Ch. 7 - State Privacy, Security, and Data Breach Notification Laws Flashcards

Question

Social Security Number (SSN)

Answer 1

The most sensitive information for individuals in the U.S., the digitization of consumer finance has resulted in an increased use of SSNs. Possession of an SSN is widely used as proof of identity. Organizations now need to purse unnecessary stores of SSNs and protect SSNs they still need.

Answer 2

Requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do. 1. Builds upon the federal electronic communications privacy act. Places restrictions on state law enforcement in two different ways: o Access to Service Provider Records – requires a search warrant or court order in criminal cases; requires a subpoena in noncriminal cases o Access to Electronic Devices – requires a search warrant, wiretap order, consent of the customer, or certification of an emergency situation o CalECPA only applies to California law enforcement agencies, not federal agencies operating in CA

Answer 3

Summary: Requires any website collecting PII must post and comply with the regulation by conspicuous posting (on the homepage or with a link with the word “privacy”. Must be reasonable accessible to users. o The policy must identify PII collected and third parties whom the site shares PII. o Disclose handling of “do not track requests” o Describe policy change notification procedures eBook providers are prohibited from sharing information about users without appropriate legal process. Prohibited Advertising to Children – the prohibited categories include alcohol/drugs, firearms or fireworks, tanning, dietary supplements, tanning, lottery/gambling, body modifications, sexual materials Detail: Effective January 1, 2016, provides strong online privacy protection for the residents of Delaware. The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violation of the law.

Answer 4

o Websites must post privacy policies o eBook providers must safeguard user information o Websites targeting children must restrict advertising.

Answer 5

Requires website owners to post privacy notices. Applies to any website operators who collect and maintain PII of Nevada residences. Organizations who do not meet this requirement are fined $5,000.

Answer 6

o Categories of information and third-party partners o Describe process to review and correct records, if available o Describe notification process for policy changes o Disclosure use of third-party tracking services o Include an effective date.

Answer 7

Proposed protections for personal information collected by websites. Failed to reach a vote. Even though it did not pass, it’s noteworthy for the exam to know that it provided the first private right of action to civilians who felt their privacy was harmed by an organization

Answer 8

Regulates the scanning of identification cards. For the purposes of the law, scanning applies to any type of electronic reading of the card. Retail can only scan cards for 8 purposes: o Verify the authenticity of the card or identity of card holder o Verify the age for age-restricted purchases o Prevent fraud for refunds or exchanges o Open or manage a credit account or transaction o Establish or maintain a contractual relationship o Meet obligations under federal or state law o Transmit information to a financial institution o Meet obligations under HIPAA. • Data for age or authenticity cannot be retained. • Information retained must be reported. • Retailers are prohibited from selling and otherwise using this information. • NJPIPPA includes a private right of action and allows fines of up to $5,000.

Answer 9

Biometrics are an important security control used to protect sensitive data. 1. Biometric Identifier – data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual 2. The law excludes photos, video recordings and audio recordings 3. Enrollment requirements: o Notice o Consent o Mechanism preventing commercial use 4. The law limits sharing biometric information with third parties unless consent, required by law, or to a contracted third-party consistent with the law 5. Maintenance requirements: o Protect against unauthorized access o Dispose when not needed o Only used as disclosed when it was obtained

Answer 10

Regulates banks, insurance companies, and other FSI providers operating out of NY. Cybersecurity regulation applies to all covered entities regulated by DFS. 1. Requires that all covered entities must implement a risk-based cybersecurity program 2. Covered entities must also implement a written cybersecurity policy 3. Designate a chief information security officer (CSISO) who provides a written report to the board. 4. DFS Cybersecurity Controls

