Flashcards in State Laws Deck (14)
Similar to CalOPPA.
CalOPPA (CA) - What is it?
CalOPPA (CA) - Disclosure Requirements (4)
- categories of PII collected
- types of 3rd parties that data can be shared to
- how site responds to Do Not Track signals
- If other parties can collect PII over time when using the site
Investigative Consumer Reporting Agencies Act - stricter than FCRA; requires written consent and includes a person's "character." Also requires that people can request a copy of the report, and a copy must be provided if adverse action is taken (regardless of whether the copy was requested).
Confidentiality of Medical Information Act - broader definition of contractor than HIPAA (e.g., you're considered a contractor if you made the healthcare software, phone apps with health data, etc.).
AKA Financial Info Privacy Act - limits financial data sharing with 3rd-party partners.
If you store any customer data, you must notify CA residents of breaches.
Do Not Track Law (CA)
Massachusetts Personal Information Security Regulation
All parties that own or license PI of MA residents must encrypt all PI stored on laptops or other portable devices, as well as PI in transit over wireless or public networks.
MA State 201 CMR 17
Most prescriptive breach law in nation.
Establishes minimum PI safeguards for physical and electronic records. Basically, you have to have an ISO-style compliance program and report breaches.
If the breach includes credit/debit #s, the financial institutions must report, too.
TN SB 2005
1st state to require notification of any breach, whether encrypted or not. Original bill exempted encrypted data.
45 days to notify of breach
IL HB 1260
"Personal Info Protection Act," or PIPA
PII = PHI, PI, email, address, passwords, security questions, biometric data
Limits encryption safe harbor if the keys were likely exposed or compromised
CA AB 2828
Requires notification of breached encrypted data, in addition to unencrypted data.