Ch. 7 - State Privacy, Security, and Data Breach Notification Laws Flashcards

1
Q

California’s first state breach notification law - definition of PI

A

PI is:
(1) Social Security number,
(2) driver’s license number or California identification card number,
(3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,”
(4) medical information,
(5) health insurance information, and
(6) data collected from automated license plate recognition systems.

Note: personal information that is publicly available or encrypted is excluded from the law.

2
Q

California AB 1950

A
  • The law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Furthermore, the bill requires businesses that use unaffiliated third-party data processors to contractually mandate similar security procedures.

  • The CA AG issued a report identifying the Center for Internet Security’s Critical Security Controls as the minimum level of security required.
3
Q

Mass state security law, 201 CMR 17.00 = most prescriptive in nation

A

Goes beyond breach notification by requiring those holding PI (name plus sensitive element) to:

  1. Designate an individual who is responsible for information security
  2. Anticipate risks to personal information and take appropriate steps to mitigate such risks
  3. Develop security program rules
  4. Impose penalties for violations of the program rules
  5. Prevent access to personal information by former employees
  6. Contractually obligate third-party service providers to maintain similar procedures
  7. Restrict physical access to records containing personal information
  8. Monitor the effectiveness of the security program
  9. Review the program at least once a year and whenever business changes could impact security
  10. Document responses to incidents

From a technical perspective, 201 CMR 17.00 mandates user authentication, access controls, encryption, monitoring, firewall protection, updates and training. The law came into effect in 2010.

4
Q

Washington state security law

A
  • Along with states including Minnesota and Nevada, Washington is part of a growing trend to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into statute to ensure the security of credit card transactions and related personal information.
  • Washington’s HB 1149 permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.
  • Processors are not liable if the data were encrypted at the time of the breach or had been certified as PCI-compliant within one year of the breach.
5
Q

Types of data breaches

A
  1. Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
  2. Hacking or malware—electronic entry by an outside party, malware and spyware
  3. Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
  4. Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
  5. Physical loss—lost, discarded or stolen nonelectronic records such as paper documents;
  6. Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
  7. Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
  8. Unknown or other
6
Q

Data Breach Step 1

A

Determine whether a breach occurred.

Indicators: multiple failed logins, sudden use of a long-dormant account, off-hours use, unknown programs, files, devices or users.

Breaches can be difficult to detect.

7
Q

Data breach - step 2

A

Containment and physical analysis of the incident.

Recover items, data.

Shut down infiltrated system, revoke access.

Forensic support may be needed.

Full audit and careful analysis, document.

8
Q

Data breach - step 3

A

Notify affected parties.

States often require certain content in notification.

Contractual obligations as well.

Timing is crucial.

9
Q

Data breach - step 4

A

Implement effective follow-up methods.

Additional training, internal self-assessments, third-party audits, additional monitoring.

Identify deficiencies and correct them.

10
Q

OMB requirements for federal agency data breach

A

Can serve as guidance.

The OMB set forth the following framework for a security breach plan:
• Designate the members who will make up a breach response team
• Identify applicable privacy compliance documentation
• Share information concerning the breach to understand the extent of the breach
• Determine what reporting is required
• Assess the risk of harm for individuals potentially affected by the breach
• Mitigate the risk of harm for individuals potentially affected by the breach
• Notify the individuals potentially affected by the breach
OMB policies also focused on the issue of contracts with vendors. From a best-practices perspective, organizations should ensure that vendors are contractually required to do the following: provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches, participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.

11
Q

Basic components of state data breach notification laws

A
  • The definition of personal information, meaning the specific data elements that trigger reporting requirements
  • The definition of what entities are covered
  • The definition of a “security breach” or “breach of the security of a system”
  • The level of harm requiring notification
  • Whom to notify
  • When to notify
  • What to include in the notification letter
  • How to notify
  • Exceptions that may exist to the obligation to notify (or when notification may be delayed)
  • Penalties and rights of action
12
Q

Definition of PI in state data breach notification laws

A

CT as example:

“an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”

Other states include medical and healthcare information.

Some add federal or state ID numbers.

Some add biometric data.

Almost all exclude publicly available information, i.e., information from public records or widely distributed media.

13
Q

Definition of covered entities under state data breach notification laws

A

CT as example:

“any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.”

14
Q

Harm and Definition of Security Breach in state data breach notification laws

A

CT as example:

Connecticut defines a “breach” of security as “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”

Some states add a materiality qualifier, or use “likely to cause identity theft” as the standard.

