14. State Data Security and Breach Flashcards
Recent developments: WA
Washington Biometric Privacy Law (H.B. 1493) (2017)
Governs how biometric information can be obtained and handled for commercial purposes
Recent developments: CA
California Electronic Communications Privacy Act (2015)
Extends California’s due process requirements and privacy protections to electronic information
Recent developments: NV
Nevada SB 538 (2017)
Requires notice for online collection and disclosure of personally identifiable information
Recent developments: IL
Illinois Right to Know Act (2017)
Requires commercial websites or online services that collect PI through the internet about individual customers to notify those customers of certain specified information pertaining to their personal information sharing practices
Recent developments: NY
New York Department of Financial Services Cybersecurity Regulation (2017)
Imposes strict cybersecurity rules on covered organizations including requiring a detailed cybersecurity plan, the designation of a DPO, the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of a reporting system for cybersecurity events
Recent developments: NJ
New Jersey Personal Information and Privacy Protection Act (2017)
▪ Limits the purposes for which retail establishments may lawfully scan a person’s government-issued ID card (e.g., a driver’s license)
▪ Limits what data can be collected from ID cards and how the data can be retained and used
Recent developments: DE
Delaware Online Privacy and Protection Act (2016)
Requires online operators “to conspicuously post a privacy policy identifying the personally identifiable information it collects on users and how it responds to do-not track signals”
Recent developments: VA
The Virginia Consumer Data Protection Act (CDPA)
▪ Signed into law in March 2021 (takes effect January 1, 2023)
▪ Only the second state to enact comprehensive privacy legislation (California was the first)
▪ Draws heavily from the proposed Washington Privacy Act (defeated for the third time in 2021) and includes components similar to the California Consumer Privacy Act
▪ Notable features of CDPA:
• Affirmative consent or opt-in requirements to process sensitive personal data
• Right to opt out of processing related to sales of personal data, targeted advertising and profiling that produces legal or similarly significant effects
• Mandatory data protection assessments for sales, targeted advertising, certain profiling, and processing of sensitive data that presents a heightened risk of harm
• Obligation to confirm processing, provide a copy of personal data in a portable format, and to correct or delete data upon consumer request
State data security: Data destruction- NC
Policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed
Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed
Procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
State data security: Data destruction- CA
Requires destruction such that records are unreadable or undecipherable by ANY means
State data security: Data destruction- AZ
Applies only to paper records
State data security: Data destruction- AL
Applies a right to private action
State data security: Data destruction- IL and UT
Applies only to government entities
State data security: Data destruction- MA
Stipulates steep penalties for each instance of improper disposal
State data security: Data destruction- NM
Requires PI be made unreadable by shredding, erasing or otherwise modifying