Answer 11

``` o Penetration testing o Vulnerability assessment o Audit trail o Access privileges o Application security o Risk assessments o Multi-factor authentication o Encryption o Incident response plan o Secure disposal ```

Answer 12

a person’s first name or first initial and their last name when combined with their social security number, driver’s license number or state identity card number, or financial account number, credit card number, or debit card number in combination with a security code of password.

Answer 13

Unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable

Answer 14

Most states use generic language (i.e. “unreasonable delay”) Others have specific days (30, 60, or 90)

Answer 15

Most states do not allow a private right of action. (Only AG can bring forward a suit).

Answer 16

i. Passed in 2016 ii. Changes: 1. Defined personal information to include encrypted data 2. Shortened the notice period to 14 days 3. Extended definition of a data breach to unauthorized access by an employee of information to be used for an unlawful purpose

Answer 17

1. Expanded PI to include health records, biometric data, and usernames/passwords to the scope of the law 2. Requires notification of AG for HIPPA breaches 3. Removes encryption safe harbor if encryption key was breached

Answer 18

1. Removes encryption safe harbor if encryption key was breached 2. Allows delayed notification at the request of law enforcement 3. Creates specific content and format requirements for breach notices

Answer 19

1. One of the last to pass a data breach notification law 2. Includes biometric information in scope 3. Requires AG notification if more than 1,000 new Mexicans are affected 4. Exempts GLBA and HIPPA covered entities 5. Includes secure data storage and disposal

Answer 20

1. Requires credit monitoring services for breaches involving SSNs

Answer 21

C. Is enforced by the California Attorney General and allows for a private right of action

Answer 22

Similar to CalOPPA. Must post privacy policy if working with kids, and can't use PII to market alcohol, tobacco, tattoos, fireworks, piercings, etc to kids.

Answer 23

1st law in nation to include websites, including mobile apps, to conspicuously post a privacy policy if they collect PII from CA residents. 2013

Answer 24

Must disclose: - categories of PII collected - types of 3rd parties that data can be shared to - how site responds to Do Not Track signals - If other parties can collect PII over time when using the site

Answer 25

Investigative Consumer Reporting Agencies Act- stricter than FCRA, requires written consent and includes a person's "character." Also requires that people can request a copy of the report, and a copy must be provided if adverse action is taken (regardless of whether you requested the copy)

Answer 26

Confidentiality of Medical Information Act- broader definition of contractor than HIPAA (eg, you're considered a contractor if you made the healthcare software, phone apps with health data, etc)

Answer 27

AKA Financial Info Privacy Act- limits financial data sharing to 3rd party partners

Answer 28

If you store any customer data, you must notify CA residents of breaches.

Answer 29

All parties that own or license PI of MA residents must encrypt all PI stored on laptops or other portable devices, as well as in transit when wireless or public networks.

Answer 30

Most prescriptive breach law in nation. Establishes minimum PI safeguards for physical and electronic records.Basically have to have an ISO-style compliance program and report breaches. If the breach includes credit/debit #s, the financial institutions must report, too.

Answer 31

1st state to require notification of any breach, whether encrypted or not. Original bill exempted encrypted data. 45 days to notify of breach

Answer 32

"Personal Info Protection Act," or PIPA PII = PHI, PI, email, address, passwords, security questions, biometric data Limits encryption safe harbor if the keys were likely exposed or compromised

Answer 33

Requires notification of breached encrypted data, in addition to unencrypted data.

Answer 34

Breach notification law PII includes biometrics, like fingerprints and voice prints Includes encrypted data if keys were likely compromised, and unencrypted data. 45 days to notify

Answer 35

Requires operators of commercial websites to conspicuously post a privacy policy is the collect PII from those living in California. The policy must include information on how the operator responds to Do Not Track signals and to state whether 3 parties can collect PII about the site's users.

Answer 36

The Confidentiality of Medical Information Act (CMIA) is a California law that protects the confidentiality of individually identifiable medical information obtained by health care providers, health insurers, and their contractors.

Answer 37

CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.

Answer 38

who may release confidential medical information, and under what circumstances. The CMIA also prohibits the sharing, selling, or otherwise unlawful use of medical information.

Answer 39

health care providers, health care service plans, contractors, and pharmaceutical companies from disclosing patient medical information without first receiving a valid written authorization signed by the patient or the patient’s legal representative.

Answer 40

“any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”

Answer 41

medical information that “. . .includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”

Answer 42

authorization must be either handwritten by the individual who signs the document (the patient or their representative), or printed in a minimum of 14-point type authorization language must be clearly separated from any other language on the same page patient’s signature must “serve no other purpose than to execute the authorization” authorization form must be signed and dated.

Answer 43

the specific uses and limitations on the types of medical information to be disclosed the name or functions of the health care provider, health care service plan pharmaceutical company, or contractor that is being allowed to disclose the information pursuant to the authorization the names or functions of those persons or entities authorized to receive the information the specific uses and limitations on use of the information by the authorized recipients the expiration date of the authorization notice that the signer is entitled to a copy of the form

Answer 44

