As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the good fortune to sit down with the incomparable Kristie Chon, Chief Privacy Officer at PayPal. Kristie is a highly recognized data ethics expert and proven privacy thought-leader. It is our immense pleasure to share Kristie’s invaluable insights with you. Enjoy!

(more…)

As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with data privacy pioneer JoAnn C. Stonier, Chief Data Officer for Mastercard. JoAnn’s extensive experience in finance, law and technology, coupled with her proven success as Chief Privacy Officer, earned her appointment as Mastercard’s first Chief Data Officer. JoAnn is a highly recognized data and privacy thought-leader, and we’re thrilled to share her invaluable insights with you. Enjoy!

(more…)

As part of our Captains of Privacy Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy evangelist Anne Fealey, Global Head of Privacy for Citi. As a proven leader of privacy and information management, Anne is passionate about privacy, the appropriate uses of personal data and the exciting power of data to do great things. Rather than opposites, Anne views these as aligned principles. And her impressive career path with American Express, Prudential and Citi reflect that. We’re thrilled to share Anne’s invaluable insights with you. Enjoy!

(more…)

One of the many high points of JW Michaels is partnering with the most sought after and talented leaders across a range of industries. Recently, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy icon Orrie Dinstein, Global Chief Privacy Officer at Marsh & McLennan Companies (MMC) and former Chief Privacy Officer at GE Capital. As a proven expert in Privacy and Data Protection Law, Cybersecurity law, Information Governance, Data Analytics, and AI, Orrie shared invaluable insights from his impressive history working with complex organizations in the financial services industry.

(more…)

Guest authors Rita Heimes and J. Trevor  Hughes share their expertise about the rise of privacy and personal data as a job skill. Information privacy practices can promote trust, and in turn enterprises collecting and using data have a fiduciary duty to their customers to use their data ethically and to the customers’ benefit. Heimes and Hughes of IAPP, an International Association of Privacy Professionals, bring invaluable insight on just how valuable information privacy can be to consumers and enterprises.

With the California Consumer Privacy Act deadline fast approaching, we’re thrilled to welcome a relentless advisor of consumer privacy, data security and identity protection, Tracy Shapiro, Partner DLA Piper, as our guest author. Tracy’s insight into privacy protection is invaluable and her article is a must-read for companies and consumers alike.

As the FTC kicks off its hearings on Competition and Consumer Protection in the 21st Century in Washington DC, it is the perfect time to welcome Tim Sparapani, Founder & Principal of SPQR Strategies, PLLC, as our guest author. Prior to launching SPQR Strategies, Tim served as the first Director of Public Policy at Facebook and in recent years has served as the VP of Policy, Law and Government Affairs for the Application Developers Alliance and continues to advise start-up tech companies on a wide range of policy matters. Tim’s insight into privacy and policy are invaluable and his article is a must-read for companies and consumers alike.

The FTC’s Opportunity

Newly-minted Federal Trade Commission Chairman Joseph Simons and the FTC have given the Commission a rare chance; which is the chance to break truly new ground to help consumers with the most pressing privacy problems. The Commission is seeking to replicate the influential hearings from two decades before held by then-FTC Commissioner Bob Pitofsky. Those hearings built a record that guided prudent policymaking and enforcement actions by the Commission in the time since. By holding a series of hearings this fall concerning Competition and Consumer Protection in the 21st Century, the Commission has a chance to step back and rethink its goals with respect to what’s working and what’s not in our economy with respect to technology policy generally and privacy specifically.

My unsolicited advice to the Commission: Go Big and Go Broad!

While the Commission has worked hard to pick meaningful cases for enforcement actions, it’s no secret that the Commission is resource constrained. Given those constraints, the Commission has unfortunately ignored important violations of the law or abuses of consumers’ privacy. It has quite logically chosen to build its privacy and security jurisdiction consent decree-by-consent decree, typically choosing to bring actions against either fraudsters committing egregious violations of the law or the highest profile companies. The former cases are slam dunks, usually quickly resolved for the public’s benefit, and the latter cases — typically targeting the world’s best-known tech companies — are premised on the heretofore correct assumption that the press would broadcast those investigations and consent decrees around the globe so that all other companies would be put on notice about what constitutes a privacy or data security violation.

Those choices were reasonable but they have left too many privacy and security abuses unchecked, keeping consumers too often exposed. A change in direction could and should be inaugurated by these hearings. There’s a ton for the Commission to do as it builds a record for broadening and redirecting its enforcement actions.

Here are some recommendations for the Commission with how to use these hearings.