15
Q

Whom to Notify under state data breach notification law

A

Primarily state residents who are at risk because of the breach.

More than half require AG notification and/or other state agencies, if certain thresholds crossed.

Timing of AG notification varies, from same time as affected individuals, to later.

At least 28 states require notice to the nationwide CRAs if certain thresholds are crossed (usually a higher number of affected individuals than the threshold that triggers AG notice).

All require notification of the owner of the data if it is not the breached company.

16
Q

When to notify under state data breach notification laws

A

The most common phrase used in conjunction with timing is “the most expeditious time possible and without unreasonable delay.”

Legislators, however, recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system.”

As of 2017, only Florida, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington and Wisconsin specify a limit to expeditious time—typically no later than 45 days after the discovery of the breach.

Delays are allowed in order to notify law enforcement if criminal activity is suspected, and when law enforcement believes notice would hamper its investigation.

Puerto Rico has 10 days.

17
Q

What to include in notice under state data breach notification laws

A

NC is among the most extensive:

  • A description of the incident in general terms
  • A description of the type of personal information that was subject to the unauthorized access and acquisition
  • A description of the general acts of the business to protect the personal information from further unauthorized access
  • A telephone number for the business that the person may call for further information and assistance, if one exists
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
  • The toll-free numbers and addresses for the major consumer reporting agencies
  • The toll-free numbers, addresses and website addresses for the Federal Trade Commission (FTC) and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft
18
Q

How to notify

A

Written notice is required; email and telephone notice are permitted if the individual has opted in to them.

Most legislation recognizes the need for alternatives when thousands or millions of individuals are affected.

CT as example: email, conspicuous posting on the website, or notice in the media.

19
Q

Exceptions to notification

A

Three basic exceptions:

  1. Entities subject to more stringent notification laws, e.g., HIPAA, GLBA.
  2. Entities already following notification procedures as part of their own infosec policies, as long as those are compatible with the law.
  3. Data that was encrypted, redacted, or otherwise unreadable or unusable.
20
Q

Penalties

A

Enforced by the state AG, with penalties for damages of various amounts (higher for willful violations).

Private right of action (PROA) in a handful of states (VA, CA, TX, MD, DC, others).

21
Q

State Data Destruction Laws

A

At least 32 states had one by 2017.

They describe whom the law applies to, any required notice of destruction, and exemptions (e.g., entities subject to a federal law requiring destruction).

Most laws resemble NC’s, so it serves as the example.

NC as example: applies to anyone conducting business in NC or who maintains or possesses PI of an NC resident.

NC requires entities to take reasonable measures to safeguard against unauthorized access in connection with or after disposal.

NC required reasonable measures:

  1. Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed
  2. Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed
  3. Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity

No PROA unless personal injury.

22
Q

State Regulatory Authorities

A

The lack of a comprehensive federal privacy law increases the power of the states.

23
Q

Marketing Laws

A

a. Covered by both self-regulation and federal/state laws (CIPP/US Limits on Private Sector Data).
b. Self-regulation is when companies in an industry form a coalition, define standards of conduct, mutually commit to following those standards, and develop an enforcement program to verify to each other and the public that they are doing so.
c. NAI (Network Advertising Initiative) – for those who participate in online advertising, the NAI publishes a code of conduct with detailed requirements including notices of privacy practices, an opt-out option for consumers, and how to provide information on data security, use, and availability. The NAI is one example of an industry self-regulatory framework.
d. The BBB offers a self-regulatory framework for advertising to children.
e. Every state has a law protecting consumers against unfair and deceptive trade practices.
f. CAN-SPAM allows state AGs to bring legal action against violators.

24
Q

California SB-1

A

Expands upon GLBA. Restricts financial institutions’ sharing of customer information. Under GLBA, financial institutions can share customer information with third parties unless the customer opts out; SB-1 requires the customer to opt in. SB-1 also requires financial institutions to provide an “important privacy notices for consumers” notice prominently.

25
Q

Social Security Number (SSN)

A

SSNs are the most sensitive information for individuals in the U.S., and the digitization of consumer finance has resulted in their increased use. Possession of an SSN is widely used as proof of identity. Organizations now need to purge unnecessary stores of SSNs and protect the SSNs they still need.

