State Data Security and Breach Notification Laws

Question 1

How do state laws, specifically California, address the use of SSNs?

Answer 1

California prohibits businesses as well as state and local agencies from using Social Security numbers for a variety of purposes, including public posting, printing on mailings (unless mandated by federal law) and printing on ID or membership cards.

California also prohibits businesses from requiring customers to transmit their Social Security number over an unencrypted internet connection.

Question 2

How does the federal government limit the Treasury’s use of SSNs?

Answer 2

The federal government limits the disclosure of Social Security numbers through prohibition on having the numbers be visible through the window of Treasury-disbursed check envelopes.

Question 3

What are common components of Data Destruction laws?

Answer 3

Data destruction requirements are often built into data breach laws.

Common elements of data destruction describe to whom the law applies, the required notice, exemptions, the covered media and any penalties for noncompliance.

Question 4

What three-fold description does North Carolina use to assess reasonable measures to safeguard information in connection with/after disposal?

Answer 4

Companies must demonstrate:
(1) Policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed

(2) Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed

(3) Procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity

Question 5

What deviations from the North Carolina definition of reasonable safeguards during disposal do states employ?

Answer 5

California: Requires destruction such that records are unreadable or undecipherable by ANY means

Arizona: Applies only to paper records

Alaska: Applies a right to private action

Illinois and Utah: Applies only to government entities

Massachusetts: Stipulates steep penalties for each instance of improper disposal

New Mexico HB 15: Requires PI be made unreadable by shredding, erasing or otherwise modifying

Question 6

How do California and Virginia regulate the use of cookies and online tracking?

Answer 6

Both California and Virginia require companies to obtain opt-in consent before processing personal data. They also require companies to provide users with a privacy policy that allows users to opt-out of targeted advertising.

Question 7

In California, under the CCPA and CPRA, does “personal information” include cookies?

Answer 7

Yes, it counts as a unique identifier.

Question 8

In Virginia, what regulations exist surrounding targeted advertising and use of cookies?

Answer 8

In Virginia, under the CDPA, users must be able to opt out of targeted advertising and the use of cookies is included in the activities requiring a documented DPA.

In addition, organizations must disclose when AdTech processes include any sales of personal data.

Question 9

What are the main consumer rights and controller obligations under the Colorado Privacy Act (CPA) (2021)?

Answer 9

Consumer rights to access, correction, deletion, portability, opt-out

Controller obligations
▪ Transparency, purpose specifications, data minimization, avoidance of secondary use, use of appropriate security precautions during storage and use of data, avoidance of unlawful discrimination, processing sensitive data only with consent, use of data protection assessments and data processing contracts

Question 10

Who enforces the Colorado Privacy Act (CPA) (2021)? Is there a cure period?

Answer 10

Attorney general and district attorneys
▪ 60-day cure period (only for the first two years — no longer required after January 1, 2025)

Question 11

What are the key features of the Nevada Privacy Law, and what did the Amendment (SB260) change? (2019/2021)

Answer 11

Allows consumers to opt-out of the sale of “covered information” collected through a website or online service
▪ Covered entities must provide consumers with an email address, a toll-free telephone number or an internet website to submit verified out-out requests
▪ Must disclose whether a third party may collect information about the user’s online activities over time and across websites
▪ SB 260 broadened the scope of the Nevada Privacy Law by adding a data broker category and expanding the definition of “sale”

Question 12

Who does the Utah Consumer Privacy Act (UCPA) (2022) apply to?

Answer 12

▪ Enforced by the state attorney general

Affects businesses that
1) Conduct business in the state or produce a product or service that is targeted to consumers who are residents of the state
2) Have more than $25M in annual revenue AND
a) Process personal data on at least 100,000 consumers, OR
b) Derive 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers

Question 13

What are the primary consumer rights under the Utah Consumer Privacy Act (UCPA) (2022) ?

Answer 13

Consumer rights: Access, deletion, portability, opt out of targeted advertising and sale of personal data
* No private right of action

Question 14

What are the primary business obligations under the Utah Consumer Privacy Act (UCPA) (2022) ?

Answer 14

Business obligations: Notice/transparency, prohibition on discrimination against consumers who exercise their rights
* 30-day cure period

Question 15

What is the Illinois Student Online Personal Protection Act? (SOPPA) (2021)

Answer 15

Places new requirements for data security on school districts, vendors and the Illinois State Board of Education, including specific district and school requirements.

