December 28, 2015 – In less than a week, a wide variety of new state privacy and data breach laws will go into effect across the country. That’s the good news. The bad news is that Congress continues to move forward with a national data breach law that would preempt all of the state data breach laws. With that said, here is a short rundown of some of the more important legislation passed this year.
California – Several new privacy laws and changes to data breach notification requirements are slated to go into effect in the next week.
The California Electronic Communications Privacy Act will require law enforcement agencies to obtain a search warrant before accessing electronic communications. Federal law only requires a subpoena (a much lower standard) for stored communications more than 180 days old. Note: this law only binds state (not federal) law enforcement agencies.
A.B. 964 defines “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The practical consequence is that the encryption safe harbor in the state’s breach notification law no longer rests on a fixed technique: data protected with a cipher or key length that the field has since abandoned may no longer count as “encrypted,” and a breach of that data would then have to be reported. Companies storing personally identifiable information will therefore have to monitor their encryption standards continually and update them as industry practice changes.
S.B. 34 amends “personally identifiable information” to include license plate data when it can be paired with an individual’s name. Many companies use automated license plate recognition systems in their parking facilities. If that data is stored and associated with an employee or a known visitor, a breach of the data would trigger the state’s data breach notification law. The law only applies to private systems, not to government-operated systems.
A.B. 1116 restricts how TV manufacturers may use the voice recognition data they collect from “connected televisions”. When a TV is connected to the internet and the manufacturer stores voice recognition data, the user must be told about it, and the data can’t be used for advertising. The law has a huge loophole, though. The warning and restrictions only apply to software installed at the time the TV is sold. If the manufacturer updates the software or firmware on the set after the sale, the law doesn’t appear to apply. The same goes for any third-party applications the set’s owner chooses to install.
S.B. 570 changes the rules for data breach notification letters sent to consumers. Letters must be labeled “Notice of Data Breach” and clearly use the following headings for sections in the letter:
· What happened
· What information was involved
· What we are doing
· What you can do
· For more information
Connecticut – Public Act No. 15-142 actually went into effect on October 1st, 2015. It is the first law in the country requiring companies to provide free identity theft prevention services (for at least 12 months) to consumers affected by a data breach. The law also requires data breach notification letters to explain how to place a freeze on your credit file if your data is released in a breach.
The law expands the definition of personally identifiable information to include protected health care information and biometric data such as digitized fingerprints and retinal scans.
Nevada – Assembly Bill 179 is already in effect, although data collectors are exempt from its new requirements until July 1, 2016. It expands the definition of personally identifiable information to include medical and health insurance identification/policy numbers.
New Hampshire – House Bill 322 went into effect in June 2015. It requires the state’s Department of Education to implement procedures to protect teacher and student data from data breaches, and to notify affected students and teachers in the event of a breach.
North Dakota – Senate Bill 2214 expands the state’s data breach notification requirements and now requires companies to notify the state’s Attorney General of breaches involving 250 or more records.
Oregon – Senate Bill 601 makes some major changes to the state’s data breach law.
It expands the definition of personally identifiable information to include digitized biometric data, health insurance policy information and health condition information (including mental conditions).
Additionally, the law requires that the state’s Attorney General be notified of any breach involving 250 or more records.
Rhode Island – Beginning on June 26th, 2016, the new Rhode Island Identity Theft Protection Act of 2015 goes into effect. The law significantly expands the definition of “personally identifiable information,” which will now also include medical insurance account information. It also defines encryption as a transformation of the data using a 128-bit or higher algorithmic process, so companies relying on the encryption safe harbor must use 128-bit encryption or better. Note that this sets a floor on key length only; a 128-bit key is no protection if the key is stored alongside the data or the algorithm itself is broken. Finally, the law expands the definition of a data breach to include “unauthorized access” to unencrypted personally identifiable information.
The law also has some financial teeth. The state can fine companies up to $100 per record for a reckless failure to notify consumers of a data breach and up to $200 per record for a knowing and willful violation of the state’s notification requirements. Breaches of more than 500 records will also need to be reported to the state’s Attorney General.
Washington (state) – House Bill 1078 now requires companies to notify the state’s Attorney General of any breach involving 500 or more records. The law also clearly defines which companies are covered and which are exempt (primarily those already subject to HIPAA notification requirements).
by Jim Malmberg