Broaden the Lens and Broaden the Consumer Benefits

Every company has data so broaden your focus from Uber, Google, Facebook, Amazon, Apple and Microsoft. It’s been true for two decades now; in addition to producing whatever goods and services a business is offering for sale, that business also has consumer data that it collects and that deserves protection. Anyone who doubts this ought to look at the size of the membership — tens of thousands now — of registered members of the International Association of Privacy Professionals. It’s an important signal. Every company has a Privacy Officer now but the problems stemming from data misuse aren’t limited to just traditional tech companies. Since every company has data responsibilities, the FTC cannot always limit its efforts to protect consumers to the same handful of companies that are internationally known tech companies.

If consumers are giving their data to dozens, if not hundreds of companies in any given year, does it make sense to solely, repeatedly focus all efforts of the Commission on just a handful of companies? Don’t consumers deserve protections from misuses of data from all the companies who might obtain their data? If the Commission broadens its focus surely the benefits to consumers will grow commensurately from a broader policing of companies.

Broaden the Review of Harms

Just as every company is now a consumer data engine that needs to be policed, the list of harms to consumers from all those companies is growing and those new harms deserve scrutiny. Everyone truly fears a broader set of harms than the Commission is addressing. A too-careful focus on data security and data breach or ad tech privacy issues misses all the real, emerging threats to consumer data from misuse of consumer data.

New harms are emerging in the digital age. Three examples of these emerging harms prove this point. The Commission ought to take testimony about those harms and take actions to prevent them from harming consumers before those harms from misuse of consumers’ data become commonplace. Data brokers are buying and reselling consumers’ data without providing any recourse to consumers who will have no idea their data has been sold, to which companies it has been sold, or what the potential consequences to them are from those sales. The Commission needs to take action to prevent the misuse of genetic information to prevent people from being insured or employed. Similarly, price discrimination that forces some consumers to pay more than others for the same goods or services deserves scrutiny and action by the Commission.

In short, the FTC has an important opportunity to rethink and reframe the Commission’s efforts in the digital age. If the Commission embraces the opportunity and thinks more broadly, these hearings will have even more consequence for consumers than did those that these hearings were modeled after.

About Tim Sparapani and SPQR Strategies

Founded by Tim Sparapani in 2011, SPQR Strategies is a full-service strategic consulting firm that offers customized, high-quality solutions to a growing list of prominent Fortune 500 companies, including GE, Google, Intuit, Kayak and Syniverse, as well as many startup companies, such as Bytes Media, Caremob, Hero, Koozoo, Quizlet, Spend Consciously, Womply and Xcinex. In addition to many of these multinationals and startups, SPQR advises a leading technology trade association, CALinnovates, as well as two privacy advocacy organizations, the Family Online Safety Institute and World Privacy Forum. Additionally, SPQR previously provided support to the Application Developers Alliance. To learn more visit: http://www.spqrstrategies.com.

With the rapidly moving privacy world and new spotlight on legal, regulatory and ethical considerations, we’re thrilled to welcome privacy veteran Leigh Feldman, Managing Director & Head of US Privacy at Promontory Financial Group, an IBM Company, to weigh in as our guest author. JW Michaels VP of Legal, Lawrence Brown will be joining Leigh live at IAPP KnowledgeNet to continue the conversation on what to expect from organizations moving forward and discuss the skills/experiences candidates need to be ready to move into newly created privacy opportunities.

Privacy in 2019, Moving Beyond Compliance and into Digital Ethics

Privacy and the ethical use of personal information entered the forefront of public consciousness in 2018. With developments like the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as well as the emergence of new threats arising from the collection, use, and sharing of information, the challenges of data processing in today’s information age have never been more apparent.

As organizations continue their digital transformations and expand product and service offerings, those that have robust privacy programs and emphasize ethical data use will achieve greater returns on investments in new technologies, products, and services. The vastly increased penalties under GDPR and greater risk of reputational damage alter the privacy risk analysis, making privacy much more central to good business operations – beyond risk mitigation and regulatory compliance.

We expect organizations will face increasing market and compliance pressures to demonstrate ethical treatment of data as the public and regulators grow more sophisticated in their approach to data privacy issues. Ethical considerations move beyond what is legally or technically possible into questions of morality, bias, discrimination, human rights, and societal harms. The wider and deeper collection of data and deployment of more advanced technologies such as artificial intelligence will continue to be competitive advantages. However, the ability to optimize the collection, use, and sharing of personal information in an expected, appropriate, and ethical manner will emerge as a competitive advantage as well.

