New Data Breach Laws May Significantly Impact Your Business

We are honored to welcome Chris Cwalina, Global Co-Head of Cyber Risk and Tristan Coughlin, Associate at Norton Rose Fulbright as guest authors. Chris Cwalina and Tristan Coughlin recently joined the Washington D.C office as part of a rebuild and expansion of the Norton Rose Fulbright's Global Cyber Risk Group.

A Variety of New Data Breach Laws May Significantly Impact Your Business

Guest post by Chris Cwalina and Tristan Coughlin

While many businesses in the U.S. and around the world have been focused on the EU’s General Data Protection Regulation (“GDPR”),  which came into effect on May 25, 2018, many may have missed the steady trend of U.S. states that have busy amending and enacting more onerous data breach notification and security laws.  While there has not been much activity at the federal level, a number of new state data security and privacy laws have been passed or enacted that will impact businesses (some significantly) doing business in the United States.

California made headlines by recently enacting a sweeping privacy law with GDPR –like privacy controls.  The California Consumer Privacy Act of 2018 ( “CCPA”) gives California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, and a lot can happen between now and then in terms of implementing regulations and State AG Guidance, the law will require U.S. companies to implement substantial compliance regimes and make a number of operational changes (including to disclosures and practices).  The CCPA also provides for a private right of action and statutory damages in the event of a data breach.

On the security front, as of March 2018, every U.S. state, as well as District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers or citizens if their personal information is compromised.  Data breach laws are well understood but new state data breach laws are being drafted to more broadly encompass the information covered and specifically mandate security requirements are met.

Below is an overview of recently enacted or amended U.S. data notification and security laws which further demonstrates U.S. states are taking action to protect consumer information.

Alabama(SB 318)

Alabama passed its first data breach notification law which went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form.  The definition of sensitive personally identifying information is expansive and includes health information, as well as username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security.  The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.

Arizona (H.B. 2145)

On April 11, 2018, Arizona’s governor signed H.B. 2154 to amend the Arizona data breach notification law.  The law was effective upon signing and among other things, amends Arizona’s data breach notification law to expand the definition of personal information, refine the time period in which consumers must be notified, and prescribes circumstances when the Attorney General and Consumer Reporting Agencies (CRAs) must be notified.  The key amendment highlights are as follows:

• Definition of Personal information: Arizona’s previous definition of personal information was limited to an individual’s first and last name or first initial and last name and Social Security number, Driver’s License Number or State-Issued ID Number, or financial account number or credit/ debit card number in combination with any required security code, access code or password that would permit access to the individual’s financial account (together and hereinafter the “Core Categories” of personal information). See Rev. Stat. §18-545. The new law broadened the definition of personal information to  include: (1) an individual’s first name or initial and last name in combination with: (a) a private key that is unique to an individual and is used to authenticate or sign an electronic record, (b) an individual’s health insurance identification number, (c) information about an individual’s medical or mental health treatment or diagnosis by a health care professional, (d) an individual’s passport number, (e) an individual’s taxpayer identification number, or (f) unique biometric data used to authenticate an individual when the individual accesses an online account; and (2) an individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.
• Consumer Notification Requirements: Companies and government agencies doing business in Arizona must notify individuals affected by a data breach within 45 days. In addition, the amended law requires the consumer notification to include: (1) the approximate date of the breach; (2) a brief description of the personal information included in the breach; (3) toll-free numbers and addresses for the three largest consumer reporting agencies; and (4) the toll-free number, address and website address for the Federal Trade Commission or any other federal agency that assists consumer with identity theft matters.
• Attorney General (“AG”) and Consumer Reporting Agency (“CRA”)[1] Notification: If more than 1,000 Arizona residents are notified, the AG and CRAs must be notified within 45 days.
• Risk of Harm Analysis: The amended law does not require notification to be made if an independent third-party forensic auditor or a law enforcement agency determines that a security breach has not resulted in or is not reasonably likely to result in a substantial economic loss to affected individuals.
• Potential Penalty: The Attorney General may: (1) impose a civil penalty of up to $500,000 for knowing and willful violations of the law relating to a breach or series of breaches; and (2) recover restitution for affected individuals.

California Consumer Privacy Act of 2018 (A.B. 375)

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, the law will require companies to implement compliance plans similar to those required under the GDPR.  Specifically, the CCPA requires business to disclose to consumers, among other things, the categories and specific types of personal information collected about the consumer, the sources  from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties to whom the personal information is shared.  In addition, the CCPA provides consumers with various GDPR like rights, including but not limited to: (1) the right to access and data portability; (3) the right to opt-out of data sharing; and (4) the right to be forgotten. The CCPA limits private actions by giving the California Attorney General the right to enforce the law, subject to certain exceptions, however, the CCPA does provide for damages in data breach cases of up to $750 per consumer per incident and in proceedings instituted by the Attorney General.  Entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.

