State Data Security and Breach Notification Laws Flashcards
How do state laws, specifically California, address the use of SSNs?
California prohibits businesses as well as state and local agencies from using Social Security numbers for a variety of purposes, including public posting, printing on mailings (unless mandated by federal law) and printing on ID or membership cards.
California also prohibits businesses from requiring customers to transmit their Social Security number over an unencrypted internet connection.
How does the federal government limit the Treasury’s use of SSNs?
The federal government limits the disclosure of Social Security numbers by prohibiting the numbers from being visible through the window of Treasury-disbursed check envelopes.
What are common components of Data Destruction laws?
Data destruction requirements are often built into data breach laws.
Common elements of data destruction laws describe to whom the law applies, the required notice, exemptions, the covered media and any penalties for noncompliance.
What three-fold description does North Carolina use to assess reasonable measures to safeguard information in connection with/after disposal?
Companies must demonstrate:
(1) Policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed
(2) Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed
(3) Procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
What deviations from the North Carolina definition of reasonable safeguards during disposal do states employ?
California: Requires destruction such that records are unreadable or undecipherable by ANY means
Arizona: Applies only to paper records
Alaska: Provides a private right of action
Illinois and Utah: Apply only to government entities
Massachusetts: Stipulates steep penalties for each instance of improper disposal
New Mexico HB 15: Requires PI be made unreadable by shredding, erasing or otherwise modifying
How do California and Virginia regulate the use of cookies and online tracking?
Both California and Virginia require companies to obtain opt-in consent before processing personal data. They also require companies to provide users with a privacy policy that allows users to opt-out of targeted advertising.
In California, under the CCPA and CPRA, does “personal information” include cookies?
Yes, it counts as a unique identifier.
In Virginia, what regulations exist surrounding targeted advertising and use of cookies?
In Virginia, under the CDPA, users must be able to opt out of targeted advertising and the use of cookies is included in the activities requiring a documented DPA.
In addition, organizations must disclose when AdTech processes include any sales of personal data.
What are the main consumer rights and controller obligations under the Colorado Privacy Act (CPA) (2021)?
Consumer rights to access, correction, deletion, portability, opt-out
Controller obligations
▪ Transparency, purpose specification, data minimization, avoidance of secondary use, use of appropriate security precautions during storage and use of data, avoidance of unlawful discrimination, processing sensitive data only with consent, use of data protection assessments and data processing contracts
Who enforces the Colorado Privacy Act (CPA) (2021)? Is there a cure period?
Attorney general and district attorneys
▪ 60-day cure period (only for the first two years — no longer required after January 1, 2025)
What are the key features of the Nevada Privacy Law, and what did the Amendment (SB260) change? (2019/2021)
Allows consumers to opt-out of the sale of “covered information” collected through a website or online service
▪ Covered entities must provide consumers with an email address, a toll-free telephone number or an internet website to submit verified opt-out requests
▪ Must disclose whether a third party may collect information about the user’s online activities over time and across websites
▪ SB 260 broadened the scope of the Nevada Privacy Law by adding a data broker category and expanding the definition of “sale”
Who does the Utah Consumer Privacy Act (UCPA) (2022) apply to?
▪ Enforced by the state attorney general
Affects businesses that
1) Conduct business in the state or produce a product or service that is targeted to consumers who are residents of the state
2) Have more than $25M in annual revenue AND
a) Process personal data on at least 100,000 consumers, OR
b) Derive 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers
What are the primary consumer rights under the Utah Consumer Privacy Act (UCPA) (2022)?
Consumer rights: Access, deletion, portability, opt out of targeted advertising and sale of personal data
* No private right of action
What are the primary business obligations under the Utah Consumer Privacy Act (UCPA) (2022)?
Business obligations: Notice/transparency, prohibition on discrimination against consumers who exercise their rights
* 30-day cure period
What is the Illinois Student Online Personal Protection Act (SOPPA) (2021)?
Places new requirements for data security on school districts, vendors and the Illinois State Board of Education, including specific district and school requirements.
▪ Goals include increased transparency and protection of student data
▪ Includes notification procedures and documentation guidelines, as well as procedures for handling data breaches
▪ Bottom line: Schools cannot sell, rent, lease, or trade student information