the patient the patient’s legal representative, if the patient is a minor or incompetent (unless the minor could give legal consent to the care and treatment which is the subject of the information, in which case the minor must give written authorization) the patient’s spouse or other financially responsible person, but only for the purpose of processing an application for dependent health care coverage and the patient will become an enrolled spouse or dependent the beneficiary or personal representative of a deceased patient

Answer 45

California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information. Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.

Answer 46

California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information. Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.

Answer 47

they will be subjected to the penalties for wrongful disclosure. Furthermore, an electronic medical record system must protect and preserve the integrity of electronic information, and “automatically record and preserve any change or deletion of any electronically stored medical information.” The record of any change or deletion must include the identity of the person who accessed and changed the information, the date and time the information was accessed, and the change that was made.

Answer 48

1) any adult, minor authorized by law to consent to treatment, or patient representative may inspect the patient’s medical records upon presentation of a written request and payment of reasonable clerical costs. 2) Physical inspection of the records must be allowed within five working days after receipt of the written request. 3) Copies of records may be obtained by written request and payment of certain costs, and the records must be transmitted within 15 working days after receiving the written request.

Answer 49

1) any “adult patient” to “provide to the health care provider a written addendum with respect to any item or statement in his or her records that the patient believes to be incomplete or incorrect.” The addendum is limited to 250 words per alleged incomplete or incorrect item in the patient’s record, and it must clearly indicate in writing that the patient wants the addendum to be part of the medical chart. 2) The physician must “attach the addendum to the patient’s records” and must include it whenever the health care provider “makes a disclosure of the allegedly incomplete or incorrect portion of the patient’s records to any third party.” Health care providers are protected from liability under this code section for any “defamatory or otherwise unlawful language” written in the addendum and subsequently included in the medical record.

Answer 50

1) Providers may disclose to a family member, other relative, domestic partner, or a close personal friend of the patient, or to any other person identified by the patient, the medical information directly relevant to that person’s involvement with the patient’s care. A provider may also disclose the patient’s location, general condition, or death to notify or assist in the notification, identification or location of a family member, personal representative of the patient, domestic partner, or another person responsible for the care of the patient. 2) If the patient is available and has the capacity to make health care decisions, the information above may be disclosed only if: the patient agrees, or the patient is provided with an opportunity to object and does not object, or the provider “reasonably infers from the circumstances, based on the exercise of professional judgment,” that the patient would not object to the disclosure. 3) If the patient is not available or incapacitated, or if an “emergency circumstance” exists, the provider “may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient, and if so disclose that information relevant to that person’s involvement in the patient’s medical care. Professional judgment and experience with common practice may also be used to make reasonable inferences of the patient’s best interests, to allow a person to pick up prescriptions, medical supplies, x-rays or other forms of medical information. 4) A psychotherapist may only disclose information under the above circumstances if the patient agrees, or if the patient has not expressed an objection when provided with the opportunity to object to the disclosure.

Answer 51

There is a lengthy list of persons and/or entities to which, and circumstances in which, medical information may be disclosed at the discretion of the provider without a patient’s written authorization. Before releasing any medical information without a patient’s authorization, providers should confirm who is requesting the information, and for what purpose the information is being requested. Discretionary disclosure is only allowable in the specific situations outlined in the applicable code section.

Answer 52

by court order by a board, commission or administrative agency for purposes of adjudication by a party to a legal action before a court, arbitration, or administrative agency, by subpoena or discovery request by a board, commission or administrative agency pursuant to an investigative subpoena by an arbitrator or arbitration panel, when arbitration is lawfully requested by either party by lawful search warrant at the “request” of the coroner (see below) when otherwise specifically required by law The patient or patient’s representative must also be given access to inspect or get copies of medical records upon payment of reasonable clerical costs and certain other conditions. Additionally, the CMIA requires provision of confidential medical information to a medical examiner, forensic pathologist, or coroner, “when requested in the course of an investigation… for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation pursuant to [Health & Safety Code §7151.15], or when otherwise authorized by the decedent’s representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation or who is the prospective donor and shall be disclosed to the coroner without delay upon request.”

Answer 53

One example of this is the California Confidentiality of Medical Information Act (CMIA), which has greater standards of protection of privacy than HIPAA. Patient health information is governed by robust rules that determine how this data is handled, stored, and accessed. Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and various state laws strengthen patient rights. HIPAA set a baseline for regulatory compliance with patient health information. Under the “preemption” language in the rule, no state may create less effective or weaker medical privacy protection for individuals. However, states can exceed HIPAA regulations and institute more stringent requirements.

