States Implement New Security and Privacy Laws

In the absence of the federal government doing anything useful when it comes to cybersecurity or privacy laws, the states are left to their own devices, producing a patchwork of laws. Here is what they are doing right now. The impact rating is my own.

Illinois SB 1624 – This bill requires businesses that have breaches affecting more than 500 Illinois residents to notify the AG, and the AG is now permitted to publish information about breaches. IMPACT-Low.

Maine LD 946 – This bill stops Maine ISPs from selling customers' data, and from pressuring customers into allowing them to sell that data through either financial penalties or incentives. IMPACT-Low.

Maryland HB 1154 – This law expands the scope of businesses covered by the law, stops a business from charging the data owner for information needed to notify people of the breach, and prohibits businesses from using the information obtained for breach notification for any other, non-breach-related purpose. IMPACT-Low.

Massachusetts HB 4806 – REQUIRES a company to provide breach victims with 18 months of credit monitoring if the breached data includes Social Security numbers. Breach notifications must be provided on a rolling basis to avoid delay, and if the data is owned by a third party, the notice has to identify that party (which means you have to track who owns what data). In addition, businesses must notify state regulators whether they have a written information security program. Since that is already required by the current law, not having one would likely subject you to more legal action. IMPACT-Moderate.

New Jersey S.52 – This law expands the definition of personal information to include email addresses, security questions and other items, adds new requirements to the breach notification letter, and prohibits notification via email if the email information was compromised, adding expense. IMPACT-Moderate.

New York SB 5575B – Adds new categories of data to protect, including biometrics, account, credit and debit card info without a security code, and other information. It exempts businesses from notifying people in cases where an unauthorized person inadvertently discloses the information AND the business finds the breach does not pose ANY financial or emotional harm (how do you decide that?), or where the business has already sent out notifications under other laws. The definition of a breach is expanded to include merely accessing the data. Businesses are also required to take reasonable safeguards to protect data, and "reasonable" is defined to include designating and training employees to implement and oversee the security program, regularly testing the effectiveness of the program, and promptly deleting any data that is no longer used. The AG will now have three years to bring an action against an attacker. IMPACT-High.

Oregon SB 684 – This law expands the scope of covered data and the notification requirements. Effective 1/1/20, vendors will have TEN DAYS to notify a covered entity of a breach. They also have to notify the AG if the breach affects more than 250 people. IMPACT-High.

Texas HB 4390 – This law requires that consumers be notified without delay and within 60 days, and that the AG be notified if the breach affects more than 250 people.

More importantly, it creates a commission to report to the governor after studying laws in the state, in other states and in foreign countries, including recommendations for additional laws. IMPACT-Low, not counting whatever the commission recommends next year.

Washington HB 1071 – Expands the definition of personal information and sets new notification requirements.

Effective 3/1/20, the definition of personal information is expanded to include birthdates, private signing keys, biometric information and other information. Businesses cannot send breach notification by email if the breach included email access information. If the breach affects more than 500 people, the company must notify the AG with specific information. The law also reduces the notification window to 30 days. IMPACT-Moderate.

As you can see, both the requirements and the definitions vary from state to state. Notification windows are shrinking, which is a problem for businesses, and the whole process is complicated and expensive. Businesses need to make sure that they have an attorney available who is knowledgeable in this particular area of the law.

This means that businesses really need to take this seriously. If you can avoid a breach, you can avoid a lot of pain. Source: Data Protection Report.
