State Data Security and Breach Notification Laws Flashcards

1
Q

How do state laws, specifically California, address the use of SSNs?

A

California prohibits businesses as well as state and local agencies from using Social Security numbers for a variety of purposes, including public posting, printing on mailings (unless mandated by federal law) and printing on ID or membership cards.

California also prohibits businesses from requiring customers to transmit their Social Security number over an unencrypted internet connection.

2
Q

How does the federal government limit the Treasury’s use of SSNs?

A

The federal government limits the disclosure of Social Security numbers by prohibiting them from being visible through the window of Treasury-disbursed check envelopes.

3
Q

What are common components of Data Destruction laws?

A

Data destruction requirements are often built into data breach laws.

Common elements of data destruction laws describe to whom the law applies, the required notice, exemptions, the covered media and any penalties for noncompliance.

4
Q

What three-fold description does North Carolina use to assess reasonable measures to safeguard information in connection with/after disposal?

A

Companies must demonstrate:
(1) Policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed

(2) Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed

(3) Procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity

5
Q

What deviations from the North Carolina definition of reasonable safeguards during disposal do states employ?

A

California: Requires destruction such that records are unreadable or undecipherable by ANY means

Arizona: Applies only to paper records

Alaska: Applies a right to private action

Illinois and Utah: Applies only to government entities

Massachusetts: Stipulates steep penalties for each instance of improper disposal

New Mexico HB 15: Requires PI be made unreadable by shredding, erasing or otherwise modifying

6
Q

How do California and Virginia regulate the use of cookies and online tracking?

A

Both California and Virginia require companies to obtain opt-in consent before processing personal data. They also require companies to provide users with a privacy policy that allows users to opt-out of targeted advertising.

7
Q

In California, under the CCPA and CPRA, does “personal information” include cookies?

A

Yes, it counts as a unique identifier.

8
Q

In Virginia, what regulations exist surrounding targeted advertising and use of cookies?

A

In Virginia, under the CDPA, users must be able to opt out of targeted advertising and the use of cookies is included in the activities requiring a documented DPA.

In addition, organizations must disclose when AdTech processes include any sales of personal data.

9
Q

What are the main consumer rights and controller obligations under the Colorado Privacy Act (CPA) (2021)?

A

Consumer rights to access, correction, deletion, portability, opt-out

Controller obligations
▪ Transparency, purpose specifications, data minimization, avoidance of secondary use, use of appropriate security precautions during storage and use of data, avoidance of unlawful discrimination, processing sensitive data only with consent, use of data protection assessments and data processing contracts

10
Q

Who enforces the Colorado Privacy Act (CPA) (2021)? Is there a cure period?

A

Attorney general and district attorneys
▪ 60-day cure period (only for the first two years — no longer required after January 1, 2025)

11
Q

What are the key features of the Nevada Privacy Law, and what did the Amendment (SB260) change? (2019/2021)

A

Allows consumers to opt-out of the sale of “covered information” collected through a website or online service
▪ Covered entities must provide consumers with an email address, a toll-free telephone number or an internet website to submit verified opt-out requests
▪ Must disclose whether a third party may collect information about the user’s online activities over time and across websites
▪ SB 260 broadened the scope of the Nevada Privacy Law by adding a data broker category and expanding the definition of “sale”

12
Q

Who does the Utah Consumer Privacy Act (UCPA) (2022) apply to?

A

▪ Enforced by the state attorney general

Affects businesses that
1) Conduct business in the state or produce a product or service that is targeted to consumers who are residents of the state
2) Have more than $25M in annual revenue AND
a) Process personal data on at least 100,000 consumers, OR
b) Derive 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers

13
Q

What are the primary consumer rights under the Utah Consumer Privacy Act (UCPA) (2022)?

A

Consumer rights: Access, deletion, portability, opt out of targeted advertising and sale of personal data
* No private right of action

14
Q

What are the primary business obligations under the Utah Consumer Privacy Act (UCPA) (2022)?

A

Business obligations: Notice/transparency, prohibition on discrimination against consumers who exercise their rights
* 30-day cure period

15
Q

What is the Illinois Student Online Personal Protection Act (SOPPA) (2021)?

A

Places new requirements for data security on school districts, vendors and the Illinois State Board of Education, including specific district and school requirements.