Organizations that can be effective and efficient on issues such as transparency, choice, risk assessments, cross-border data movement, and personal data management, including retention and deletion, will be able to more quickly launch new and modified products and processes. Organizations that have more mature privacy programs will be better positioned as trusted information stewards and to reap the economic rewards of the data age.

In response to these rapid changes in the privacy landscape, we believe organizations across multiple industries will need to establish new mechanisms to address emerging digital ethics issues brought about by new methods of collecting, using, and sharing personal information, broader public awareness, and increasing regulatory scrutiny. The result will be a shift in how organizations approach privacy. Beyond just legal compliance, organizations will begin to see their privacy programs as business competencies that must be matured to support customer expectations, innovation, and growth.

ABOUT LEIGH FELDMAN
Leigh Feldman is a managing director at Promontory Financial Group, an IBM Company, where he leads the U.S. privacy practice within the firm’s global privacy and data protection practice group. Leigh has been in the privacy space for over 15 years, advising on all aspects of information collection, use, and sharing. He was previously the chief privacy officer at Citigroup, American Express and Bank of America, and chief privacy counsel at Merrill Lynch.

When looking to make the transition from law firm to a coveted position in-house, or for in-house privacy lawyers looking to distinguish themselves and be considered for more senior positions, being prepared and knowing what company CPOs/Executives look for beyond the resume experience, is key. A recent article written for IAPP by Vice President, Chief Privacy Officer at Adobe Systems, Alisa Bergman offers invaluable insight into the in-house privacy culture and the transferable skills that companies are looking for.

Unlike the law firm style of practice, companies look for candidates who demonstrate business acumen and the ability to interact with various teams and board members. According to If privacy principles are from Venus, then engineering rules are from Mars, Alisa Bergman explains why in today’s GDPR and privacy-inspired world, privacy professionals and software engineers need to find orbital alignment:

Whether you’re a privacy professional or a software engineer, you likely have many stories about the opportunities, challenges, and spirited debates within your organization, particularly in the recent run-up to the EU General Data Protection Regulation. Privacy and engineering teams ultimately share a common goal: to create great customer and user experiences. Getting there, however, can feel like the other team comes from a different planet. To engineers, privacy principles advanced by privacy professionals may appear to come from Venus, while to privacy pros, engineering rules may appear to come from Mars. In today’s GDPR and privacy-inspired world, these teams and their planets must find orbital alignment.

Reflections on the run-up to the GDPR remind us that the journey for all stakeholders hasn’t always been easy. But then again, it’s all about the journey — and looking back, it has been remarkable. Here are some of the consistent challenges both planets face as we learn how to better collaborate to define the privacy and engineering requirements that address the following high-level privacy principles:

• Data minimization and purpose limitation versus big data
• Right to explanation versus “the black box”
• Right to be forgotten versus data deletion
• Data portability versus protecting the secret sauce
• Evangelize your privacy culture and extend your reach
• Follow emerging technical standards
• Embrace agility in a changing, global privacy landscape

To read the full article visit: https://iapp.org/news/a/if-privacy-principles-are-from-venus-then-engineering-rules-are-from-mars/. It is a must-read for anyone looking to improve their career and move up in their department.

About Alisa Bergman
Alisa Bergman is currently Vice President and Chief Privacy Officer at Adobe where she leads the Privacy, Trust & Safety team. Bergman has been a senior executive, global Chief Privacy Officer and law firm partner for the last 20 years. She has deep experience in privacy, data, emerging technologies, advanced advertising strategies, data security and incident response, data governance and information risk management, as well as legislative, regulatory and public policy matters, and government investigations. Prior to joining Adobe, Bergman was Senior Vice President and Chief Privacy Office at Warner Bros. Entertainment Inc. Before coming in-house, she was a law firm partner in three leading privacy practices (DLA Piper, Venable and Dentons) in Washington, DC and Brussels.

We are honored to welcome Chris Cwalina, Global Co-Head of Cyber Risk and Tristan Coughlin, Associate at Norton Rose Fulbright as guest authors. Chris Cwalina and Tristan Coughlin recently joined the Washington D.C office as part of a rebuild and expansion of the Norton Rose Fulbright’s Global Cyber Risk Group.