26
Q

California Electronic Communications Privacy Act (2015)

A

Requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do.
1. Builds upon the federal electronic communications privacy act. Places restrictions on state law enforcement in two different ways:
o Access to Service Provider Records – requires a search warrant or court order in criminal cases; requires a subpoena in noncriminal cases
o Access to Electronic Devices – requires a search warrant, wiretap order, consent of the customer, or certification of an emergency situation
o CalECPA only applies to California law enforcement agencies, not federal agencies operating in CA

27
Q

Delaware Online Privacy and Protection Act of 2016 (DOPPA)

A

Summary:
Requires any website collecting PII to post and comply with a privacy policy via conspicuous posting (on the homepage, or via a link containing the word “privacy”). The policy must be reasonably accessible to users.
o The policy must identify the PII collected and the third parties with whom the site shares PII.
o Disclose handling of “do not track” requests.
o Describe policy change notification procedures.

eBook providers are prohibited from sharing information about users without appropriate legal process.

Prohibited Advertising to Children – the prohibited categories include alcohol/drugs, firearms or fireworks, tanning, dietary supplements, lottery/gambling, body modifications, and sexual materials.

Detail:
Effective January 1, 2016, provides strong online privacy protection for the residents of Delaware. The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violation of the law.

28
Q

Three major provisions of DOPPA

A

o Websites must post privacy policies
o eBook providers must safeguard user information
o Websites targeting children must restrict advertising.

29
Q

Nevada SB 538 - 2017

A

Requires website owners to post privacy notices. Applies to any website operators who collect and maintain PII of Nevada residents. Organizations that do not meet this requirement are fined $5,000.

30
Q

Nevada SB Requirements

A

o Categories of information and third-party partners
o Describe process to review and correct records, if available
o Describe notification process for policy changes
o Disclose use of third-party tracking services
o Include an effective date.

31
Q

Illinois Right to Know Act - 2017

A

Proposed protections for personal information collected by websites. Failed to reach a vote. Even though it did not pass, it’s noteworthy for the exam to know that it provided the first private right of action to civilians who felt their privacy was harmed by an organization

32
Q

New Jersey Personal Information and Privacy Protection Act (2017)

A

Regulates the scanning of identification cards. For the purposes of the law, scanning applies to any type of electronic reading of the card. Retailers may scan cards only for eight purposes:
o Verify the authenticity of the card or identity of card holder
o Verify the age for age-restricted purchases
o Prevent fraud for refunds or exchanges
o Open or manage a credit account or transaction
o Establish or maintain a contractual relationship
o Meet obligations under federal or state law
o Transmit information to a financial institution
o Meet obligations under HIPAA.
• Data for age or authenticity cannot be retained.
• Information retained must be reported.
• Retailers are prohibited from selling and otherwise using this information.
• NJPIPPA includes a private right of action and allows fines of up to $5,000.

33
Q

Washington Biometric Privacy Law (H.B. 1493) (2017)

A

Biometrics are an important security control used to protect sensitive data.
1. Biometric Identifier – data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics, that is used to identify a specific individual
2. The law excludes photos, video recordings and audio recordings
3. Enrollment requirements:
o Notice
o Consent
o Mechanism preventing commercial use
4. The law limits sharing biometric information with third parties unless consent, required by law, or to a contracted third-party consistent with the law
5. Maintenance requirements:
o Protect against unauthorized access
o Dispose when not needed
o Only used as disclosed when it was obtained

34
Q

NYDFS Cyber-security Regulation (2017)

A

Regulates banks, insurance companies, and other financial services providers operating in NY. The cybersecurity regulation applies to all covered entities regulated by DFS.

  1. Requires that all covered entities implement a risk-based cybersecurity program
  2. Covered entities must also implement a written cybersecurity policy
  3. Designate a chief information security officer (CISO) who provides a written report to the board
  4. Implement the DFS cybersecurity controls
35
Q

DFS Cyber-security Controls

A
o Penetration testing
o Vulnerability assessment
o Audit trail
o Access privileges
o Application security
o Risk assessments
o Multi-factor authentication
o Encryption
o Incident response plan
o Secure disposal
36
Q

Personal Information

A

A person’s first name or first initial and their last name when combined with their Social Security number, driver’s license number or state identity card number, or financial account number, credit card number, or debit card number in combination with a security code or password.

37
Q

Security Breach

A

Unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any resident of Mississippi, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

38
Q

Conditions for notification of a breach

A

Most states use generic language (i.e., “unreasonable delay”). Others specify a number of days (30, 60, or 90).

