State Privacy Laws


What are the penalties for California SB-1?

Violations can lead to statutory damages of $2500 per consumer, up to $500,000 per occurrence - no cap for willful violations.

What happens when the text of an express pre-emption clause is susceptible to more than one plausible reading?

When the text of an express pre-emption clause is susceptible of more than one plausible reading, courts ordinarily "accept the reading that disfavors pre-emption." Thus, generally, express language is needed for a federal law to negate a State's right to create more restrictive legislation.

Massachusetts HB 4806

Requires entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.

What are the basic exceptions to Data Breach Notifications in State law?

1. The most common exception is for entities subject to other more stringent data breach notification laws (e.g., HIPAA, GLBA, etc.).
2. Most states allow exceptions for entities that already follow breach notification procedures as part of their own information security policies.
3. A safe harbor exists for data that was encrypted, unreadable, etc. This motivates organizations to use encryption to protect data. Most states, however, state that this exception does not apply when the decryption key is breached along with the encrypted data.

Massachusetts HB 4806

Amends certain provisions of the state's data breach notification law; will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers. The amendments will enter into force on April 11, 2019.

Data Destruction Laws

At least 32 states have data destruction laws, sometimes incorporated in data breach laws. FTC's Disposal Rule, part of FACTA, contains requirements for proper disposal of consumer reports and information derived from consumer reports.

Tennessee SB 2005

"Breach of system security" is defined to include: (i) Unencrypted computerized data; or (ii) Encrypted computerized data and the encryption key.

California SB-1

California SB-1, also known as the California Financial Information Privacy Act, expands the financial privacy protections afforded under the GLBA.
1. SB1 requires opt-in notice before a financial institution can disclose customer information to nonaffiliated third parties for the marketing of non-financial products and services. [The GLBA requires only opt-out notice in this situation.]
2. Privacy notices may be delivered electronically if they comply with the applicable provisions of "ESIGN". [The GLBA requires that the initial and annual privacy notice be in writing.]

Illinois HB 1260

Effective January 1, 2017, Illinois House Bill 1260 significantly broadened the scope of the state's Personal Information Protection Act. Included in the bill are key provisions that follow trends we identified in 2015 and 2016 as states continue to enact increasingly stringent and complex data breach notification legislation, including amendments that significantly expand the scope of personal information. Illinois HB 1260:
- Expands the definition of personal information to include medical information, health insurance information, certain unique biometric data, and a username or email address in combination with a password or security question and answer
- Requires that the attorney general be notified of a breach in certain circumstances (more below)
- Limits the encryption safe harbor if the encryption key was or is reasonably believed to have been acquired in the data breach

California Online Privacy Protection Act ("CalOPPA")

Enacted in 2003, the California Online Privacy Protection Act ("CalOPPA") requires operators of commercial websites, including mobile apps, that collect personally identifiable information from California residents to conspicuously post a privacy policy that meets certain requirements. This includes Do Not Track amendments.

New Mexico HB 15

Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data.

Is there any federal data breach legislation?

No, but forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.

Can you freely use SSNs?

No. A majority of states have laws limiting businesses' rights to use Social Security numbers. CA law prohibits using SSNs in public posting, printing, or mailing, and printing them on IDs or membership cards. CA also prohibits businesses from requiring customers to transmit their Social Security numbers over an unencrypted internet connection. The federal government has a variety of limits on disclosure of SSNs, including a prohibition on having the numbers be visible through the window of Treasury-disbursed check envelopes.

California AB 2828

Nov. 2017 - A recently amended California state law now requires data breach notifications to be sent to residents when encrypted personal data has been breached. AB 2828 requires businesses and government agencies to notify affected consumers of a breach related to (1) encrypted data and the encryption key; or (2) encrypted data with a reasonable belief that the encryption key can be obtained by a hacker.

California Consumer Privacy Act (CCPA) (2018)

The California Consumer Privacy Act, or CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.

California Electronic Communications Privacy Act (2015)

The California Electronic Communications Privacy Act ("CalECPA"), which took effect on January 1, 2016, while not the first digital privacy legislation in the United States, has been hailed as a landmark victory for digital privacy. The law bars any state enforcement agency from acquiring "electronic communication information" without first obtaining a warrant. The bill defines "electronic communication information" broadly to include private user data such as emails, text messages, and documents stored in the cloud.

New Mexico HB 15

The state of New Mexico has joined 47 other U.S. states in enacting a data breach notification law on April 6, 2017 . . . importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data.