A Variety of New Data Breach Laws May Significantly Impact Your Business

Guest post by Chris Cwalina and Tristan Coughlin

While many businesses in the U.S. and around the world have been focused on the EU’s General Data Protection Regulation (“GDPR”),  which came into effect on May 25, 2018, many may have missed the steady trend of U.S. states that have busy amending and enacting more onerous data breach notification and security laws.  While there has not been much activity at the federal level, a number of new state data security and privacy laws have been passed or enacted that will impact businesses (some significantly) doing business in the United States.

California made headlines by recently enacting a sweeping privacy law with GDPR –like privacy controls.  The California Consumer Privacy Act of 2018 ( “CCPA”) gives California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, and a lot can happen between now and then in terms of implementing regulations and State AG Guidance, the law will require U.S. companies to implement substantial compliance regimes and make a number of operational changes (including to disclosures and practices).  The CCPA also provides for a private right of action and statutory damages in the event of a data breach.

On the security front, as of March 2018, every U.S. state, as well as District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers or citizens if their personal information is compromised.  Data breach laws are well understood but new state data breach laws are being drafted to more broadly encompass the information covered and specifically mandate security requirements are met.

Below is an overview of recently enacted or amended U.S. data notification and security laws which further demonstrates U.S. states are taking action to protect consumer information.

Alabama(SB 318)

Alabama passed its first data breach notification law which went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form.  The definition of sensitive personally identifying information is expansive and includes health information, as well as username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security.  The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.

Arizona (H.B. 2145)

On April 11, 2018, Arizona’s governor signed H.B. 2154 to amend the Arizona data breach notification law.  The law was effective upon signing and among other things, amends Arizona’s data breach notification law to expand the definition of personal information, refine the time period in which consumers must be notified, and prescribes circumstances when the Attorney General and Consumer Reporting Agencies (CRAs) must be notified.  The key amendment highlights are as follows:

• Definition of Personal information: Arizona’s previous definition of personal information was limited to an individual’s first and last name or first initial and last name and Social Security number, Driver’s License Number or State-Issued ID Number, or financial account number or credit/ debit card number in combination with any required security code, access code or password that would permit access to the individual’s financial account (together and hereinafter the “Core Categories” of personal information). See Rev. Stat. §18-545. The new law broadened the definition of personal information to  include: (1) an individual’s first name or initial and last name in combination with: (a) a private key that is unique to an individual and is used to authenticate or sign an electronic record, (b) an individual’s health insurance identification number, (c) information about an individual’s medical or mental health treatment or diagnosis by a health care professional, (d) an individual’s passport number, (e) an individual’s taxpayer identification number, or (f) unique biometric data used to authenticate an individual when the individual accesses an online account; and (2) an individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.
• Consumer Notification Requirements: Companies and government agencies doing business in Arizona must notify individuals affected by a data breach within 45 days. In addition, the amended law requires the consumer notification to include: (1) the approximate date of the breach; (2) a brief description of the personal information included in the breach; (3) toll-free numbers and addresses for the three largest consumer reporting agencies; and (4) the toll-free number, address and website address for the Federal Trade Commission or any other federal agency that assists consumer with identity theft matters.
• Attorney General (“AG”) and Consumer Reporting Agency (“CRA”)[1] Notification: If more than 1,000 Arizona residents are notified, the AG and CRAs must be notified within 45 days.
• Risk of Harm Analysis: The amended law does not require notification to be made if an independent third-party forensic auditor or a law enforcement agency determines that a security breach has not resulted in or is not reasonably likely to result in a substantial economic loss to affected individuals.
• Potential Penalty: The Attorney General may: (1) impose a civil penalty of up to $500,000 for knowing and willful violations of the law relating to a breach or series of breaches; and (2) recover restitution for affected individuals.

California Consumer Privacy Act of 2018 (A.B. 375)

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, the law will require companies to implement compliance plans similar to those required under the GDPR.  Specifically, the CCPA requires business to disclose to consumers, among other things, the categories and specific types of personal information collected about the consumer, the sources  from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties to whom the personal information is shared.  In addition, the CCPA provides consumers with various GDPR like rights, including but not limited to: (1) the right to access and data portability; (3) the right to opt-out of data sharing; and (4) the right to be forgotten. The CCPA limits private actions by giving the California Attorney General the right to enforce the law, subject to certain exceptions, however, the CCPA does provide for damages in data breach cases of up to $750 per consumer per incident and in proceedings instituted by the Attorney General.  Entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.

