As organizations exponentially add third parties to their ecosystem, new privacy and security regulations have made it clear that businesses must know the security posture of their third parties. This includes having a clear understanding of the data security controls they have in place.
2018 brought more privacy and security regulations to the headlines, and the United States felt the pressure to mature their privacy and security practices. Individually, states reacted by creating laws or amending existing regulations to keep up with the global speed of privacy and security. Three areas receiving the most attention are breach notifications, consumer protection, and security practices.
Let’s take a look some highlights of passed or amended privacy and security-related laws in the past year:
In late February, Nebraska amended the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act to include the following:
Individuals or companies who own or possess computerized personal information:
(1) must implement and maintain reasonable security procedures and practices to secure that data; and (2) must ensure that any third-party vendors that have access to the personal information contractually agree to implement appropriate security procedures and practices to protect that information.
As the second to last state to enact a breach notification law, South Dakota finally joined the 21st century in security practices. The law defines personal information and protected information, breach notice requirements, and penalties of fines up to $10,000 per violation.
The Oregon legislature voted to broaden the scope of its existing Breach Notification Law. Additionally, reporting requirements were strengthened to “no later than 45 day and without delay.”
A separate amendment was made to Oregon’s Information Security Law. Once again, the scope was adjusted and now includes those who have control and access to personal data. The added data security controls requirement addresses many industry best practices such as, risk assessments, access reviews, hardening standards and more.
In March, Iowa enacted a law that specifically protects the information of students from kindergarten through 12th grade. This legislation requires internet sites, online services, online applications and mobile applications to implement and maintain security practices while prohibiting the sale of a student’s personal information.
Alabama became the last state to enact a breach notification law with The Alabama Data Breach Notification Act of 2018. In addition to breach notification requirements, the law includes “reasonable security measures” organizations who handle personal information must follow.
Thanks to Alabama, now all 50 states have some form of a breach notification law.
In April 2018, Arizona strengthened its current breach notification law to include a new definition of personal information, new timelines requirements, and new notification requirements. Additionally, increased the maximum penalty for willful violation from $10,000.00 to $500,000.00 per breach.
Colorado unanimously passed the Protections for Consumer Data Privacy Act on May 29, 2018, only four days after the implementation of the European Union’s trendsetting General Data Protection Regulation (GDPR). This Law applies to businesses and government entities who possess the personal information of Colorado residents. Details of the bill include policy and breach notification requirements, as well as safeguards to protect the information they store.
Vermont led the way in May 2018 by enacting the 2018 Data Broker Regulation, which aims to protect consumers from the faulty security practices of data brokers. This legislation requires that data brokers adhere to strict security practices to prevent the unauthorized access of consumer data.
Changes to Louisiana’s Database Security Breach Notification Law came in June. These included an update to the definition of personal information; breach notice requirements; and data security and destruction provisions. The data security and destruction provisions outline “reasonable security measure” to define best practices for organization’s who handle personal information to follow.
The California Consumer Privacy Act (CCPA) was passed and signed into law on June 28. Under CCPA, California residents will have more rights regarding how organizations use their personal information. Consequently, organizations who violate CCPA are subject to civil fines for negligence, up to $2,500.00 per violation, and intentional violations, up to $7,500.00 per violation.
The regulation has been widely recognized as the most mature in the U.S. and closest related to the GDPR.
For the second year in a row, Virginia has amended their breach notification legislation. These changes alter the scope of the law to include income tax information and hold the preparers accountable to the Department of Taxation if a breach occurs.
South Carolina added new breach notice provisions for insurance companies to their Breach Notification Law. Now, insurance companies have industry-specific requirements of prompt notification and preventative security measures that mirror those of National Association of Insurance Commissioners.
What’s to Come in 2019
This year, New York, Utah, and Washington have already proposed bills that create or build on existing regulations around security and data protection. As breaches that affect consumers continue to make the headlines, I expect more states will get on board. Strengthening your data security controls now will prevent you from being rushed at a later date.
Please stay informed. It’s important to know in which states your organization does business and to keep up-to-date on which laws apply to you.
Welcome to 2019, the year of consumer protection.
LEAD PRIVACY ANALYST