Answer 54

medical information is defined as “individually identifiable health information about a patient’s medical history, mental or physical condition, or treatment.” Information that identifies a person, inclusive of a name, email address, physical address, phone number or Social Security number, is considered “individually identifiable” under the CMIA. Additionally, if the information can be combined with publicly available information to reveal a person’s identity, it is also considered “individually identifiable.” CMIA covers providers of health care, health care service plans, contractors, as well as “recipients” of that information. Employers should note that “recipients” are not defined under the CMIA and may have a broad range of applications. Therefore, it is prudent that providers who fall under CMIA investigate methods by which health care information may be received. They must also manage all possible sources of intake with proper safeguards. One significant way the two regulations differ is in violations. While HHS can issue fines under HIPAA, the CMIA allows patients to bring legal action for violations, inclusive of compensation, attorney fees, and damages. Additionally, the CMIA’s definition of “provider of health care” is more extensive than HIPAA’s language. Under Cal. Civ. Code § 56.06., any business that offers software or hardware, “including a mobile application or related device,” that are designed to maintain medical information, is considered a provider. Employers who receive employee medical information fall under the CMIA. Employers must assess and apply methods to secure such information, as well as integrate systems that prevent disclosure of employee health information without worker authorizations. Conclusion Organizations, health care providers and covered entities who fall under CMIA and HIPAA should train employees. Instruct them on the specific requirements to ensure end-to-end protection of data, and regularly survey the integrity of the risk management program and reassess systems and policies. Because CMIA is more stringent than HIPAA, employers should ensure employee compliance, not only to protect the organization, but also to protect patient privacy and to operate ethically. Protecting patient privacy is essential to improving the quality of care and fostering access to care.

Answer 55

Yes, under certain circumstances. Unlike HIPAA, CMIA provides individuals a private right of action. Consult an attorney for more information. Cal. Civ. Code §§ 56.35 – 56.37.

Answer 56

Yes, under certain circumstances. Unlike HIPAA, CMIA provides individuals a private right of action. Consult an attorney for more information. Cal. Civ. Code §§ 56.35 – 56.37.

Answer 57

Businesses are subject to the CDPA if both of the following criteria are met: They either conduct business in Virginia or produce products or services that are targeted to Virginia residents, and During a calendar year (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law. The law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”

Answer 58

1) certain government agencies, 2) financial institutions subject to the GBLA, 3) covered entities or business associates governed by HIPAA, 4) nonprofit organizations and institutions of higher education. 5) The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act. 6) The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual. 7) Additionally, controllers and processors that comply with verifiable parent consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.

Answer 59

As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.” Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.

Answer 60

Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf). Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations. Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.

Answer 61

Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer consent. Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue. Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA. Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR. Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in its privacy notice and provide a manner in which a consumer may exercise his or her opt out right. Unlike the CCPA, the CDPA does not appear to specify the specific manner in which the controller must prove the opt out right (i.e., there is no requirement for a specific link or button). Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.

Answer 62

Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data. Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data. Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer. Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format. Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in further of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.

Answer 63

within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.

Answer 64

The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers. The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.

Answer 65

Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment to not re-identify de-identified personal data and provide details on its data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.

Answer 66

provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.” On the federal level, it has already been predicted that the Biden administration will be active in the federal data privacy movement, given the Obama administration’s steps toward a federal privacy regulatory framework and Vice President Kamala Harris’s support for data privacy initiatives during her time as California’s attorney general. With several other states poised to follow Virginia with their own comprehensive privacy legislation, Congress may shift its priorities in the direction of a federal standard.

Answer 67

Unlike the CCPA, the VCDPA does not apply to employee data and does not create a private right of action for protected consumers

Answer 68

that reveals (a) consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) consumer’s geolocation; (d) consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) consumer’s genetic data.

Answer 69

(1) by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information,” (2) by utilizing a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt-out of the sale and sharing of their personal information; or (3) by complying with the automatic opt-out preference signal.

Answer 70

