United States: First Europe, Now The States: Big Changes Coming To State Data Privacy Laws

Last Updated: July 6 2018
Article by Sean Ahern

With legislative activity last month in Louisiana, South Carolina, Vermont, and Colorado adding to activity in South Dakota, Arizona, Oregon, and Alabama earlier in the year, it appears that 2018 could be a significant year for state information privacy law reform. Much has been predicted in this area following the enactment in 2017 of significant regulations in New York and the passage of substantial amendments to a statute in Illinois, both of which were aimed at protecting against data breaches. We have previously reported on exactly this type of change in state law. The next wave is clearly underway. Even California is getting in on the action.

This recent activity demonstrates trends in major areas of cybersecurity law. Some of it is the first of its kind, which may indicate analogous activity to follow in other states. We provide here an overview of this recent activity and will report in further posts as there are more developments.

South Carolina Insurance Industry Data Security Law

On May 14, South Carolina passed H4655, the South Carolina Insurance Data Security Act. The passage of this law makes South Carolina the first state to impose comprehensive data security requirements on the insurance industry. It also makes South Carolina the first state to closely adopt the Insurance Data Security Model Law drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Some highlights:

  • The law requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program for protection of nonpublic information within six months of the compliance date.

    • Nonpublic information includes: social security numbers; driver's license or other non-driver identification numbers; account numbers; credit or debit card numbers; any security code, access code, or password that would permit access to a consumer's financial account; biometric records; certain health and medical information; and certain business-related information.
  • There are no requirements as to the exact details of the cybersecurity program; however, the entity's information security program must be proportionate to the risks identified through its risk assessment.

    • The risk assessment must identify reasonably foreseeable threats to nonpublic information, the likelihood and potential damage, and the sufficiency of policies, procedures, and other safeguards.

      • This risk assessment must be performed at least annually.
      • The entity must also evaluate the risk to nonpublic information held by third-party service providers, who in turn must be selected through due diligence and required to implement appropriate measures to protect nonpublic information.
    • The law suggests features of cybersecurity programs, but it does not require that they be adopted in the entity's program.
  • The law requires a written cybersecurity incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information in the entity's possession, the entity's information systems, or the continuing functionality of any aspect of the entity's business or operations.

    • The plan must address seven required aspects of an incident response plan.
  • The law also requires boards of directors to oversee the security program.
  • The law further requires that certain procedures be followed in the case of a cybersecurity event, including a requirement to notify the Commissioner within 72 hours after determining that a cybersecurity event has occurred (with notification to other entities potentially required later), and it specifies the details that must be included in the notice.

The passage of this law regulating data security within the insurance industry is clear precedent for similar laws to follow in other states. Much of the language was pulled directly from the NAIC model legislation. Accordingly, other states may follow shortly, and those potentially subject to the requirements of the law should pay close attention to these developments.

Vermont Data Broker Law

On May 22, Vermont passed House Bill 764, An Act Relating to Data Brokers and Consumer Protection. This law is a first-of-its-kind law imposing restrictions on data brokers, i.e. companies that deal in the personal information of consumers. The law includes transparency requirements as well as minimum security requirements for the process by which data brokers deal in this information.

  • The law defines a data broker broadly as a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

    • Brokered personal information includes: name; address; date of birth; place of birth; mother's maiden name; unique biometric data; name or address of a member of the consumer's immediate family or household; social security number or other government-issued identification number; or other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
    • A consumer has a direct relationship with a business if, for example, the consumer is a past or present customer, employee, investor, or donor.
    • There are further carve-outs for types of businesses that are explicitly excluded from qualifying as data brokers.
  • Data brokers must pay a $100 annual fee to register with the state, must disclose to consumers the data that is collected, and, if an opt-out is offered, must provide clear instructions for consumers to opt out of having their data collected.
  • All data brokers must implement a comprehensive information security program, communicated to authorities, that contains certain enumerated features and technical safeguards.

    • This includes certain minimum computer system security requirements.
  • The law grants authority to the Vermont Attorney General's office to enforce the provisions of the law.

The law is unique in its particular application to data brokers and also in the way in which it imposes specific minimum requirements for maintaining an information security program. These unique features have potential implications far beyond Vermont. Not only is the law potential precedent for further legislation in other states (such as similar provisions in the California Consumer Privacy Act, originally proposed as a fall ballot initiative and instead enacted by the legislature as AB 375 on June 28, 2018), but it also directly implicates entities qualifying as data brokers that operate in other states and may not know whether the data they deal in originated with a Vermont resident.

Louisiana Amendments to Database Security Breach Notification Law

On May 20, Louisiana also signed into law Act 382 (Senate Bill No. 361), which includes amendments to the Database Security Breach Notification Law. Shortly thereafter, Colorado enacted significant amendments to its own data breach notification law covering many of the same types of provisions.

  • The definition of personal information now includes: a state identification card number; a passport number; and biometric data, meaning data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics, that are used to authenticate an individual's identity when accessing a system or account.
  • Any person that conducts business in the state or owns or licenses computerized data that includes personal information must implement particular policies for dealing with personal identifying information.

    • These entities must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
    • And these entities must take all reasonable steps to destroy, or arrange for the destruction of, records within their custody or control containing personal information that is no longer to be retained, by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
  • The timeline for reporting data breach events has also changed: notice must now be given within 60 days after determining that a security breach has occurred.
  • Substitute notification can now also be provided where the cost of providing notification would exceed $100,000 or where more than 100,000 affected residents would have to be notified.

This law demonstrates a growing trend toward states strengthening their data breach notification laws. Particularly with regard to provisions that impose mandatory timelines on reporting data breaches, expand the scope of data that qualifies as personal identifying information, and require entities storing personal data to have plans in place for preventing data breaches, further amendments across different states are likely in the coming months.

Colorado Consumer Personal Information Protection Law

On May 29, Colorado signed into law House Bill 18-1128, An Act Concerning Strengthening Protections for Consumer Data Privacy. This bill imposes some of the most stringent requirements yet on entities that store and collect the personal identifying information of residents of Colorado.

  • The definition of personal information now includes: student, military, or passport identification number; driver's license number or identification card number; medical information; health insurance identification number; and, biometric data.
  • Any entity that maintains, owns, or licenses personal identifying information of a Colorado resident must implement particular policies for dealing with personal identifying information.

    • They must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
    • They must require any third-party service providers with access to personal identifying information provided by the covered entity to also take measures that are appropriate to the nature of the personal identifying information disclosed and reasonably designed to help protect it from unauthorized access, use, modification, disclosure, or destruction.
    • And covered entities that maintain paper or electronic documents containing personal identifying information in the course of business must develop a written policy for the destruction or disposal of such documents once they are no longer needed.
  • The timeline for reporting data breach events has also changed: notice must now be given within 30 days after determining that a security breach has occurred.

This bill further represents ongoing efforts at the state level to augment and strengthen protections for consumer data privacy by adding requirements on businesses that deal with protected personal data. These recent changes supplement the mosaic of state data privacy protection laws. In particular, the provisions of this bill, especially in conjunction with those in the Louisiana legislation, show increased state interest in closely regulating the means by which personal data is stored and protected, rather than simply imposing requirements and penalties for breach events.

Originally published on Foley Hoag's Security, Privacy and The Law Blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