39
Q

Subject Rights for Data Breaches

A

Most states do not allow a private right of action. (Only AG can bring forward a suit).

40
Q

Tennessee SB 2005

A

i. Passed in 2016
ii. Changes:
1. Defined personal information to include encrypted data
2. Shortened the notice period to 14 days
3. Extended definition of a data breach to unauthorized access by an employee of information to be used for an unlawful purpose

41
Q

Illinois HB 1260

A
  1. Expanded the scope of PI to include health records, biometric data, and usernames/passwords
  2. Requires notification of the AG for HIPAA breaches
  3. Removes the encryption safe harbor if the encryption key was breached
42
Q

California AB 2828

A
  1. Removes encryption safe harbor if encryption key was breached
  2. Allows delayed notification at the request of law enforcement
  3. Creates specific content and format requirements for breach notices
43
Q

New Mexico HB 15

A
  1. One of the last to pass a data breach notification law
  2. Includes biometric information in scope
  3. Requires AG notification if more than 1,000 New Mexicans are affected
  4. Exempts GLBA and HIPAA covered entities
  5. Includes secure data storage and disposal
44
Q

Massachusetts HB 4806

A
  1. Requires credit monitoring services for breaches involving SSNs
45
Q

The California data breach notification law (SB 1386):

A. Defines personal information as the person’s name only
B. Does not provide for monetary damages in the event of a breach
C. Is enforced by the California Attorney General and allows for a private right of action
D. Requires encryption of all personal information

A

C. Is enforced by the California Attorney General and allows for a private right of action

46
Q

DOPPA (DE)

A

Similar to CalOPPA.

Must post privacy policy if working with kids, and can’t use PII to market alcohol, tobacco, tattoos, fireworks, piercings, etc to kids.

47
Q

CalOPPA (CA) - What is it?

A

First law in the nation to require websites, including mobile apps, to conspicuously post a privacy policy if they collect PII from CA residents. 2013.

48
Q

CalOPPA (CA) - Disclosure Requirements (4)

A

Must disclose:

  • categories of PII collected
  • types of third parties the data can be shared with
  • how the site responds to Do Not Track signals
  • whether other parties can collect PII over time while a user uses the site
49
Q

ICRAA (CA)

A

Investigative Consumer Reporting Agencies Act- stricter than FCRA, requires written consent and includes a person’s “character.” Also requires that people can request a copy of the report, and a copy must be provided if adverse action is taken (regardless of whether you requested the copy)

50
Q

CMIA (CA)

A

Confidentiality of Medical Information Act- broader definition of contractor than HIPAA (eg, you’re considered a contractor if you made the healthcare software, phone apps with health data, etc)

51
Q

SB-1 (CA)

A

AKA Financial Info Privacy Act- limits financial data sharing to 3rd party partners

52
Q

SB-1386 (CA)

A

If you store any customer data, you must notify CA residents of breaches.

53
Q

Do Not Track Law (CA)

A

CalOPPA

54
Q

Massachusetts Personal Information Security Regulation

A

All parties that own or license PI of MA residents must encrypt all PI stored on laptops or other portable devices, as well as PI in transit over wireless or public networks.

55
Q

MA State 201 CMR 17

A

Most prescriptive breach law in nation.

Establishes minimum PI safeguards for physical and electronic records. Basically, you have to have an ISO-style compliance program and report breaches.

If the breach includes credit/debit #s, the financial institutions must report, too.

56
Q

TN SB 2005

A

1st state to require notification of any breach, whether encrypted or not. Original bill exempted encrypted data.

45 days to notify of breach

57
Q

IL HB 1260

A

“Personal Info Protection Act,” or PIPA

PII = PHI, PI, email, address, passwords, security questions, biometric data

Limits encryption safe harbor if the keys were likely exposed or compromised

58
Q

CA AB 2828

A

Requires notification of breached encrypted data, in addition to unencrypted data.

59
Q

NM HB 15

A

Breach notification law

PII includes biometrics, like fingerprints and voice prints

Includes encrypted data if keys were likely compromised, and unencrypted data.

45 days to notify

60
Q

What does the CalOPPA do?

A

Requires operators of commercial websites to conspicuously post a privacy policy if they collect PII from those living in California. The policy must include information on how the operator responds to Do Not Track signals and must state whether third parties can collect PII about the site’s users.