▪Goals include increased transparency, protection of student data

▪Includes notification procedures and documentation guidelines, as well as procedures for handling data breaches

▪Bottom line: Schools cannot sell, rent, lease, or trade student information

Question 16

What are the common elements of state data breach notification laws?

Answer 16

Definition of personal information,
definition of covered entities,
definition of security breach,
whom to notify,
when to notify,
requirements,
how to notify,
exceptions and penalties and rights of action.

Question 17

How does Connecticut law define personal information in the event of a data breach?

Answer 17

First name or initial and last name in combination with one or more of the following:
▪ Social Security number
▪ Driver’s license number or state identification card number
▪ Or account, credit, or debit card number, in combination with any required financial account security code, access code, or password

Question 18

Who counts as a covered entity under state data breach notification law, and how might this be limited?

Answer 18

A covered entity is any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.

Some states limit the definition of “covered entities” to those that conduct business in that state- ex, Georgia.

Question 19

What is the common definition of a security breach?

Answer 19

unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

Question 20

What are the various conditions that may affect a state data breach notification (who, when)?

Answer 20

Privacy professionals should be aware of the laws in their states as to the minimum number of people affected before notification is required.

State laws regarding data breaches may require third-party notification and notification to the attorney general (AG), as well as specific time requirements and notifications to Credit Reporting Agencies (CRAs).

Question 21

What are the common elements of a state data breach notification?

Answer 21

description of the incident,
the type of personal information subject to the breach,
what the business has done to prevent further unauthorized access,
advice on monitoring accounts and
information on how to contact regulators.

Question 22

Name three standards for determining when to report a state data breach and give example metrics?

Answer 22

-Notification to the attorney general within a specified time period: 24 hours, 5, days, 10 days, 30 days, before notifying subjects, after notifying subjects

-Minimum number affected threshold: 250, 500, 1000 state residents

-Notification to Credit Reporting Agencies-minimum numbers affected: 500, 1000, 5000, 10000 (within or outside residents), entities to coordinate.

Question 23

What is a “reasonable period of time” when it comes to data breach notification? How does law enforcement play a role?

Answer 23

Laws recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system”

*Some laws specify an expeditious time limit of 45 days (FL, NM, OH, RI, TN, VT, WA, WI)

• For most states, “a reasonable period of time” is allowed if a law enforcement agency determines that the notification will impede a criminal investigation and that such law enforcement agency has made a request that the notification be delayed

Question 24

How must states notify subjects of a data breach?

Answer 24

Written notice to the data subject is always required first

• Telephonic and electronic messages are alternatives only if the data subject has previously chosen one as their preferred communication method

Question 25

If states claim an undue financial burden when it comes to notifying data breach subjects, what can they do instead?

Answer 25

• Substitute notification methods for undue financial burden
  o “Substitute notice shall consist of the following: a) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; b) conspicuous posting of the notice on the web site of the person, business or agency if the person maintains one; and c) notification to major state-wide media, including newspapers, radio and television.” (CT)

Question 26

How must states notify the AG and CRAs of a data breach?

Answer 26

• AGs and regulators may be notified via letter or email
  o Specific online forms must be used for this reporting (CA, NY, NC)
• CRAs have established email addresses to receive breach notification reports

Question 27

What are the three primary exceptions to state data breach notification laws?

Answer 27

Entities subject to other, more stringent data breach notification laws like the HIPAA Security Rule and the GLBA Safeguards Rule

• Entities that already follow breach notification procedures as part of their information security policies, if compatible with state law
• Safe harbor for encrypted, redacted, unreadable or unusable data

Question 28

How does Illinois HB 1260 define personal information in the context of a data breach?

Answer 28

Includes usernames and email addresses when combined with information allowing access to a user’s online account (Illinois HB 1260)

Question 29

How does Massachusetts HB 4806 address data breaches?

Answer 29

MA law (HB 4806) states consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services

Question 30

What are the key features of the Virginia Consumer Data Protection Act (CDPA)?

Answer 30

Similar to WA Privacy Act and CCPA. Took effect Jan 2023.

*Affirmative consent or opt-in requirements to process sensitive personal data
* Right to opt-out of processing related to sales of personal data, targeted advertising and profiling that produces legal or similarly significant effects
* Mandatory data protection assessments for sales, targeted advertising, certain profiling and processing of sensitive data that presents a heightened risk of harm
* Obligation to confirm processing, provide a copy of personal data in a portable format and to correct or delete data upon consumer request