First Europe, Now the States: Big Changes Coming to State Data Privacy Laws

With legislative activity last month in Louisiana, South Carolina, Vermont, and Colorado adding to activity in South Dakota, Arizona, Oregon, and Alabama earlier in the year, it appears that 2018 could be a significant year for state information privacy law reform. Much has been predicted in this area following the enactment in 2017 of significant regulations in New York and the passage of substantial amendments to a statute in Illinois, both of which were aimed at protecting against data breaches. We have previously reported on exactly this type of change in state law. The next wave is clearly underway. Even California is getting in on the action.

This recent activity demonstrates trends in major areas of cybersecurity law. And some of this activity has been first of its kind—possibly indicating analogous activity to follow in other states. We provide here an overview of this recent activity and will report in further posts as there are more developments.

South Carolina Insurance Industry Data Security Law

On May 14, South Carolina passed H4655, the South Carolina Insurance Data Security Act. The passage of this law makes South Carolina the first state to impose comprehensive data security requirements on the insurance industry. It also makes South Carolina the first state to closely adopt the Insurance Data Security Model Law drafted by the National Association of Insurance Commissioners in 2017. Some highlights:

  • The law requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program for protection of nonpublic information within six months of the compliance date.
    • Nonpublic Information includes: social security numbers; driver’s license or other non-driver identification number; account numbers; credit or debit card numbers; security code, access code, or password that would permit access to a consumer’s financial account; biometric records; certain health and medical information; and, certain business-related information.
  • There are no requirements as to the exact details of cybersecurity programs; however, the entity’s information security program must be proportionate to the risks identified through its risk assessment.
    • The risk assessment must identify reasonably foreseeable threats to nonpublic information, the likelihood and potential damage, and the sufficiency of policies, procedures, and other safeguards.
      • This risk assessment must be performed at least annually.
      • The entity must also evaluate the risk to non-public information held by third-party service providers, who in turn must be selected through due diligence and required to implement appropriate measures to protect non-public information.
    • The law suggests features of cybersecurity programs, but it does not require that they be adopted in the entity’s program.
  • The law requires a written cybersecurity incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises nonpublic information in the entity’s possession, the entity’s information systems, or the continuing functionality of any aspect of the entity’s business or operations.
    • The plan must address seven required aspects of an incident response plan.
  • The law overall requires boards of directors to oversee the security program.
  • The law also requires certain procedures be followed in the case of a cybersecurity event—including a requirement to notify the Commissioner within 72 hours (among other potential entities later in time) after determining that a cybersecurity event has occurred and further requirements of the details of the information provided within the notice.

The passage of this law regulating data privacy within the insurance industry is clear precedent for similar laws to follow in other states. Much of the language was pulled directly from model legislation proposed by a national organization. Accordingly, other states may follow shortly, and those potentially subject to the requirements of the law should pay close attention to these developments.

Vermont Data Broker Law

On May 22, Vermont passed House Bill 764, An Act Relating to Data Brokers and Consumer Protection. This law is a first-of-its-kind law imposing restrictions on data brokers, i.e. companies that deal in the personal information of consumers. This law includes transparency requirements as well as requirements regarding minimum levels of security in the process by which data brokers deal in this information.

  • The law defines a data broker broadly as a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
    • Brokered personal information includes: name; address; date of birth; place of birth; mother’s maiden name; unique biometric data; name or address of a member of the consumer’s immediate family or household; social security number or other government-issued identification number; or, other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
    • Examples of a direct relationship with a business include if the consumer is a past or present customer, employee, investor, or donor.
    • There are further carve-outs for types of businesses that are explicitly excluded from qualifying as data brokers.
  • Data brokers must pay a $100 annual fee to register with the state and must further disclose to consumers the data that is collected and provide clear instructions for consumers to opt out of having their data collected if such an option is provided.
  • All data brokers must implement a comprehensive information security program, communicated to authorities, which contains certain enumerated features and technical safeguards.
    • This includes certain minimum computer system security requirements.
  • The law grants authority to the Vermont Attorney General’s office to enforce the provisions of the law.

The law is unique in its particular application to data brokers and also in the way in which it imposes specific minimum requirements for maintaining information security programs. These unique features have potential implications far beyond Vermont. Not only is the law potential precedent for further legislation in other states (such as similar provisions within the proposed California Consumer Privacy Act, which is likely to be up for a vote as a state ballot initiative in the fall), but it also directly implicates entities qualifying as data brokers operating in other states who may not be fully aware of whether the data in which they are dealing originated with a Vermont resident.

Louisiana Amendments to Database Security Breach Notification Law

On May 20, Louisiana also signed into law Act 382 (Senate Bill No. 361), which includes amendments to the Database Security Breach Notification law. This bill preceded the enactment shortly thereafter of significant amendments to the Colorado data breach notification law—including amendments to many of the same type of provisions.

  • The definition of personal information now includes: a state identification card number; passport number; and biometric data, where such is data generated by automatic measurements of an individual’s biological characteristics such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account.
  • Any person that conducts business in the state or owns or licenses computerized data that includes personal information must implement particular policies for dealing with personal identifying information.
    • These entities must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
    • And these entities must take all reasonable steps to destroy or arrange for the destruction of the records within their custody or control containing personal information that is no longer to be retained by the person or business, by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
  • The timeline for reporting data breach events has also changed to impose a 60-day limit on reporting events after the date of determining that a security breach has occurred.
  • Substituted notification can now also be provided where providing notification would exceed $100,000 in cost or would require notifying more than 100,000 affected residents.

This law demonstrates a growing trend toward states strengthening their data breach notification laws. Particularly with regard to provisions that impose mandatory timelines on reporting data breaches, expand the scope of data that qualifies as personal identifying information, and require entities storing personal data to have in place plans for preventing data breaches, there are likely to be further amendments across different states in coming months.

Colorado Consumer Personal Information Protection Law

On May 29, Colorado signed into law House Bill 18-1128, An Act Concerning Strengthening Protections for Consumer Data Privacy. This bill imposes some of the most stringent requirements yet on entities that store and collect the personal identifying information of residents of Colorado.

  • The definition of personal information now includes: student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; and, biometric data.
  • Any entity that maintains, owns, or licenses personal identifying information of a Colorado resident must implement particular policies for dealing with personal identifying information.
    • They must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
    • They must require any third party service providers with access to personally identifying information provided by the covered entity to also take measures that are appropriate to the nature of the personal identifying information disclosed and reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
    • And they must maintain paper or electronic documents during the course of business that contain personal identifying information and must develop a written policy for the destruction or disposal of such information once such documents are no longer needed.
  • The timeline for reporting data breach events has also changed to impose a 30-day limit on reporting events after the date of determining that a security breach has occurred.

This bill further represents ongoing efforts at the state level to augment and strengthen protections for consumer data privacy—by adding additional requirements on businesses that deal with protected personal data. These recent changes supplement the mosaic of state data privacy protection laws. In particular, the provisions of this bill—especially in conjunction with those in the Louisiana legislation—show increased state interest in closely regulating the means by which personal data is stored and protected—rather than simply imposing requirements and penalties for breach events.
