two different approaches. Some privacy laws stop a party from obtaining restricted information. Other privacy laws stop a party from using information for unauthorized purposes. The same law may do both.
For example, attorney-client privilege stops the prosecution in a criminal proceeding from compelling an attorney to reveal confidential information about the attorney's client to the prosecutor. In this way, the policy blocks the prosecutor from obtaining information. At the same time, the attorney-client privilege rules limit an attorney's right to use information obtained from a client. The attorney cannot disclose the privileged information to the prosecutor, even if the attorney would like to do so, and the attorney cannot use the privileged information in other matters if it would be detrimental to the client.
In contrast, the laws governing health care privacy prohibit a hospital from revealing patient information unless approved by the patient or as part of the treatment, billing, or health care operations obligations of the hospital. These laws stop the health care organization from using information it has obtained from its patients. However, the health privacy laws do not stop a newspaper from publishing the health information about a star athlete that the newspaper may have obtained through various interviews.
Privacy laws are also drafted to target specific constituencies, such as the government, employers, commercial enterprises, or the general public. For example, the constitutional Bill of Rights and many state and federal statutes focus on stopping the government from intruding on the privacy of U.S. citizens. Many federal and state regulations focus on the use or misuse of information by commercial enterprises, including lenders and financial services companies, insurance companies, health care organizations, and media companies.