Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data. The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the California Consumer Privacy Act (“CCPA”) here.
On the security front, as of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. These new and amended state data breach laws expand the definition of personal information and specifically mandate that certain information security requirements are implemented. Below are the key takeaways from U.S. data protection laws that were passed in the last year.
2018 U.S. State Laws Round Up:
- Alabama (SB 318) – Alabama passes its first data breach notification law. Alabama’s data breach notification law went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form. The definition of sensitive personally identifying information is expansive and includes health information, as well as username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security. The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.
- Arizona (HB 2145) – Arizona updates its breach notification law to expand the definition of personal information and tighten notification timelines, among other things. On April 11, 2018, Arizona’s governor signed HB 2154 to amend the Arizona data breach notification law. The law went into effect upon signing and amends Arizona’s data breach notification law to: (1) expand the definition of personal information; (2) refine the time period in which consumers must be notified to 45 days; (3) prescribe circumstances when the Attorney General and Consumer Reporting Agencies (CRAs) must be notified; (4) implement a risk of harm provision; and (5) impose civil penalties of up to $500,000 for knowing and willful violations of the law.
- Colorado (HB 1128) – Colorado strengthens consumer protections by requiring formal information security policies as well as increased oversight of third parties. Passed on May 29, 2018, Colorado’s law takes effect on September 1, 2018. Under the law, “covered entities,” defined as “a person [. . .] that maintains, owns or licenses personal identifying information in the course of the person’s business, vocation, or occupation,” are accountable for protecting personal information. Like GDPR Articles 24, 25 and 32, which require data protection policies to ensure appropriate levels of security, Colorado requires covered entities to: (1) develop and maintain written policies on the disposal of personal information; and (2) “implement reasonable security procedures and practices commensurate with the sensitivity of personal data processed as well as the size and complexity of the entity.” In addition, Colorado now requires supervision of third-party providers that process personal data on behalf of covered entities. Covered entities will also be required to provide notice of data breaches to both individuals and Colorado’s attorney general when more than 500 Colorado residents are impacted. Violations of the law may be enforced by the state’s attorney general.
- Iowa (HF 2354) – Iowa passes legislation regulating online services and mobile apps for students. Iowa’s law is set to take effect on July 1, 2018. The law applies to operators of internet sites, online services, online applications, or mobile applications that have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed or marketed for such purposes. The law prohibits the use of students’ information for certain purposes, such as creating student profiles or selling or renting a student’s information. And, it requires operators to implement and maintain security procedures and practices appropriate and consistent with industry standards and applicable state and federal laws, rules, and regulations.
- Louisiana (Act. No. 382) – Louisiana amends its data breach law. Amendments to Louisiana’s existing law go into effect on August 1, 2018. Among other things the law: (1) expands Louisiana’s definition of personal information; (2) amends the state’s data breach notification law to require notice to affected Louisiana residents within 60 days of determining that a security breach occurred; (3) incorporates a risk of harm provision; and (4) requires organizations to take reasonable steps to destroy records with personal information that the business does not intend to retain.
- Nebraska (LB 757) – Nebraska enacts requirement to maintain reasonable security practices and procedures and flow down those obligations to third parties. Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.
- Oregon (SB 1551) – Oregon amends its breach notification rules. On June 2, 2018, Oregon’s amended data breach notification and information security laws went into effect. Oregon’s data breach notification law was amended to: (1) expand the scope of those who must provide notice of a security breach to anyone who “otherwise possess” personal information; (2) broaden the definition of personal information; (3) require notice to affected Oregon residents within 45 days of determining that a security breach occurred; (4) require all entities, whether or not they meet the threshold for providing notification to the Attorney General, to provide the Attorney General with a copy of the notice sent to consumers within a reasonable time; and (5) prohibit entities offering free credit monitoring or identity theft prevention services from conditioning such services on the person providing a credit or debit card number or accepting any other services the person offers to provide for a fee.
- South Carolina (H4655) – South Carolina imposes heightened breach notification and security requirements on the insurance industry. The South Carolina Insurance Data Security Act, which goes into effect on January 1, 2019, will require the insurance industry to implement comprehensive written cybersecurity programs and incident response plans. Moreover, the Insurance Commissioner must be notified within 72 hours of a security breach.
- South Dakota (SB No. 62) – South Dakota enacts its first data breach notification law. Effective July 1, 2018, South Dakota’s breach notification law limits the definition of a breach to the “unauthorized acquisition of unencrypted computerized data” and includes an expansive definition of what is considered “personal information” and “protected information.” The law requires affected individuals to be notified within 60 days of the discovery of the breach. Moreover, the law requires that notification be provided to CRAs when residents receive notice of a breach, regardless of the size of the breach. In addition, the attorney general must be notified if 250 or more South Dakota residents are provided with notice of a breach. The attorney general may prosecute any entity that fails to provide individual notifications as required by the law and seek penalties of up to $10,000 per day, per violation.
- Vermont (H. 764) – Vermont passes legislation to regulate data brokers. Passed in May 2018, Vermont’s law goes into effect on January 1, 2019. Under the new law, data brokers will be required to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosures to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.
- Virginia (HB 183) – Virginia amends its breach notification law to include income tax information. Effective July 1, 2018, Virginia’s data breach notification law now requires individuals that prepare tax returns on behalf of any Virginia individual to notify the Virginia Department of Taxation upon the discovery or notification of unauthorized access to an individual’s “return information.” The notification obligation is triggered if the tax preparer has a reasonable belief that the information was accessed and acquired by an unauthorized person and that such access or acquisition will cause or has caused identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”
Organizations that took action to comply with the GDPR will need to conduct a gap assessment to determine how their existing procedures will need to be revised in order to comply with these new state laws. Because we expect amendments to the new California law as well as other GDPR-like legislation to be passed in the next two years, it is increasingly important to have legal and compliance teams work closely with the business, marketing and IT teams to monitor changes in the regulatory landscape and continually reassess the effectiveness of the company’s risk mitigation controls.
Companies looking to adopt an effective data management program may want to consider:
- Auditing the personal data they collect, analyzing the nature or categories of personal data, and identifying which data is “critical” to the company.
- Developing a process for receiving, reviewing and fulfilling customers’ requests in connection with their data and requests to opt out of data collection as well as how these requests will be operationalized.
- Developing and maintaining written data protection policies and security procedures and training employees who handle personal data on policy changes, proper handling, and best practices.