As we have outlined in prior articles, states such as California, Colorado, and New York are actively implementing regulations that require personal information to be managed with reasonable security.  Like cybersecurity itself, legislation is a dynamic process, and states continue to tweak and add amendments to the existing laws.  We have outlined some of the updates below.

California Consumer Protection Act

Of the forthcoming state-initiated privacy acts, none are more sweeping and encompassing than the California Consumer Privacy Act (CCPA) that will become law on January 1, 2020.  Like Europe’s GDPR, the California set of regulations applies to any company that deals with the personal information of California residents, regardless of where the company is geographically located.  Due to the state’s large population and influence, the legislation could become the template for a nationwide de facto standard.  This is one of the reasons why any company that handles the personal data of U.S. citizens needs to be aware of its requirements.

CCPA gives California citizens proprietorship of their data, allotting them the right to know who is selling their personal data and the ability to opt out of such collections if they wish.  Of course, no legislation is perfect, as any enacted set of regulations is a result of bargaining, concessions, and compromise.  Because CCPA was passed under rushed circumstances last year, politicians are in the process of passing a series of amendments to improve upon it.  Politicians have until September 13 to enact any amendments for them to become effective in 2020.

Active Amendments for CCPA as of June 2019

Below we have outlined some of the amendments that have been passed by the California Assembly.

  • One of the objectives is to better define what “consumer data” is.  AB25 excludes job applicants, employees, agents of a business, and contractors from CCPA. 
  • One concern of CCPA is that consumers who opt out will essentially be getting a free ride, as they will not be trading their personal information for free or reduced-price services.  AB846 would allow businesses to charge higher prices or offer reduced services for customers who exercise their right to opt out.
  • Legislators have realized that there should be limits to the types of personal data that consumers can choose to remove.  AB1146 exempts vehicle information such as VIN, make, model, year, odometer reading as well as the list of previous owners.  AB981 exempts insurance companies from having to comply with delete and opt-out sale requests of personal information that is related to an insurance transaction.  AB846 would exempt loyalty programs, reward programs, and coupons from CCPA.
  • AB1564 is being put through to ease the burden on any business that handles consumer rights requests by expanding the permissible methods by which a consumer-submitted request can be made.
  • Lawmakers are still struggling to define what the concept of “personal data” means as it relates to a data breach.  AB1130 would now expand the definition to include biometric data and government-issued identification numbers.

Current Amendments to 23 NYCRR 500

The New York State Department of Financial Services enacted a set of regulations called 23 NYCRR 500 that requires any registered entity that provides financial services to assess its cybersecurity risk profile and implement a comprehensive plan to mitigate those stated risks.  While the legislation went into effect on March 1 of this year, state lawmakers continue to tweak the enacted legal requirements.  On June 17 the New York State Senate passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to overhaul the state’s current breach notification requirements as well as broaden the scope of protected information and security control requirements.  Some of the most notable SHIELD proposals are outlined below.

  • SHIELD broadens the definition of a data breach to include the unauthorized access to private information by internal employees, thus making the employer liable for such incidents.
  • SHIELD follows the examples of GDPR and CCPA as it applies its breach notification requirements to any entity, regardless of its geographical location, that holds the personal information of New York residents.
  • SHIELD requires any business that owns or licenses the private information of New York residents to implement “reasonable safeguards” to protect that information.
  • SHIELD expands to three years the period in which the New York Attorney General can bring action against a business for alleged violations.
  • An entity that meets the definition of a “small business” is allowed to tailor its information security programs as appropriate for its size.  Larger businesses may be deemed compliant by complying with existing standards such as HIPAA or GLBA.

Current Amendments to Colorado’s HB 18-1128

Colorado recently amended its Colorado Protections for Consumer Data Privacy Law (HB 18-1128) to include the following measures.

  • All entities that maintain, own, or license Personally Identifiable Information (PII) of Colorado residents must take reasonable security measures to protect that information from being compromised.  The term “reasonable” denotes what steps and procedures are appropriate according to the size and operations of the entity.  
  • All applicable entities must implement a written data disposal policy that outlines and requires the appropriate steps necessary to ensure that personal data is properly disposed of or rendered anonymous.  This means that both digital media and paper documents must be made unreadable.  In addition, organizations must accept responsibility for determining when data is no longer necessary to be maintained.
  • All organizations that fall under the law’s jurisdiction must notify Colorado residents if and when their PII is compromised no later than 30 days after the date of breach determination.  The notification must provide a detailed account of the circumstances such as what information was exposed, as well as the date of the occurrence. 

Other States Are Being Active Too

While the actions of California, New York, and Colorado lawmakers attract nationwide attention due to their size and stature, other states are actively creating and adapting their own cybersecurity initiatives.

  • Maryland expanded the scope of businesses covered by its Personal Information Protection Act to include any entity that owns, licenses, or maintains the personal information of its residents.  This and other changes will go into effect on October 1 of this year.
  • Massachusetts made modifications to its data breach notification law that went into effect on April 1 of this year.  The amendment requires businesses to offer complimentary credit monitoring for 18 months if a breach involves a resident’s Social Security number.  Businesses must also disclose the names of any third parties that own data involved in a breach.

Navigating Through Legislative Changes

While large corporations and multi-national businesses have lobbyists to help them press lawmakers to attend to their needs, most businesses are at the mercy of what lawmakers enact.  This means that you need someone who not only stays abreast of the ever-dynamic environment of cybersecurity laws and compliance but understands how they can affect your business as well. 

Let HALOCK help you assess your compliance requirements, risks, and how to establish reasonable safeguards for your organization’s mission, objectives, and social responsibility. Contact us to get started before these privacy laws go into effect.

UPDATE: The California Privacy Law was enforced Jan. 1, 2020