61
Q

What is the California confidentiality of medical information Act?

A

The Confidentiality of Medical Information Act (CMIA) is a California law that protects the confidentiality of individually identifiable medical information obtained by health care providers, health insurers, and their contractors.

62
Q

Who does the California confidentiality of medical information Act apply to?

A

CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.

63
Q

The California Confidentiality of Medical Information Act (CMIA) defines

A

who may release confidential medical information, and under what circumstances.

The CMIA also prohibits the sharing, selling, or otherwise unlawful use of medical information.

64
Q

In general, the CMIA prohibits

A

health care providers, health care service plans, contractors, and pharmaceutical companies from disclosing patient medical information without first receiving a valid written authorization signed by the patient or the patient’s legal representative.

65
Q

Under the CMIA, medical information is defined as:

A

“any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”

66
Q

Under the CMIA, Individually identifiable is defined as:

A

medical information that “. . .includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”

67
Q

The CMIA imposes requirements on the written authorization used for disclosure of medical information:

A

authorization must be either handwritten by the individual who signs the document (the patient or their representative), or printed in a minimum of 14-point type
authorization language must be clearly separated from any other language on the same page
patient’s signature must “serve no other purpose than to execute the authorization”
authorization form must be signed and dated.

68
Q

Under the CMIA, The authorization must specifically include the following:

A

the specific uses and limitations on the types of medical information to be disclosed
the name or functions of the health care provider, health care service plan, pharmaceutical company, or contractor that is being allowed to disclose the information pursuant to the authorization
the names or functions of those persons or entities authorized to receive the information
the specific uses and limitations on use of the information by the authorized recipients
the expiration date of the authorization
notice that the signer is entitled to a copy of the form

69
Q

Under the CMIA, Only the following individuals are allowed to sign the authorization:

A

the patient
the patient’s legal representative, if the patient is a minor or incompetent (unless the minor could give legal consent to the care and treatment which is the subject of the information, in which case the minor must give written authorization)
the patient’s spouse or other financially responsible person, but only for the purpose of processing an application for dependent health care coverage and the patient will become an enrolled spouse or dependent
the beneficiary or personal representative of a deceased patient

70
Q

What law states Health care service plans must assure confidentiality?

A

California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information.

Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.

71
Q

The CMIA requires that providers who “create, maintain, preserve, store, ‘abandon,’ destroy, or dispose of” medical information do so in a manner that preserves the information’s confidentiality, or

A

they will be subjected to the penalties for wrongful disclosure.

Furthermore, an electronic medical record system must protect and preserve the integrity of electronic information, and “automatically record and preserve any change or deletion of any electronically stored medical information.”

The record of any change or deletion must include the identity of the person who accessed and changed the information, the date and time the information was accessed, and the change that was made.

72
Q

California Health & Safety Code §123110 provides that

A

1) any adult, minor authorized by law to consent to treatment, or patient representative may inspect the patient’s medical records upon presentation of a written request and payment of reasonable clerical costs.
2) Physical inspection of the records must be allowed within five working days after receipt of the written request.
3) Copies of records may be obtained by written request and payment of certain costs, and the records must be transmitted within 15 working days after receiving the written request.

73
Q

California Health & Safety Code §123111 allows

A

1) any “adult patient” to “provide to the health care provider a written addendum with respect to any item or statement in his or her records that the patient believes to be incomplete or incorrect.” The addendum is limited to 250 words per alleged incomplete or incorrect item in the patient’s record, and it must clearly indicate in writing that the patient wants the addendum to be part of the medical chart.
2) The physician must “attach the addendum to the patient’s records” and must include it whenever the health care provider “makes a disclosure of the allegedly incomplete or incorrect portion of the patient’s records to any third party.” Health care providers are protected from liability under this code section for any “defamatory or otherwise unlawful language” written in the addendum and subsequently included in the medical record.

74
Q

What does CMIA say about “Disclosure to friends, relatives and personal representatives”?