Colorado (H.B. 1128)

Effective September 1, 2018, Colorado’s updated data security and breach notification laws will go into effect.   Among other things, the new law establishes data security and disposal requirements and expands Colorado’s state breach notification law. The key highlights are as follows:

Data Security Requirements

• Definition of Personal Identifying Information: The amended law defines personal identifying information as: (1) a Social Security number (“SSN”); (2) a personal identification number; (3) a password; (4) passcode; (5) official state or government-issued driver’s license or identification card number; (5) government passport number; (6) biometric data; (7) employer, student, or military identification number; or (8) a financial transaction device.
• Covered Entities: The data security requirements apply to any person that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation or occupation.
• Disposal Requirements: The amended law requires covered entities that maintain paper or electronic documents ( together “documents”) during the course of business that contain personal identifying information to develop a written policy for the destruction or proper disposal of such papers and electronic documents. Moreover, when the documents are no longer needed, the covered entity must destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying the personal identifying information in the documents to make the information unreadable or indecipherable.
• Data Security Program: The amended law requires covered entities to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
• Data Security and Third Party Contracts: Unless a covered entity agrees to provide its own security protection or the information it disclosed to a third party, the amended law requires covered entities to require third-party service providers implement and maintain reasonable procedures and practices.

Breach Notification Requirements

• Definition of Personal Information: The amended law expands Colorado’s definition of personal information from the Core Categories to include a Colorado resident’s first name or first initial and last name in combination with an individual’s: (1) SSN; (2) student, military, or passport identification number; driver’s license number or identification card number, medical information, health insurance identification number, or biometric data. In addition, the amended definition of personal information also includes a Colorado resident’s: (1) username or email address in combination with a password or security questions and answers, that would permit access to an online account or (2) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
• Notification Time Period: If an investigation determines that the misuse of information about a Colorado resident has occurred, notice must be made not later than 30 days after the date of determination that a security breach occurred.
• Notification Content: The amended law requires the consumer notification letter to include: (1) the estimated date or date range of the security breach; (2) a description of the personal information that was, or reasonably believed to have been acquired; (3) information that the resident can use to contact the covered entity to inquire about the security breach; (4) toll-free numbers addresses, and websites for the consumer reporting agencies; (5) the toll-free number, address, and website for the FTC; and (6) a statement that residents can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. In addition, if the type of personal information disclosed included a resident’s username or email address in combination with a password or security questions and answers, the notice must also advise the consumer to promptly change their password and security question or answer, or to take other steps to protect the online account with the covered entity and all other online accounts for which the individual whose personal information was breached use the same username or email address and password or security question or answer.
• Notification to the Attorney General: Companies must notify the Colorado Attorney General not later than 30 days after the date that a security breach has occurred, if the security breach is reasonably believed to have affected 500 Colorado residents or more.

Iowa (H.F. 2354)

Effective July 1, 2018, Iowa’s new data security law prescribes requirements for the protection of student personal information. The law applies to “operators” of internet sites, online services, online applications, or mobile applications which have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed and marketed for such purposes.  Among other things, the law prohibits the use of students’ information for certain purposes, as well as sets out information security requirements.

• Prohibited Uses of Student Information: Subject to certain exceptions, the law prohibits operators from: (1) engaging in targeted advertising if the information used for targeting is based on information that operator has acquired because of the use of that operator’s applicable site, service, or application; (2) using information gathered by the operator’s internet site, service, or application, to amass a profile of a student; (3) sell or rent a student’s information; and (4) disclosing personally identifiable information about a student.
• Information Security Requirements: Operators are required to implement and maintain security procedures and practices appropriate and consistent with current industry standards and all applicable state and federal laws, rules, and regulations in order to protect student information from unauthorized access, destruction, use, modification or disclosure. In addition, operators are required to delete a student’s information upon request a school or school district.

Louisiana (Act. No. 382)

Effective August 1, 2018, the Louisiana governor enacted amendments to Louisiana’s Database Security Breach Notification Law. The law broadens Louisiana’s data breach notification law and implements new data security requirements. The key highlights are as follows:

• Definition of Personal Information: The Act broadens Louisiana’s definition of personal information from the Core Categories to include a resident of Louisiana’s first name or initial and last name in combination with: state identification card number; passport number; and “biometric data.”
• Notification Time Period: Any entity must notify affected Louisiana residents within 60 days of determining that a security breach occurred.
• Data Security Requirements: Any entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information must implement and maintain reasonable security procedures and practices.
• Data Destruction Requirements: Any entity that conducts business in Louisiana or owns or licenses computerized data that includes personal information must take “all reasonable steps” to destroy or arrange for the destruction of all records with personal information if the records no longer need to be retained. Destruction of records with personal information must occur via shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable.
• Risk of Harm Analysis: If, after a reasonable investigation, the business determines that there is no reasonable likelihood of harm to Louisiana residents, then notification is not required. Such a determination must be documented in writing, with a copy of all supporting documentation, for five years.  This determination must be provided to the Attorney General within 30 days if requested by the Attorney General in writing.