The Virginia law broadly exempts financial institutions or data subject to Gramm-Leach-Bliley, not just data collected pursuant to it. And Virginia exempts covered entities and business associates governed by HIPAA, not just PHI collected pursuant to HIPAA.

Answer 71

the Attorney General of Virginia will be able to administer fines up to $7,500 per instance of violations that aren’t addressed and corrected.

Answer 72

The Colorado Privacy Act applies to Colorado residents – which it refers to as "consumers" – and imposes data protection requirements on entities who either: conduct business in Colorado; or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado; and control or processes personal data of at least 100,000 consumers (Colorado Residents) a year; or control or process personal data of at least 25,000 consumers and derive revenue or receives a discount on the price of goods or services, from the sale of personal data.1

Answer 73

The Colorado Privacy Act applies to "Personal Data," which is defined as "information that is linked or reasonably linkable to an identified or identifiable individual."2 Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia Privacy Law, the Colorado Privacy Act's definition of consumer does not include individuals acting in commercial or employment contexts.

Answer 74

A controller is defined as a person that "determines the purposes for and means of processing personal data."4 Under the Colorado Privacy Act, controllers are required to: provide consumers with a "reasonably accessible, clear, and meaningful privacy notice," that outlines i) categories of personal data collected or processed by the controller or processors; ii) the purposes for processing; iii) how consumers can exercise the rights granted by the Colorado Privacy Act; iv) categories of personal data shared with third parties; v) categories of third parties with whom personal data is shared;5 disclose in a conspicuous manner any sale of consumer data and the manner in which a consumer may opt-out of the sale or processing of personal data;6 limit collection of personal data to what is adequate, relevant, and "reasonably necessary in relation to the specified purposes for which the data are processed;"7 take reasonable measures to secure personal data compatible with the scope, volume, and nature of the data;8 and obtain consumer consent before processing sensitive personal data by a clear affirmative act signifying that consent is freely given, specific, informed, and unambiguous.9 Notably, the Colorado Privacy Act specifies that such consent shall not be obtained through general or broad terms of use or through dark patterns designed to subvert consumer decision-making.10 A processor is a person that processes personal data on behalf of the controller.11 The Colorado Privacy Act requires processors to adhere to the controller's instructions and assist and cooperate with the controller to comply with its obligations under the act. The Colorado Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.12

Answer 75

The similarities between the Colorado, California and Virginia privacy laws will permit companies to develop a general uniform approach to data privacy compliance obligations in the US. Similar to these other state data privacy laws, entities operating in Colorado should consider the following framework in assessing compliance obligations under the Colorado Privacy Act: Confirm That Your Business is Subject to the Colorado Privacy Act. Entities must determine whether they meet the jurisdictional threshold of the Colorado Privacy Act, which notably does not include a minimum revenue threshold. Determine Whether Your Business Depends on the Sale or Purchase of Personal Information. Businesses will need to assess whether and to what extent their disclosures of personal information to third parties falls within the Colorado Privacy Act's broad definition of "sale" of data, which, similar to the California Privacy Law, includes disclosure for "valuable consideration." Businesses should note that, under the Colorado Privacy Act (CCPA), disclosures to processors or affiliates for the purpose of providing a product or service requested by a consumer or made intentionally by the consumer are not considered sales.30 Revise Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers and identify the mechanisms implemented for consumers to exercise those rights. Implement "Reasonable Security Measures." Assess cybersecurity policies, practices, and controls to ensure they are consistent with industry-recognized standards. Conduct Data Protection Assessment. Businesses will need to conduct data protection assessments that evaluate how the business processes, sells and uses personal data. Importantly, they should consider the risk involved in such processing. Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Prior to July 1, 2024 when the requirement comes into effect, businesses should begin to implement use of a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General (to be established by July 1, 2023). Implement Consent Mechanism for Collecting Sensitive Information. Businesses who collect sensitive data from consumers must obtain affirmative, informed and clear consent. The Colorado Privacy Act specifies that consent does not include accepting general terms of use, use of dark patterns, or hovering over, muting, pausing, or closing content. Businesses should develop opt-in mechanisms for consent in line with these constraints. Facilitate Receipt and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer requests to exercise their access, correction, and deletion rights under the Colorado Privacy Act. Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the Colorado Privacy Act. Although the Colorado Privacy Act fits within the general compliance approach applicable to the California and Virginia privacy laws, there will inevitably be certain compliance aspects among these state laws that will require consideration on an individual state basis. Additional guidance on the practical implementation of the Colorado Privacy Act is expected in the coming months. This is consistent with the approach taken by other states following the initial enactment of their respective data privacy laws, to further refine these laws. Nonetheless, businesses will likely be expected to take steps to comply with the existing statutory requirements in California and Virginia by January 1, 2023 and Colorado on July 1, 2023, while remaining nimble enough to adjust as additional guidance and regulations are issued. It is worth noting that several other states are in the process of considering and enacting data privacy laws, which may create additional layers of compliance obligations on entities conducting business in the US. As such, businesses should keep apprised of the developments in the evolving area of US consumer data privacy compliance.