Colorado (H.B. 1128)

Effective September 1, 2018, Colorado’s updated data security and breach notification laws will go into effect.   Among other things, the new law establishes data security and disposal requirements and expands Colorado’s state breach notification law. The key highlights are as follows:

Data Security Requirements

• Definition of Personal Identifying Information: The amended law defines personal identifying information as: (1) a Social Security number (“SSN”); (2) a personal identification number; (3) a password; (4) passcode; (5) official state or government-issued driver’s license or identification card number; (5) government passport number; (6) biometric data; (7) employer, student, or military identification number; or (8) a financial transaction device.
• Covered Entities: The data security requirements apply to any person that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation or occupation.
• Disposal Requirements: The amended law requires covered entities that maintain paper or electronic documents ( together “documents”) during the course of business that contain personal identifying information to develop a written policy for the destruction or proper disposal of such papers and electronic documents. Moreover, when the documents are no longer needed, the covered entity must destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying the personal identifying information in the documents to make the information unreadable or indecipherable.
• Data Security Program: The amended law requires covered entities to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
• Data Security and Third Party Contracts: Unless a covered entity agrees to provide its own security protection or the information it disclosed to a third party, the amended law requires covered entities to require third-party service providers implement and maintain reasonable procedures and practices.

Breach Notification Requirements

• Definition of Personal Information: The amended law expands Colorado’s definition of personal information from the Core Categories to include a Colorado resident’s first name or first initial and last name in combination with an individual’s: (1) SSN; (2) student, military, or passport identification number; driver’s license number or identification card number, medical information, health insurance identification number, or biometric data. In addition, the amended definition of personal information also includes a Colorado resident’s: (1) username or email address in combination with a password or security questions and answers, that would permit access to an online account or (2) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
• Notification Time Period: If an investigation determines that the misuse of information about a Colorado resident has occurred, notice must be made not later than 30 days after the date of determination that a security breach occurred.
• Notification Content: The amended law requires the consumer notification letter to include: (1) the estimated date or date range of the security breach; (2) a description of the personal information that was, or reasonably believed to have been acquired; (3) information that the resident can use to contact the covered entity to inquire about the security breach; (4) toll-free numbers addresses, and websites for the consumer reporting agencies; (5) the toll-free number, address, and website for the FTC; and (6) a statement that residents can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. In addition, if the type of personal information disclosed included a resident’s username or email address in combination with a password or security questions and answers, the notice must also advise the consumer to promptly change their password and security question or answer, or to take other steps to protect the online account with the covered entity and all other online accounts for which the individual whose personal information was breached use the same username or email address and password or security question or answer.
• Notification to the Attorney General: Companies must notify the Colorado Attorney General not later than 30 days after the date that a security breach has occurred, if the security breach is reasonably believed to have affected 500 Colorado residents or more.

Iowa (H.F. 2354)

Effective July 1, 2018, Iowa’s new data security law prescribes requirements for the protection of student personal information. The law applies to “operators” of internet sites, online services, online applications, or mobile applications which have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed and marketed for such purposes.  Among other things, the law prohibits the use of students’ information for certain purposes, as well as sets out information security requirements.

• Prohibited Uses of Student Information: Subject to certain exceptions, the law prohibits operators from: (1) engaging in targeted advertising if the information used for targeting is based on information that operator has acquired because of the use of that operator’s applicable site, service, or application; (2) using information gathered by the operator’s internet site, service, or application, to amass a profile of a student; (3) sell or rent a student’s information; and (4) disclosing personally identifiable information about a student.
• Information Security Requirements: Operators are required to implement and maintain security procedures and practices appropriate and consistent with current industry standards and all applicable state and federal laws, rules, and regulations in order to protect student information from unauthorized access, destruction, use, modification or disclosure. In addition, operators are required to delete a student’s information upon request a school or school district.

Louisiana (Act. No. 382)

Effective August 1, 2018, the Louisiana governor enacted amendments to Louisiana’s Database Security Breach Notification Law. The law broadens Louisiana’s data breach notification law and implements new data security requirements. The key highlights are as follows:

• Definition of Personal Information: The Act broadens Louisiana’s definition of personal information from the Core Categories to include a resident of Louisiana’s first name or initial and last name in combination with: state identification card number; passport number; and “biometric data.”
• Notification Time Period: Any entity must notify affected Louisiana residents within 60 days of determining that a security breach occurred.
• Data Security Requirements: Any entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information must implement and maintain reasonable security procedures and practices.
• Data Destruction Requirements: Any entity that conducts business in Louisiana or owns or licenses computerized data that includes personal information must take “all reasonable steps” to destroy or arrange for the destruction of all records with personal information if the records no longer need to be retained. Destruction of records with personal information must occur via shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable.
• Risk of Harm Analysis: If, after a reasonable investigation, the business determines that there is no reasonable likelihood of harm to Louisiana residents, then notification is not required. Such a determination must be documented in writing, with a copy of all supporting documentation, for five years.  This determination must be provided to the Attorney General within 30 days if requested by the Attorney General in writing.