▪ Goals include increased transparency and protection of student data

▪ Includes notification procedures and documentation guidelines, as well as procedures for handling data breaches

▪ Bottom line: Schools cannot sell, rent, lease, or trade student information

16
Q

What are the common elements of state data breach notification laws?

A

Definition of personal information,
definition of covered entities,
definition of security breach,
whom to notify,
when to notify,
requirements,
how to notify,
exceptions and penalties and rights of action.

17
Q

How does Connecticut law define personal information in the event of a data breach?

A

First name or initial and last name in combination with one or more of the following:
▪ Social Security number
▪ Driver’s license number or state identification card number
▪ Or account, credit, or debit card number, in combination with any required financial account security code, access code, or password

18
Q

Who counts as a covered entity under state data breach notification law, and how might this be limited?

A

A covered entity is any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.

Some states limit the definition of “covered entities” to those that conduct business in that state (e.g., Georgia).

19
Q

What is the common definition of a security breach?

A

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

20
Q

What are the various conditions that may affect a state data breach notification (who, when)?

A

Privacy professionals should be aware of the laws in their states as to the minimum number of people affected before notification is required.

State laws regarding data breaches may require third-party notification and notification to the attorney general (AG), as well as specific time requirements and notifications to Credit Reporting Agencies (CRAs).

21
Q

What are the common elements of a state data breach notification?

A

Description of the incident,
the type of personal information subject to the breach,
what the business has done to prevent further unauthorized access,
advice on monitoring accounts and
information on how to contact regulators.

22
Q

Name three standards for determining when to report a state data breach and give example metrics.

A

- Notification to the attorney general within a specified time period: 24 hours, 5 days, 10 days, 30 days, before notifying subjects, after notifying subjects

- Minimum number affected threshold: 250, 500, 1000 state residents

- Notification to Credit Reporting Agencies, minimum number affected: 500, 1000, 5000, 10000 (within or outside residents), entities to coordinate.

23
Q

What is a “reasonable period of time” when it comes to data breach notification? How does law enforcement play a role?

A

Laws recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system”

* Some laws specify an expeditious time limit of 45 days (FL, NM, OH, RI, TN, VT, WA, WI)

  • For most states, “a reasonable period of time” is allowed if a law enforcement agency determines that the notification will impede a criminal investigation and that such law enforcement agency has made a request that the notification be delayed

24
Q

How must states notify subjects of a data breach?

A

Written notice to the data subject is always required first

  • Telephonic and electronic messages are alternatives only if the data subject has previously chosen one as their preferred communication method

25
Q

If states claim an undue financial burden when it comes to notifying data breach subjects, what can they do instead?

A

  • Substitute notification methods for undue financial burden
    o “Substitute notice shall consist of the following: a) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; b) conspicuous posting of the notice on the web site of the person, business or agency if the person maintains one; and c) notification to major state-wide media, including newspapers, radio and television.” (CT)

26
Q

How must states notify the AG and CRAs of a data breach?

A

  • AGs and regulators may be notified via letter or email
    o Specific online forms must be used for this reporting (CA, NY, NC)
  • CRAs have established email addresses to receive breach notification reports

27
Q

What are the three primary exceptions to state data breach notification laws?

A

  • Entities subject to other, more stringent data breach notification laws like the HIPAA Security Rule and the GLBA Safeguards Rule
  • Entities that already follow breach notification procedures as part of their information security policies, if compatible with state law
  • Safe harbor for encrypted, redacted, unreadable or unusable data

28
Q

How does Illinois HB 1260 define personal information in the context of a data breach?

A

Includes usernames and email addresses when combined with information allowing access to a user’s online account (Illinois HB 1260)

29
Q

How does Massachusetts HB 4806 address data breaches?

A

MA law (HB 4806) states consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services

30
Q

What are the key features of the Virginia Consumer Data Protection Act (CDPA)?

A

Similar to WA Privacy Act and CCPA. Took effect Jan 2023.

* Affirmative consent or opt-in requirements to process sensitive personal data
* Right to opt-out of processing related to sales of personal data, targeted advertising and profiling that produces legal or similarly significant effects
* Mandatory data protection assessments for sales, targeted advertising, certain profiling and processing of sensitive data that presents a heightened risk of harm
* Obligation to confirm processing, provide a copy of personal data in a portable format and to correct or delete data upon consumer request