United States: Ringing In 2019 With New State Privacy And Data Security Laws Impacting Data Brokers And Insurers

New state laws that took effect on January 1, 2019 are likely to have a broad impact on how U.S. companies collect, process, and secure consumers' personal information, and on how and when they report data breaches. With the EU's General Data Protection Regulation (GDPR) now in force and no omnibus U.S. federal law yet in place to protect all individuals' personal information, state legislators have begun to pave the way for new data regulations and stronger consumer protections that carry serious implications for U.S. firms across many industries. Vermont and South Carolina are the latest states to enact their own data protection legislation, regulating data brokers and licensed insurers respectively, and other states are likely to follow in the near future. For these reasons, now is the time for your organization to adopt policies, procedures, and processes that ensure the privacy and security of the consumer data you maintain, so that you are prepared when similar state-level legislation is enacted elsewhere.

VERMONT – First State Law to Regulate Data Brokers

On January 1, 2019, Vermont became the first state in the nation to regulate data brokers that collect and sell personal information about consumers, attempting to add a new layer of accountability to data trading companies that often operate without much oversight. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices. Under this new law, data brokers will now have to register annually with the state, adopt comprehensive security measures, and publicly disclose information regarding their data collection practices, opt-out policies, purchaser credentialing practices, and security breaches. In addition to imposing these obligations on data brokers (discussed below), the law also requires credit reporting agencies to provide and remove "security freezes" prohibiting the release of consumer credit reports at no charge.

To Whom Does the Law Apply?

The law defines a "data broker" as "a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The definition is narrow in one important respect: it reaches only businesses that lack a direct relationship with the consumer.

Brokered personal information ("Brokered PI"), by contrast, is defined broadly. It includes one or more computerized data elements about a consumer that are categorized or organized for dissemination to third parties, such as a Vermont resident's name, address, Social Security number or other government-issued identification number, date or place of birth, mother's maiden name, biometric data, name or address of a member of the consumer's immediate family or household, as well as "other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party."

Importantly, the law does not apply to businesses that collect data in the course of providing a consumer-facing product or service, such as websites, apps, or e-commerce platforms, so long as the business maintains a direct relationship with the consumer. Examples of direct relationships include past or present customers, clients, subscribers, users, registered users, employees, contractors, agents, investors, and donors. Similarly, because data brokers must "collect" and "sell or license" data, a business that acquires lists of individuals for its own use or analysis (e.g., to market to them or customize its product offerings), but does not resell the data, is not a data broker. On the other hand, "a business that collects information about consumers and then adds additional data elements, cleans up the data, or categorizes the data into lists in order to sell or license the data ... is a data broker."

What Does the Law Require?

Annual Registration and Disclosures

Data brokers must pay $100 and register annually with the Vermont Secretary of State. Upon registering, a data broker must also provide information about its business practices, including:

  • Whether and how consumers can opt out of the broker's data collection, databases, or certain sales of data;
  • The data collection, databases, or sales activities from which a consumer may not opt out;
  • Whether the broker implements a purchaser credentialing process;
  • If the broker knows it possesses Brokered PI about minors, a separate statement detailing any data collection practices, databases, sales activities, and opt-out policies applicable to that information; and
  • The number of "data broker security breaches" the broker experienced in the last year, including how many consumers were affected (if known):

    • A "data broker security breach" is defined as the unauthorized acquisition of two or more elements of Brokered PI maintained by a broker, or the reasonable belief that such unauthorized acquisition has occurred, when the data is not encrypted, redacted, or protected by another method that renders it unreadable or unusable by an unauthorized person.
    • Brokered PI is a much broader category than the more focused definition of personally identifiable information ("PII") that triggers consumer notification under Vermont's generally applicable data breach reporting statute. Accordingly, a breach involving only a name, address, and date of birth would not trigger notice under Vermont's traditional breach reporting statute, but would require a data broker to disclose the incident in its annual registration under this new law.

A data broker that is required to register and fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year.

