The original version of this blog, excluding NICE references, was initially published in Lydia de la Torre's Medium Blog. The version below has been extensively edited. The original version can be accessible here.
The year 2019 began with a significant increase in bill introductions at the State level addressing various aspects of informational privacy and cybersecurity compared to previous years.
Legislation of privacy practices of commercial entities, online services or commercial websites, covering legislation related to the privacy of consumer data, including bills related to online privacy, collection of consumers' biometric data, data broker regulation and other miscellaneous consumer privacy issues were introduced /filed in at least 25 states and in Puerto Rico.
We distinguish 3 main pillars: 1 – informational privacy is being redefined in the US with CCPA, 2- data breach bills are becoming more mainstream and defining private information in more broader terms and 3 – there is much less room for flexibility in security practices.
1 - Informational privacy in the US is being re-defined
The California Consumer Privacy Act, signed into law on June 28, 2018 and set to go into effect January 1, 2020 was a factor in the increase of bills introduced and enacted this year. CCPA will drastically change the requirements for handling personal information for California's 39.5 M. It includes a right to opt-out (opt-in for minors) of "data sales" that gives consumers or their authorized agents the ability to direct businesses to stop "selling" their personal information to third parties.
The definition of sale under CCPA could potentially include any transfer of data where the entity transferring the data receives some form of benefit as a consequence of the transfer. Clearly defining the boundary between what constitutes a 'data sale' and what does not will likely take years and will ultimately re-define the way informational privacy is regulated under US law.
2 - Data breach bills in 2019
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. States modify their data breach laws on regular basis. At least 21 states in 2019 considered measures that would amend existing security breach laws. Trends this year include proposals that would:
- Expand definitions of "personal information" (e.g., to include biometric information, email address with password, passport number, etc.).
- Set or shorten the timeframe within which a business must report a breach.
- Require reporting of breaches to the state attorney general.
- Provide for free credit freezes or identity theft protection for victims of data breaches.
The following States enacted modifications to their data breach laws in 2019: Arkansas; Florida; Illinois; Maine; Maryland; New Jersey; New York; Oregon; South Carolina; Utah; Washington. Several bills are still pending and could potentially be enacted in 2019.
3 - The days of allowing flexibility for organizations to implement reasonable security practices may be over.
Both at the Federal level and at the State level there is a trend for more granular security requirements.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, was signed into law on July 25, 2019 amending New York data breach notification law to require covered entities to employ "reasonable" administrative, technical and physical cybersecurity safeguards to protect the private information of New York residents.
- Covered entities include any person or business that owns or licenses private information concerning a New York resident.
- Specific methods for maintaining a reasonable security program include conducting risk assessments to test the sufficiency and effectiveness of the employed safeguards, selecting service providers capable of maintaining appropriate cybersecurity safeguards and requiring those safeguards by contract, disposing of private information within a reasonable amount of time after it is no longer needed for business purposes, designating an employee to coordinate the program and requiring employee training.
- Additionally, the bill will expand the definition of personal information to include biometric information, user-name or email address together with an accompanying password, and account (credit or debit card) numbers without the accompanying password or access code if circumstances permit unauthorized access of the financial account.
Recent FTC consent decrees: TheD-Link Systems FTC settlement and the DealerBuilt settlement continue the current trend towards more detailed specifications for how companies should implement information security programs. That said, the FTC is showing willingness to accept industry standards in determining what constitutes appropriate technical security safeguards.
At NICE, we have made simplifying compliance a cornerstone of our strategy with a unique solution that supports the most stringent requirements of privacy and data security regulations. With the Compliance Center, you can monitor your compliance processes and take corrective and proactive actions on your interactions – whether to provide access, or to limit retention of private information. To learn more about how we can help you with your compliance strategy for privacy and other regulations, click here, or contact us to schedule a demo!
This blog is part of a 2 part piece, click here to read what to expect in 2020!