Answer 76

a deceptive trade practice, and Colorado’s attorney general and local district attorneys are vested with the authority to investigate and impose civil penalties against noncompliant businesses

Answer 77

The CPA primarily applies to a limited set of organizations that control the processing of Colorado residents’ personal data (classified as “Controllers”) and to the third-party service providers who assist in the data processing activities (classified as “Processors”). These classifications mirror the structure set forth in other data protection laws (e.g., Virginia, EU GDPR). In particular, the CPA applies to Controllers conducting business in Colorado or producing or delivering commercial products or services that intentionally target Colorado residents and (i) control the collection of or process the personal data of at least 100,000 consumers annually, or (ii) derive revenue from or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 consumers.

Answer 78

any “information that is linked or reasonably linkable to” an identifiable person. On the other hand, it creates many exceptions to its scope of applicability and does not, for example, apply to personal data concerning an individual acting in the commercial or employment context or to protected health information, nonpublic personal information, and other data subject to certain federal privacy laws (e.g., HIPAA, GLBA, FCRA, FERPA, COPPA).

Answer 79

The CPA creates several new data privacy rights and privileges for Colorado consumers: the right to confirm whether a Controller is processing their personal data; the right to access personal data in a portable, and to the extent technically feasible, readily usable format to enable transfer to another entity; the right to correct inaccurate personal data, and the right to delete personal data.

Answer 80

how Controllers must intake, authenticate and respond to consumer privacy requests and mandates that organizations create “an internal process” to allow a consumer to “appeal” a Controller’s decision not to honor a data rights request, but it lacks any material specificity on how the appellate review must be formulated. It is not uncommon for Controllers to dispute that a consumer’s personal data is “inaccurate” and refuse to “correct” it. In turn, the CPA provides some flexibility in this area and allows Controllers to make these decisions based on the “nature of the Personal Data and the purposes of the processing.”

Answer 81

In addition, the CPA provides consumers with the right to opt out of the processing of their personal data to the extent it relates to targeted advertising, the sale of personal data or certain types of profiling. Consumers may exercise these rights directly or through third-party agents. The CPA further provides that Controllers must (as of July 2024) allow for consumers to exercise their opt-out rights in certain situations (e.g., targeted advertising, data sales) through a “user selected universal opt-out mechanism” that meets certain requirements set forth by the Colorado attorney general in future regulations. The CPA adopts a definition of “sale” similar to the one set forth in California’s data protection law. Under the CPA, “sale” means the “exchange of Personal Data for monetary or other valuable consideration by a Controller to a third party.” However, the CPA creates important exemptions to the definition of “sale,” such as the disclosure of personal data to a Processor or a Controller’s affiliate.

Answer 82

A Controller is required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that describes its data processing activities (e.g., categories of personal data collected and processed, the express purposes of processing, types of personal data shared with third parties, categories of recipients). It must also describe how consumers can exercise their data privacy rights and the Controller’s appeals process. A controller that sells personal data or uses it for targeted advertising purposes has the additional obligation to “clearly and conspicuously disclose” such processing and the manner in which consumers can exercise their opt-out rights.

Answer 83

The CPA limits how a Controller can use personal data without a consumer’s consent. For example, a Controller must not process personal data “for purposes that are not reasonably necessary to or compatible with” the original purposes for which the personal data was collected and processed, unless it obtains the consumer’s consent. Also, a Controller is prohibited from processing “Sensitive Data” without obtaining appropriate consent. The CPA defines “Sensitive Data” as personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health diagnosis, sex life or sexual orientation, or immigration status; relates to certain genetic or biometric data; or involves personal data collected from a “known child.” The requirement of express prior consent (as opposed to honoring after-the-fact opt-out requests) may add new burdens on Controllers.

Answer 84

Pursuant to the CPA, a Controller is prohibited from engaging in data processing that “presents a heightened risk of harm to a Consumer” without first undertaking a data protection assessment. In turn, the CPA defines this category of processing broadly to address a variety of common business activities, such as targeted advertising, selling of data, the processing of Sensitive Data, and certain types of profiling. The assessment must be made available to the Colorado attorney general, upon request.

Answer 85

Like many other data protection laws, the CPA requires Controllers and Processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and duration of data processing, the limited manner in which the Processor can use the personal data, confidentiality and employee/personnel vetting requirements, proof of compliance, and auditing. The CPA provides that Processors may only retain subcontractors after furnishing a Controller the opportunity to object to the arrangement and (if so approved by the Controller) only if the subcontractor agrees to the same data protection terms applicable to the Processor. The CPA also requires these Controller-to-Processor contracts to include clauses requiring the Processor to, at the end of the data processing services, delete or return the personal data in its custody, unless retention is required by law; however, it does not expressly create any exceptions for personal data retained in backup or archived formats.