Nebraska (L.B. 757)

Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.

Oregon (S.B. 1551)

Effective June 2, 2018, Oregon implemented updated data breach notification and information security laws. Among other things, Oregon’s laws were amended to expand the scope of those who must provide notice of a security breach and are subject to the information security laws. The key highlights are as follows:

Data Breach Notification Law

• Definition of Personal Information: Oregon amended the definition of personal information to include a consumer’s first name or initial and last name in combination with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”[2]
• Expanded Scope: The amendment expands the scope of those who must provide notice under the data breach law to include those who “otherwise possess[]” personal information. The law was previously limited to those who own or license personal information.
• Notification Requirements: The law has been revised to require notice to affected Oregon residents within 45 days of determining that a security breach occurred.
• Credit Monitoring Services: The amended law prohibits entities offering free credit monitoring or identity theft prevention services from conditioning such services on the person providing a credit or debit card number or accepting any other services the person offers to provide for a fee.

Information Security Law

• Expanded Scope: The law expands the information security law to apply to any entity that “has control over or access to” data that includes a consumer’s personal information. The law was previously limited to entities that “own, maintains or otherwise possess[]” data that includes personal information.
• Security Requirements: The amended law updates various administrative, technical and physical safeguards required to be included in an applicable entity’s information security program.

Vermont (H. 764)

Effective January 1, 2019, a new Vermont law will regulate data brokers. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  Among other things the law requires data brokers to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosure to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

Virginia (B. 183)

Effective July 1, 2018, Virginia’s data breach notification law was amended to require individuals that prepare tax returns on behalf any Virginia individual to notify the Virginia Department of Taxation without unreasonable delay upon the discovery or notification of unauthorized access to an individual’s “return information” if the tax preparer has a reasonable belief that: (1) the information was accessed and acquired by an unauthorized person; and (2) such access or acquisition will cause or has caused, identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld assessments, or tax payments.”

Conclusion

States are actively strengthening their data privacy and security laws and we expect this trend to accelerate. With California’s enactment of the CCPA, we expect more states to follow California’s lead in expanding consumer data privacy rights.  California was the first US state to enact a mandatory breach notification law in 2002 and now all 50 U.S. states have their own breach notification law.  Should history repeat itself, and should the federal government fail to step in and implement comprehensive legislation regarding data breach notification and data security, we anticipate U.S. states will continue to strengthen their data breach notification and security laws in a piecemeal manner -implementing certain requirements that are similar to the CCPA and the GDPR.

Companies should continually reassess the effectiveness of their risk mitigation controls, as well as their written data protection policies and security procedures. In addition, for laws like the CCPA, companies should consider conducting a gap assessment to determine how their existing procedures will need to be revised in order to comply with new state laws.  Because we expect amendments to the CCPA, as well as other enactments of GDPR-like legislation, it is increasingly important to have legal and compliance teams work closely with the business, marketing, and Information Security teams to monitor changes in the regulatory landscape.

[1] The Consumer Reporting Agencies consist of Equifax, Experian and TransUnion.

[2] Oregon previously had a robust definition of personal information which included an individual’s name and:  (1) SSN; (2) driver license number or state identification card; (3) passport number or other identification number issued by the United States; and/ or (4) financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. See Or. Rev. Stat. §646A.602(11)(a).

About the Authors

Chris Cwalina | Global Co-Head of Cyber Risk at Norton Rose Fulbright
Chris Cwalina is the Global Co-Head of the Cyber Risk Group and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations. Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

Tristan Coughlin | Associate at Norton Rose Fulbright
Tristan Coughlin is an associate in the Washington, DC office.Ms. Coughlin focuses her international practice on cybersecurity, data protection, and privacy matters. Ms. Coughlin helps clients navigate the various state, federal and international laws that govern the protection of data, as well as advises clients on data breach preparation and cybersecurity risk management, including but not limited to conducting information security and privacy program assessments and developing and conducting tabletop exercises. Ms. Coughlin also counsels clients in investigating and responding to events compromising information and systems security, working closely with third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She is also well versed in managing any resulting regulatory inquiries that may follow the discovery of a data security incident.

About Norton Rose Fulbright

Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit: http://www.nortonrosefulbright.com/