We are honored to welcome Chris Cwalina, Global Co-Head of Cyber Risk, and Tristan Coughlin, Associate at Norton Rose Fulbright, as guest authors. Chris Cwalina and Tristan Coughlin recently joined the Washington, D.C. office as part of a rebuild and expansion of Norton Rose Fulbright's Global Cyber Risk Group.
Guest post by Chris Cwalina and Tristan Coughlin
While many businesses in the U.S. and around the world have been focused on the EU’s General Data Protection Regulation (“GDPR”), which came into effect on May 25, 2018, many may have missed the steady trend of U.S. states that have been busy amending and enacting more onerous data breach notification and security laws. While there has not been much activity at the federal level, a number of new state data security and privacy laws have been passed or enacted that will impact businesses (some significantly) doing business in the United States.
California made headlines by recently enacting a sweeping privacy law with GDPR-like privacy controls. The California Consumer Privacy Act of 2018 (“CCPA”) gives California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, and a lot can happen between now and then in terms of implementing regulations and State AG guidance, the law will require U.S. companies to implement substantial compliance regimes and make a number of operational changes (including to disclosures and practices). The CCPA also provides for a private right of action and statutory damages in the event of a data breach.
On the security front, as of March 2018, every U.S. state, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has enacted a breach notification law that requires businesses to notify consumers or citizens if their personal information is compromised. Data breach laws are well understood, but new state data breach laws are being drafted to cover a broader range of information and to specifically mandate that security requirements are met.
Below is an overview of recently enacted or amended U.S. data notification and security laws, which further demonstrates that U.S. states are taking action to protect consumer information.
Alabama passed its first data breach notification law which went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form. The definition of sensitive personally identifying information is expansive and includes health information, as well as username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security. The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.
On April 11, 2018, Arizona’s governor signed H.B. 2154 to amend the Arizona data breach notification law. The law was effective upon signing and, among other things, expands the definition of personal information, refines the time period in which consumers must be notified, and prescribes the circumstances in which the Attorney General and Consumer Reporting Agencies (CRAs)[1] must be notified. The key amendment highlights are as follows:
On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”), a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, the law will require companies to implement compliance plans similar to those required under the GDPR. Specifically, the CCPA requires businesses to disclose to consumers, among other things, the categories and specific types of personal information collected about the consumer, the sources from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties with whom the personal information is shared. In addition, the CCPA provides consumers with various GDPR-like rights, including but not limited to: (1) the right to access and data portability; (3) the right to opt out of data sharing; and (4) the right to be forgotten. The CCPA limits private actions by giving the California Attorney General the right to enforce the law, subject to certain exceptions; however, the CCPA does provide for damages in data breach cases of up to $750 per consumer per incident. In proceedings instituted by the Attorney General, entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.
On September 1, 2018, Colorado’s updated data security and breach notification laws will go into effect. Among other things, the new law establishes data security and disposal requirements and expands Colorado’s state breach notification law. The key highlights are as follows:
Data Security Requirements
Breach Notification Requirements
Effective July 1, 2018, Iowa’s new data security law prescribes requirements for the protection of student personal information. The law applies to “operators” of internet sites, online services, online applications, or mobile applications which have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed and marketed for such purposes. Among other things, the law prohibits the use of students’ information for certain purposes, as well as sets out information security requirements.
Effective August 1, 2018, the Louisiana governor enacted amendments to Louisiana’s Database Security Breach Notification Law. The law broadens Louisiana’s data breach notification law and implements new data security requirements. The key highlights are as follows:
Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.
Effective June 2, 2018, Oregon implemented updated data breach notification and information security laws. Among other things, Oregon’s laws were amended to expand the scope of those who must provide notice of a security breach and are subject to the information security laws. The key highlights are as follows:
Data Breach Notification Law
Information Security Law
Effective January 1, 2019, a new Vermont law will regulate data brokers. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Among other things, the law requires data brokers to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosures to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.
Effective July 1, 2018, Virginia’s data breach notification law was amended to require individuals that prepare tax returns on behalf of any Virginia individual to notify the Virginia Department of Taxation without unreasonable delay upon the discovery or notification of unauthorized access to an individual’s “return information” if the tax preparer has a reasonable belief that: (1) the information was accessed and acquired by an unauthorized person; and (2) such access or acquisition will cause or has caused identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”
States are actively strengthening their data privacy and security laws, and we expect this trend to accelerate. With California’s enactment of the CCPA, we expect more states to follow California’s lead in expanding consumer data privacy rights. California was the first U.S. state to enact a mandatory breach notification law in 2002, and now all 50 U.S. states have their own breach notification law. Should history repeat itself, and should the federal government fail to step in and implement comprehensive legislation regarding data breach notification and data security, we anticipate U.S. states will continue to strengthen their data breach notification and security laws in a piecemeal manner, implementing certain requirements that are similar to the CCPA and the GDPR.
Companies should continually reassess the effectiveness of their risk mitigation controls, as well as their written data protection policies and security procedures. In addition, for laws like the CCPA, companies should consider conducting a gap assessment to determine how their existing procedures will need to be revised in order to comply with new state laws. Because we expect amendments to the CCPA, as well as other enactments of GDPR-like legislation, it is increasingly important to have legal and compliance teams work closely with the business, marketing, and Information Security teams to monitor changes in the regulatory landscape.
[1] The Consumer Reporting Agencies consist of Equifax, Experian and TransUnion.
[2] Oregon previously had a robust definition of personal information which included an individual’s name and: (1) SSN; (2) driver license number or state identification card; (3) passport number or other identification number issued by the United States; and/or (4) financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. See Or. Rev. Stat. §646A.602(11)(a).
Chris Cwalina | Global Co-Head of Cyber Risk at Norton Rose Fulbright
Chris Cwalina is the Global Co-Head of the Cyber Risk Group and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations. Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.
Tristan Coughlin | Associate at Norton Rose Fulbright
Tristan Coughlin is an associate in the Washington, DC office. Ms. Coughlin focuses her international practice on cybersecurity, data protection, and privacy matters. Ms. Coughlin helps clients navigate the various state, federal and international laws that govern the protection of data, as well as advises clients on data breach preparation and cybersecurity risk management, including but not limited to conducting information security and privacy program assessments and developing and conducting tabletop exercises. Ms. Coughlin also counsels clients in investigating and responding to events compromising information and systems security, working closely with third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She is also well versed in managing any resulting regulatory inquiries that may follow the discovery of a data security incident.
Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit: http://www.nortonrosefulbright.com/