Answer 86

The CPA places affirmative data security obligations on Controllers. It requires them to “take reasonable measures to secure personal data during both storage and use from unauthorized acquisition,” and such measures must be appropriate to the volume, scope and nature of the personal data. The CPA does not address or otherwise attempt to limit other data security requirements set forth in other areas of Colorado law. For instance, pursuant to CO ST § 6-1-713.5, certain businesses must “implement and maintain reasonable security procedures and practices” to safeguard “personal identifying information,” and these measures must be based on the “nature and size of the business and its operations.”

Answer 87

Unlike the Virginia Consumer Data Protection Act (VCDPA), the CPA does not exempt nonprofits, nor does it expressly provide an entity-level exemption for organizations regulated by the Health Information Portability and Accountability Act (HIPAA).

Answer 88

the California Act or the Virginia Act.

Answer 89

meets technical specifications that the attorney general must establish by July 1, 2023. This differs from the CCPA, which makes a universal or global control optional.

Answer 90

Businesses covered by the new data privacy laws should: Implement cybersecurity safeguards; Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision; Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data; Establish a user-selected universal opt-out mechanism by July 1, 2024; Update their Privacy Policy to explain their collection and use of data; Update their contracts with third parties to ensure that they comply with the laws; Obtain consumers’ informed consent before collecting sensitive data; and Establish a procedure to determine when to conduct a data protection assessment.

Answer 91

Under the CPA a violation is a deceptive trade practice under the Colorado Consumer Protection Act, such that while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act specifies a penalty of up to $20,000 per violation.

Answer 92

Under the CPA, the controller has 60 days to cure a violation after the attorney general or district attorney provides notice. The CCPA and VCDPA only provide 30 days to cure. Critically, unlike the CCPA or VCDPA, the CPA’s right-to-cure provision expires on January 1, 2025.

Answer 93

De-identified data is generally exempt from obligations under the CPA because de-identified data is not personal data if certain conditions are met. However, controllers maintaining de-identified data are required to exercise reasonable oversight over contractual commitments related to de-identified data and to take appropriate steps to address breaches of those commitments. Similar to Virginia’s CDPA, controllers are also required to consider their use of de-identified data when conducting data protection assessments. De-identified information means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: Takes reasonable measures to ensure the data cannot be associated with an individual. Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data. Contractually obligates any recipients of the information to comply with these requirements. This approach to de-identified information is similar to the approach reflected in California’s CPRA and Virginia’s CDPA. All three privacy laws broadly align with the de-identification framework set forth in the FTC’s 2012 Staff Report.

Answer 94

The CPA exempts “pseudonymous data” from certain data subject rights (the right of access and the rights to correction, deletion, and data portability). Pseudonymous data is personal data that cannot be attributed to a specific individual without additional information if such information is “kept separately” and is subject to technical and organizational measures to ensure that the data is not attributed to a specific individual. Similar to Virginia’s CDPA, controllers that maintain pseudonymous data are not required to honor consumer rights requests (except requests to opt out) if the controllers can demonstrate that the information needed to identify the consumer exercising the right is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

Answer 95

The CPA contains exemptions similar to other privacy laws. For instance, the Act does not apply to certain medical information, including personal data governed by the Health Insurance Portability and Accountability Act, and personal data subject to the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and Gramm–Leach–Bliley Act (GLBA). In addition to a GLBA data-level exemption, the law includes an entity-level exemption for financial institutions and their affiliates that are subject to the GLBA and its implementing regulations. The CPA also exempts employee information and business-to-business data from substantial regulation. Data maintained for employment record purposes is exempt, The law applies to consumers, but the term consumer excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

Answer 96

Public Act 21-59 modifies Connecticut’s existing data breach and cybersecurity law in three key areas. 1) it expands the substantive definition of what constitutes “personal information” subject to legal protection. 2) it shortens the deadline for providing notice of data breaches (subject to certain qualifications and exceptions as further discussed below) and creates unique notification requirements for incidents involving a breach of login credentials. 3) it protects from public disclosure certain information provided in response to a Connecticut unfair trade practices investigation arising from a data breach.

Answer 97

Connecticut law previously defined “personal information” as a person’s first name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license number; (3) state identification card number; (4) credit or debit card number; or (5) financial account number in combination with any password or security code that would permit access to such account. Public Act 21-59 expands this definition significantly to include the following data elements: Taxpayer identification number; IRS identity protection personal identification number; Passport number, military identification number, or other government-issued identification number used to verify identity (e.g., Social Security number); Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; Health insurance policy number, subscriber identification number, or other number used by a medical insurer to identify the individual; Biometric information consisting of data generated by measurements of unique physical characteristics, such as a fingerprint, voice print, retina, or iris image, used to authenticate identity; User name or electronic mail address in combination with a password or security code that would permit access to an online account.

