Consistent with global developments, the landscape of privacy and cybersecurity laws in the United States has been changing rapidly. Data privacy and cybersecurity are regulated at both the federal and state level in the United States, and it is at the state level that many of the major legislative developments have occurred in recent years. Most notably, California recently enacted the most sweeping general privacy standard in the United States. In addition, all 50 states now have data breach notification laws, and those laws have been evolving and growing in scope, with more states expanding the categories of information that trigger notification obligations. States have also moved into regulating other aspects of data privacy and cybersecurity and are increasingly adopting cybersecurity requirements that are much more specific than the usual “reasonable and appropriate” standard. For example, Ohio has passed a law that provides a cybersecurity safe harbor, and Vermont now imposes specific minimum data security requirements on data brokers. These constant changes make effective compliance programs harder to manage, and staying abreast of them is key to maintaining effective cybersecurity and data privacy compliance.
Consumer Privacy Rights
The most significant new law is the California Consumer Privacy Act (“CCPA”), which represents a marked departure from most US privacy laws. The CCPA applies to a wide range of companies doing business in California and to a wide range of consumer information. For example, the law contains a broad definition of “personal information” that covers information that can identify not just an individual consumer but also a particular household; such a definition is broader than the corresponding definition under most US privacy laws and arguably even the EU’s General Data Protection Regulation. The CCPA also differs from most current US privacy laws in its focus on providing consumers with new rights and protections with respect to broad categories of personal information collected about them. For example, under the CCPA, consumers have the right to request that a company disclose the categories and specific pieces of personal information it has collected about them in the past 12 months, what this information is used for, and what third parties have access to it. Companies must also allow consumers to opt out of the sale of their data or to have their data deleted under certain conditions.
The CCPA has already been amended since its initial passage, and further amendments are likely. Further complicating compliance for companies is that other states have been proposing similar—but not identical—statutes that apply to the data of consumers in their states. For example, Washington, New Jersey and New Mexico are proposing or have proposed laws that are similar to the CCPA. The CCPA may prove to be one of the most significant pieces of privacy and cybersecurity legislation in the United States, and it may just be the beginning.
Cybersecurity Safe Harbors
The first of its kind, Ohio’s new Data Protection Act, passed in June 2018, provides a legal safe harbor for companies that implement a cybersecurity program that meets certain requirements. Specifically, the law provides an affirmative defense against tort claims alleging that a personal information data breach was caused by a failure to implement reasonable information security controls. Companies that wish to be protected under the safe harbor must implement cybersecurity measures that reasonably conform to certain governmental or industry cybersecurity frameworks or laws for the protection of personal information. The frameworks cited by the law include the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, various NIST special publications, FedRAMP and ISO 27000, among others. Although the law’s impact is yet to be determined, it is a business-friendly law that may incentivize companies to proactively implement stronger cybersecurity measures.
State Data Breach Notification Laws
Many states have taken steps to enact new data breach notification laws or to amend existing ones. In 2018, Alabama and South Dakota enacted data breach notification statutes—the last two states to do so. Moreover, in recent years, several states—including Arizona, Colorado, Delaware, Louisiana and Oregon—have amended their existing data breach notification statutes. Three trends are evident in these newly enacted and amended statutes.
First, states are generally using broader definitions of personal information in new or amended statutes. For example, Colorado’s amended law now defines personal information to include student, military and passport identification numbers, medical information, biometric data and username or email address in combination with a password or security questions and answers, among other data elements. Other new and amended laws have similarly expanded the categories of information that would trigger notification obligations. For example, several states now require notification if a resident’s health or medical information or biometric data (such as fingerprints and retina scans) are compromised. In addition, states increasingly provide that the breach of a resident’s username or email address and password associated with an account triggers notification obligations.
Second, states are more frequently setting specific time limits within which notification must occur. Many laws still do not specify a notification time frame, instead requiring notification within a reasonable period, such as “as soon as possible and without unreasonable delay.” Several new and amended laws, by contrast, have established specific notification time frames. For example, the newly enacted laws in Alabama and South Dakota require notification within 45 days and 60 days, respectively. With a 30-day time limit, Colorado’s amended law joins Florida in imposing an especially short time frame for mandatory notifications.
Finally, many states now require notification of the state attorney general or other regulatory body in certain circumstances. Some laws only require notification if a certain number of state residents are affected by the breach. For example, Alabama requires notice to the state attorney general if at least 1,000 state residents are impacted by the breach. However, some states have lower thresholds (such as South Dakota with a 250 state-resident threshold) or no threshold at all (such as Indiana, which requires notice to the attorney general in the event of notice to a single state resident).
Vermont Data Broker Legislation
In May 2018, Vermont became the first state to enact legislation regulating personal information data brokers. Effective January 1, 2019, the Vermont law requires data brokers to implement a “comprehensive information security program” with appropriate administrative, technical and physical safeguards to protect consumers’ personal information. Similar to other recent sector-specific laws, the law provides numerous specific minimum requirements for the security program, including regular monitoring, employee training and encryption of certain personal information. The law also requires data brokers to register with the state and to notify authorities of data breaches. In addition, data brokers must provide clear “opt-out” instructions and information on any limitations to such an opt-out right.
California Internet of Things Security Legislation
Impact on Vendor Agreements
With all these changes in laws, you will need to make sure not only that your own systems and processes meet the new requirements, but also that your agreements with vendors who process personal data on your behalf meet them as well. At a high level, this means you will need to make sure that your vendors maintain minimum security requirements, notify you of data breaches and only use your data as necessary to provide the contracted services to you. However, some of these new laws will require further changes to your vendor agreements. For example, the CCPA requires you to contractually prohibit your vendors “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.” You may also need to require your vendors to meet specific security requirements, such as those under the NY DFS Cybersecurity Regulation, or if you are trying to take advantage of the safe harbor under Ohio’s Data Protection Act. It remains critical to keep up to date on further legislative developments; as these last few years have shown, the laws are changing rapidly.