Prohibitions on Acquisition and Use

Data brokers may not acquire Brokered PI by fraudulent means, and may not acquire or use Brokered PI for the purposes of stalking or harassing someone, committing fraud (including identity theft), or engaging in unlawful discrimination. Noncompliance with this prohibition is considered a violation of the state's Consumer Protection Act that could result in an enforcement action brought by the attorney general for penalties of up to $10,000 per violation, in addition to other relief. A consumer may also bring a private right of action for injunctive relief, damages, and attorneys' fees.

Information Security Program

Data brokers must develop, implement, and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards. The law specifically requires a number of minimum features that closely track the existing requirements of the neighboring Massachusetts regulation (201 CMR 17.00 et seq.), such as ongoing employee training, a means of detecting and preventing security system failures, written security policies, disciplinary measures for violations, and oversight of service providers. Notably, failure to implement and maintain the required information security program constitutes an "unfair and deceptive act" for which the attorney general is authorized to bring an enforcement action. In addition, the attorney general may adopt rules to implement the new security provisions.

Looking Ahead

The Vermont law comes amid growing concern over online privacy and covers a lesser-known part of the data business. It addresses "third-party" data brokers (companies that mine data about consumers with whom they have no direct relationship), but not "first-party" data collection (companies that do have a direct relationship with consumers, such as a social media platform or retailer gathering information about how consumers interact with its own website). The Vermont attorney general is holding hearings on whether the state should next regulate first-party data mining, among other issues.

With that said, the enactment of Vermont's law should not go unnoticed. It is the first statewide regulation of data brokers, and it parallels some of the recommendations the Federal Trade Commission (FTC) made in its landmark 2014 report on the data broker industry, as well as GDPR principles such as consumer transparency, accountability for data brokering companies, and additional protections for minors. (The FTC has urged Congress to regulate data brokers since at least 2012, but nothing came of it before Vermont acted, and Vermont's law arrives nearly eight years after the U.S. Supreme Court's decision in Sorrell v. IMS Health Inc.) Together with recent congressional signals concerning a potential federal privacy law and the passage of the California Consumer Privacy Act of 2018, Vermont's law reflects a trend in data privacy regulation toward heightened scrutiny of businesses that collect, use, and sell consumer data.

Other states may soon follow Vermont in regulating consumer data collection and information security practices, irrespective of the industry in which your business operates. Accordingly, now is the time to review and revise your company's data handling and information security policies and procedures as needed to ensure compliance.

Relevant Deadlines

  • On or before January 31, 2019: Covered "data brokers" must register with the Secretary of State, pay the $100 registration fee, and disclose all requisite information as prescribed under the new law to avoid incurring a civil penalty.

Action Steps

  • Determine if you qualify as a "data broker" under Vermont's new law.
  • Register and disclose all requisite information with the Secretary of State on or before the January 31, 2019 registration deadline.
  • Ensure that you are lawfully acquiring and using Brokered PI in compliance with Vermont law.
  • Develop an information security program and implement appropriate safeguards to protect any Brokered PI that you maintain.

SOUTH CAROLINA – First State to Adopt Breach Notification and Cybersecurity Requirements Based on the NAIC Model Law

On January 1, 2019, South Carolina imposed new breach notification and information security requirements on insurers, agents, and other entities licensed or authorized to operate under the state's insurance laws ("licensees"). These requirements are based on the National Association of Insurance Commissioners' Insurance Data Security Model Law ("NAIC Model Law"); South Carolina became the first state to adopt the model text into law last year as the South Carolina Insurance Data Security Act ("Act"). Although the NAIC Model Law applies only to entities licensed by state insurance regulators, it represents an attempt to establish consistent requirements across multiple states, and South Carolina's enactment is at the forefront of that movement. As more states enact cybersecurity laws, they are likely to follow the NAIC Model Law and the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), which took effect in 2017. Licensees found to be in violation of the South Carolina Act could face monetary fines of up to $30,000 and/or suspension or revocation of their authority to do business in the state.

What Does the Law Require?

Notification of Cybersecurity Events

The Act includes stringent requirements for investigating certain "cybersecurity event[s]" and for notifying the regulator within 72 hours of determining that one has occurred. The clock starts as soon as the licensee determines, after conducting the prompt investigation the Act requires, that nonpublic information in its own systems or in the systems of a third-party service provider was disrupted, misused, or accessed without authorization.

