Since the implementation of the European Union’s General Privacy Data Protection Regulation (GDPR) in May 2018, thousands upon thousands of European-based businesses have had to adapt their policies and operational processes to comply with the GDPR’s stringent standards of consumer privacy and security. Violation of the GDPR’s more serious security compliance requirements carries with it the threat of a large fine (up to 20 million Euros) for the offending company. Apart from the purely financial aspect, there is also the loss of credibility that non-compliant businesses must increasingly face.
While the U.S. federal government has not yet enacted such legislation, individual states are implementing a set of compliance requirements. In fact, these state laws may eventually contain more restrictive data brokering standards.
The following information provides details on 11 new state security compliance laws that have been implemented within the last year. It is important to note that each of these compliance requirements can apply to businesses that have any users, subscribers, or clients living within the state in question.
The California Consumer Privacy Act
The CCPA officially goes into effect on January 1st, 2020. As of this writing, it is the most comprehensive piece of data protection/compliance legislation enacted within the United States. What makes the CCPA especially potent is the fact that many tech giants, such as Facebook and Google, are based in California.
Major features of the CCPA include the following compliance requirements:
- Specific consumer requests. Upon request, companies are required to give consumers details regarding what specific data is being collected. Also, which 3rd parties are involved in potential data sharing and the methods used for collecting the information.
- Requested deletion. In most instances, upon consumer request, the business must delete his or her personal information from the company database.
- Equality of service. Under the CCPA, companies must provide equal service and pricing to those consumers that exercise any of their privacy rights outlined by the Act.
Illinois’ Personal Information Protection Act
On May 27th, 2019, the Illinois General Assembly voted to approve an amendment to the Personal Information Protection Act (PIPA). This amendment mandates that a data collecting company must promptly notify the Illinois Attorney General of any data breach. The company must also provide details concerning the nature of the breach, the number of consumers affected, and a description of remedial steps taken to resolve the issue.
The amendment also gives the Attorney General the authority to publish the data collector’s name, the types of information compromised by the breach, and other details deemed necessary to notify and forewarn Illinois residents in a prompt manner.
Maine’s Act to Protect the Privacy of Online Consumer Information
This new piece of legislation will go into effect on July 1st, 2020. One of the Act’s main provisions is the prohibition of any Internet service provider in Maine to pressure a customer into allowing the ISP to sell his or her personal data. This can be either by means of penalties for refusal or discounts for compliance.
Maryland’s Personal Information Protection Act
Maryland’s amended PIPA goes into effect on October 1st, 2019. Indeed, the amendments to this law strengthen data protection standards by means of three features:
- An expanded scope. Businesses that maintain personal information, along with businesses that own or license it, are now covered under this Act.
- Prohibition of breach notification charges. Businesses cannot charge data owners or licensees a fee for them to obtain the necessary information needed for a data breach notification.
- Limits to the usage of breach-related information. Businesses can only use breach-related information for breach notification purposes (including notification of certain information security organizations), and the protection or securing of applicable personal data.
Massachusetts’ Data Breach Notification Law
As of April 11th, 2019, data collectors that handle a Massachusetts resident’s personal information must provide free credit monitoring for 18 months after a data breach. Businesses must provide breach notifications on a “rolling basis” (ongoing internal investigation), and identify third parties that own exposed data. Moreover, companies are required to inform state regulators as to the documentation status of their information security plan.
Nevada’s Senate Bill 220
On May 29th, 2019, Nevada’s governor signed Senate Bill 220 into law. Beginning in October, businesses subject to this legislation are required to allow consumers to opt-out of the sale of their personal data to third parties. Businesses must respond to a consumer’s opt-out request within 60 days. Unlike the CCPA, however, businesses are not yet required to provide a conspicuous notice of the opt-out option.
New Jersey’s A-3245 Bill
As of September 1st, 2019, New Jersey’s A-3245 Bill will expand the scope of the term “personal information” to include usernames, email addresses, passwords, and other security features of a user’s online account. In the event of a data breach, businesses are required to promptly notify New Jersey residents. The notice must include direction to change any affected log-in credentials. If a resident’s email account is breached, the notifying company cannot send a notification to the affected email address.
New York’s Stop Hacks and Improve Electronic Data Security Act
In July 2019, the New York legislature enacted amendments to the state’s data security law. These amendments enhance data breach protection for biometric data, account numbers, credit or debit card numbers with no security code, and personal information. This includes usernames, passwords, email addresses, and questions and answers for authentication purposes.
The definition of a “breach” has been expanded to include unauthorized access of personal protected information. Businesses are required to take proactive steps for the protection of personal data. These steps could include the implementation of a data security training program for employees, regular security audits and modifications, and the prompt deletion of private data that is no longer necessary for business transactions.
Finally, these amendments include an additional one-year extension for the New York Attorney General to bring an action against companies that violate the Act. Now, he has three years to bring an action, instead of two.
Oregon’s Consumer Information Protection Act
Starting January 1st, 2020, Oregon’s CIPA law will extend breach notification requirements to data vendors. Vendors will have a 10-day window in which to notify any contracted “covered entities” of a data breach. The vendors must also notify Oregon’s Attorney General, if the breach affects more than 250 consumers, or if the total number of affected individuals is unknown. (The only exception is if the covered entity previously notified the Attorney General.)
Additionally, CIPA’s definition of “personal information” will now encompass usernames and other personally identifying information used for the purpose of granting access to the consumer’s account.
Texas’ Identity Theft Enforcement and Protection Act
As of January 1st, 2020, new amendments to Texas’ Identity Theft Enforcement and Protection Act (ITEPA) will mandate that businesses notify residents affected by a data breach without “unreasonable delay”. Indeed, this has to be completed no later than 60 days after identifying the breach. If the breach affects more than 250 Texas residents, companies are also required to notify the Texas Attorney General within that 60-day time frame.
Another feature of these amendments is the establishment of a Privacy Protection Advisory Council. It will study data protection and privacy requirements within Texas, other states, and foreign countries. This Council will leverage any insights gained in order to provide higher data protection standards within Texas’ jurisdiction.
Washington’s HB 1071
Washington State’s HB 1071 Bill will go into effect on March 1st, 2020. It will expand the term “personal information” to encompass date of birth, electronic signatures, online login credentials, etc.
Businesses must notify Washington’s Attorney General of data breaches that involve more than 500 Washington State residents. Also, they must provide details about the information that was exposed, a time frame and steps to repair the breach, and a copy of the notice. In addition, the new bill reduces the required notification time frame from 45 days to 30.
Learn More About Security Compliance Requirements
We are entering a brave new era of strict data privacy and security standards. The Cambridge Analytica breach and other recent scandals have made consumers increasingly conscious of the importance of data protection. GDPR compliance has become a necessity for many businesses with a global reach, and will only grow in importance in the years to come. Individual state compliance laws are affording enhanced data protection and privacy for American consumers. Simultaneously, they are putting increased pressure on data brokers and other companies that handle sensitive user information.
With such factors in mind, it is good to consider options for the development and implementation of a comprehensive security compliance strategy. Agile IT can assist you in this endeavor. We have managed security, compliance, and governance for companies within the following sectors:
If you would like to learn more about how we can help you become compliant and stay compliant, reach out to us at Agile IT today for a free quote.