Answer 98

Under Public Act 21-59, the deadline for providing notice of a data breach to affected individuals and the Connecticut attorney general is shortened from 90 days to “without unreasonable delay, but not later than 60 days.” In the event that the notifying entity discovers additional individuals after the reporting deadline, it is still obligated to act in good faith to notify those individuals “as expediently as possible.” Moreover, if the entity determines it cannot confirm the identities of and provide notice to all affected individuals within the new 60-day deadline, it must provide preliminary substitute notice to all potentially affected individuals and follow up with direct notice as soon as possible. Substitute notice consists of (1) email notice (where the individual’s email address is known), (2) “conspicuous posting” of the notice on the entity’s website (if any), and (3) “notification to major state-wide media, including newspapers, radio and television.” Further, Public Act 21-59 contains special rules applicable to incidents involving a breach of login credentials. Notice of a breach of login credentials can be provided via email (or other electronic means) to direct the recipient to change their login credentials or take other steps to secure their account. However, if the affected individual’s receipt of the email notification cannot be verified, then an alternative form of notice must be used, or the individual must receive “clear and conspicuous notice” while the individual is “connected to the online account” that the individual “customarily accesses … .” Although not expressly required by the statute, businesses also can consider forcing affected customers to change their passwords or other login information. Notably, Public Act 21-59 provides that data breach notification requirements apply to anyone who owns, licenses, or maintains computerized data that includes “personal information,” not just those who do so in the ordinary course of business. This broadens the applicability of the statute’s prior notification requirements.

Answer 99

With two important exceptions, any entity subject to (and in compliance with) HIPAA and/or HITECH privacy and security standards is deemed to be in compliance with the notice obligations set forth in Public Act 21-59. The exceptions are that (1) an entity required to notify Connecticut residents of a breach under HIPAA/HITECH must also notify the attorney general when those residents are notified; and (2) if the entity would have been required to provide identity protection or mitigation services under Connecticut law (e.g., due to breach of a Social Security number), that requirement remains in effect. This provision attempts to address any confusion from conflicting state law requirements and requirements under HIPAA/HITECH.

Answer 100

Public Act 21-59 also provides confidentiality protections to businesses responding to an investigation into alleged violations of Connecticut’s Unfair Trade Practices Act arising from a data breach. Public Act 21-59 recognizes that “documents, materials and information” provided in response to an investigation of a potential violation of Connecticut’s Unfair Trade Practices Act arising from a data breach are exempt disclosure requirements under Connecticut’s freedom of information law. However, the attorney general is permitted to make such documents, material, and information available to third parties for investigative purposes.

Answer 101

Public Act 21-119 seeks to incentivize greater adoption of cybersecurity standards by businesses. Among other things, Public Act 21-119 allows businesses that comply with certain industry-recognized cybersecurity practices to avoid punitive damages in any tort claim that alleges a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The immunity from punitive damages afforded by Public Act 21-119, however, is subject to a few qualifications. First, protection from punitive damages is provided only for tort claims “brought under the laws of [the state of Connecticut] or in the courts [of the state of Connecticut].” Second, the entity must have complied with a formal, written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information … .” Finally, the program must conform to one or more of the industry-recognized cybersecurity frameworks referenced in the statute. These frameworks include standards adopted by the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and the Payment Card Industry (PCI) Security Standards Council — and, for applicable businesses, the security regulations established by HIPAA, HITECH, FISMA, or GLBA. Entities will be deemed in compliance with subsequently amended or revised versions of the industry-recognized frameworks listed in the statute as long as they conform to such amended or revised version within six months of its publication.

Answer 102

Connecticut’s updated data breach notification and cybersecurity statutes are consistent with a growing trend of states seeking to protect personal information by expanding the definition of personal identifying information and by providing businesses with new tools to stay in compliance with the law and manage risk associated with information security and privacy. The tightened notice requirements and expanded definition of “personal information” set forth in Public Act 21-59 will require affected businesses to enhance their efforts to quickly and effectively respond to data breach and other cybersecurity threats. To do so, businesses should strongly consider reviewing and updating their incident response plans, enhancing their training and roundtable exercises, and having in place a list of forensic consultants, outside counsel, and media advisors to meet the tightened deadlines and manage their response. The immunity from punitive damages afforded by Public Act 21-119 should serve to galvanize potentially affected businesses, as well as their general counsels, CTOs, risk managers, and other privacy professionals to reevaluate and strengthen their information security policies and procedures and adopt industry-recognized standards. Finally, the exemption from compliance with Public Act 21-59 for entities already compliant with HIPAA and/or HITECH’s privacy and security obligations should enhance efficiency and avoid confusion between state and federal standards, at least with respect to covered entities in the health care industry.