Under South Carolina's law, the definition of a "cybersecurity event" does not include unsuccessful attacks, and it has an encryption safe harbor built in: the unauthorized acquisition of encrypted nonpublic information is not an event if the encryption process or key was not also acquired. The definition also excludes incidents in which the data was never used and has been recovered, as it expressly excludes "an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed." In addition, the term "nonpublic information" is broadly defined to include business information the tampering with or unauthorized disclosure or use of which would cause a "material adverse impact" to the licensee's business, operations, or security; consumer personal information, as defined by enumerated data elements (e.g., Social Security number, driver's license number); and protected health information (PHI). The law requires records of all cybersecurity events to be maintained for five years from the date of the event and to be produced upon demand.

Licensees must notify the director of the Department of Insurance within 72 hours after determining that a cybersecurity event has, in fact, occurred if either:

  • the licensee is domiciled in South Carolina; or
  • the licensee reasonably believes that the nonpublic information of 250 or more South Carolina residents is involved, and either:
    • notice of the event is required to be provided to any other governmental, self-regulatory, or supervisory body; or
    • the event has a reasonable likelihood of materially harming either a South Carolina consumer or a material part of the licensee's normal operations.

Information Security Program

Another part of the law takes effect on July 1, 2019, when licensees must have an incident response plan and must implement and maintain a written information security program ("WISP") based on their own risk assessment and commensurate with the company's size, activities, and the sensitivity of its data assets. Licensees will also need to encrypt nonpublic information stored on portable devices or transmitted over external networks, regularly test their systems, and provide cybersecurity awareness training for employees, among other requirements.

Additionally, the Act establishes "minimum" requirements for boards of directors, which must oversee the development and implementation of the information security program. The board also must require executive management to report to it in writing at least annually on: (1) the overall status of the program and compliance with the Act; and (2) "material matters," including risk assessments, third-party service provider arrangements, testing results, cybersecurity events and responses thereto, and recommended changes to the program.

Oversight of Third-Party Service Providers

By July 1, 2020, each licensee must implement, and thereafter monitor, a third-party service provider program. As part of this program, licensees must exercise "due diligence" (which the Act does not define) in selecting service providers, and must require each provider to implement appropriate security measures to protect the information systems and nonpublic information that the provider holds or can access.

Looking Ahead

South Carolina's new law is a significant development. Other state legislatures are considering similar legislation, and the requirements of this Act (and the NAIC Model Law) will likely be cited in cybersecurity matters beyond the insurance industry. Following South Carolina's example, Rhode Island has introduced a cybersecurity bill based on the NAIC Model Law (Bill 2018–H 7789), and Nevada (Assembly Bill 471) and Vermont (4:4 Vt. Code R. § 8:8-4) have adopted similar measures covering the financial services industry. If South Carolina is any indication, licensees in other states may have as few as 14 months from enactment to implement an information security program. Given the significant amount of work that goes into such a program, licensees may find themselves scrambling when their home state passes similar requirements. The best approach, both to avoid an expensive data breach and to prepare for future regulation, is to stay ahead of the coming wave of cybersecurity regulation and start developing a WISP now.

Relevant Deadlines

  • January 1, 2019: 72-hour breach notification requirement applies to licensees covered under South Carolina's Act.
  • July 1, 2019: Develop and/or update your organizational incident response plan and WISP (if you have not done so already).
  • July 1, 2020: Establish policies and procedures for monitoring the activities of your third-party service providers.

Action Steps

  • Ensure that you have an incident response plan, WISP, and related policies and procedures in place to comply with the 72-hour breach notification requirement.
  • Educate your company's board of directors and executive management team on their respective obligations under the Act and involve them in the compliance process as early as possible.
  • Confirm that executive management can comply with its annual reporting responsibilities to the board of directors.
  • Implement policies, procedures, and processes (and adjust them, as needed) for overseeing your third-party service providers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Sheppard Mullin Richter & Hampton