Nebraska (L.B. 757)

Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.

Oregon (S.B. 1551)

Effective June 2, 2018, Oregon implemented updated data breach notification and information security laws. Among other things, Oregon’s laws were amended to expand the scope of those who must provide notice of a security breach and are subject to the information security laws. The key highlights are as follows:

Data Breach Notification Law

• Definition of Personal Information: Oregon amended the definition of personal information to include a consumer’s first name or initial and last name in combination with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”[2]
• Expanded Scope: The amendment expands the scope of those who must provide notice under the data breach law to include those who “otherwise possess[]” personal information. The law was previously limited to those who own or license personal information.
• Notification Requirements: The law has been revised to require notice to affected Oregon residents within 45 days of determining that a security breach occurred.
• Credit Monitoring Services: The amended law prohibits entities offering free credit monitoring or identity theft prevention services from conditioning such services on the person providing a credit or debit card number or accepting any other services the person offers to provide for a fee.

Information Security Law

• Expanded Scope: The law expands the information security law to apply to any entity that “has control over or access to” data that includes a consumer’s personal information. The law was previously limited to entities that “own, maintains or otherwise possess[]” data that includes personal information.
• Security Requirements: The amended law updates various administrative, technical and physical safeguards required to be included in an applicable entity’s information security program.

Vermont (H. 764)

Effective January 1, 2019, a new Vermont law will regulate data brokers. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  Among other things the law requires data brokers to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosure to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

Virginia (B. 183)

Effective July 1, 2018, Virginia’s data breach notification law was amended to require individuals that prepare tax returns on behalf any Virginia individual to notify the Virginia Department of Taxation without unreasonable delay upon the discovery or notification of unauthorized access to an individual’s “return information” if the tax preparer has a reasonable belief that: (1) the information was accessed and acquired by an unauthorized person; and (2) such access or acquisition will cause or has caused, identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld assessments, or tax payments.”

Conclusion

States are actively strengthening their data privacy and security laws and we expect this trend to accelerate. With California’s enactment of the CCPA, we expect more states to follow California’s lead in expanding consumer data privacy rights.  California was the first US state to enact a mandatory breach notification law in 2002 and now all 50 U.S. states have their own breach notification law.  Should history repeat itself, and should the federal government fail to step in and implement comprehensive legislation regarding data breach notification and data security, we anticipate U.S. states will continue to strengthen their data breach notification and security laws in a piecemeal manner -implementing certain requirements that are similar to the CCPA and the GDPR.

Companies should continually reassess the effectiveness of their risk mitigation controls, as well as their written data protection policies and security procedures. In addition, for laws like the CCPA, companies should consider conducting a gap assessment to determine how their existing procedures will need to be revised in order to comply with new state laws.  Because we expect amendments to the CCPA, as well as other enactments of GDPR-like legislation, it is increasingly important to have legal and compliance teams work closely with the business, marketing, and Information Security teams to monitor changes in the regulatory landscape.

[1] The Consumer Reporting Agencies consist of Equifax, Experian and TransUnion.

[2] Oregon previously had a robust definition of personal information which included an individual’s name and:  (1) SSN; (2) driver license number or state identification card; (3) passport number or other identification number issued by the United States; and/ or (4) financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. See Or. Rev. Stat. §646A.602(11)(a).

About the Authors

Chris Cwalina | Global Co-Head of Cyber Risk at Norton Rose Fulbright
Chris Cwalina is the Global Co-Head of the Cyber Risk Group and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations. Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

Tristan Coughlin | Associate at Norton Rose Fulbright
Tristan Coughlin is an associate in the Washington, DC office.Ms. Coughlin focuses her international practice on cybersecurity, data protection, and privacy matters. Ms. Coughlin helps clients navigate the various state, federal and international laws that govern the protection of data, as well as advises clients on data breach preparation and cybersecurity risk management, including but not limited to conducting information security and privacy program assessments and developing and conducting tabletop exercises. Ms. Coughlin also counsels clients in investigating and responding to events compromising information and systems security, working closely with third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She is also well versed in managing any resulting regulatory inquiries that may follow the discovery of a data security incident.

About Norton Rose Fulbright

Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit: http://www.nortonrosefulbright.com/