A

1) Providers may disclose to a family member, other relative, domestic partner, or a close personal friend of the patient, or to any other person identified by the patient, the medical information directly relevant to that person’s involvement with the patient’s care. A provider may also disclose the patient’s location, general condition, or death to notify or assist in the notification, identification or location of a family member, personal representative of the patient, domestic partner, or another person responsible for the care of the patient.
2) If the patient is available and has the capacity to make health care decisions, the information above may be disclosed only if: the patient agrees, or the patient is provided with an opportunity to object and does not object, or the provider “reasonably infers from the circumstances, based on the exercise of professional judgment,” that the patient would not object to the disclosure.
3) If the patient is not available or incapacitated, or if an “emergency circumstance” exists, the provider “may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient, and if so disclose that information relevant to that person’s involvement in the patient’s medical care.” Professional judgment and experience with common practice may also be used to make reasonable inferences of the patient’s best interests, to allow a person to pick up prescriptions, medical supplies, x-rays or other forms of medical information.
4) A psychotherapist may only disclose information under the above circumstances if the patient agrees, or if the patient has not expressed an objection when provided with the opportunity to object to the disclosure.

75
Q

What does CMIA say about “Discretionary disclosure of information”?

A

There is a lengthy list of persons and/or entities to which, and circumstances in which, medical information may be disclosed at the discretion of the provider without a patient’s written authorization.

Before releasing any medical information without a patient’s authorization, providers should confirm who is requesting the information, and for what purpose the information is being requested. Discretionary disclosure is only allowable in the specific situations outlined in the applicable code section.

76
Q

Under the CMIA, medical information must be released when compelled:

A

by court order
by a board, commission or administrative agency for purposes of adjudication
by a party to a legal action before a court, arbitration, or administrative agency, by subpoena or discovery request
by a board, commission or administrative agency pursuant to an investigative subpoena
by an arbitrator or arbitration panel, when arbitration is lawfully requested by either party
by lawful search warrant
at the “request” of the coroner (see below)
when otherwise specifically required by law
The patient or patient’s representative must also be given access to inspect or get copies of medical records upon payment of reasonable clerical costs and certain other conditions.

Additionally, the CMIA requires provision of confidential medical information to a medical examiner, forensic pathologist, or coroner, “when requested in the course of an investigation… for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation pursuant to [Health & Safety Code §7151.15], or when otherwise authorized by the decedent’s representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation or who is the prospective donor and shall be disclosed to the coroner without delay upon request.”

77
Q

An example of a State healthcare law that prompts HIPAA

A

One example of this is the California Confidentiality of Medical Information Act (CMIA), which has greater standards of protection of privacy than HIPAA.

Patient health information is governed by robust rules that determine how this data is handled, stored, and accessed. Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and various state laws strengthen patient rights. HIPAA set a baseline for regulatory compliance with patient health information. Under the “preemption” language in the rule, no state may create less effective or weaker medical privacy protection for individuals.

However, states can exceed HIPAA regulations and institute more stringent requirements.

78
Q

Under the CMIA,

A

medical information is defined as “individually identifiable health information about a patient’s medical history, mental or physical condition, or treatment.”

Information that identifies a person, inclusive of a name, email address, physical address, phone number or Social Security number, is considered “individually identifiable” under the CMIA. Additionally, if the information can be combined with publicly available information to reveal a person’s identity, it is also considered “individually identifiable.”

CMIA covers providers of health care, health care service plans, contractors, as well as “recipients” of that information.

Employers should note that “recipients” are not defined under the CMIA and may have a broad range of applications. Therefore, it is prudent that providers who fall under CMIA investigate methods by which health care information may be received. They must also manage all possible sources of intake with proper safeguards.

One significant way the two regulations differ is in violations. While HHS can issue fines under HIPAA, the CMIA allows patients to bring legal action for violations, inclusive of compensation, attorney fees, and damages.

Additionally, the CMIA’s definition of “provider of health care” is more extensive than HIPAA’s language. Under Cal. Civ. Code § 56.06, any business that offers software or hardware, “including a mobile application or related device,” that is designed to maintain medical information is considered a provider.

Employers who receive employee medical information fall under the CMIA. Employers must assess and apply methods to secure such information, as well as integrate systems that prevent disclosure of employee health information without worker authorizations.

Conclusion

Organizations, health care providers and covered entities who fall under CMIA and HIPAA should train employees. Instruct them on the specific requirements to ensure end-to-end protection of data, and regularly survey the integrity of the risk management program and reassess systems and policies.

Because CMIA is more stringent than HIPAA, employers should ensure employee compliance, not only to protect the organization, but also to protect patient privacy and to operate ethically. Protecting patient privacy is essential to improving the quality of care and fostering access to care.

79
Q

Can you bring a lawsuit if your information is disclosed in violation of CMIA?

A

Yes, under certain circumstances. Unlike HIPAA, CMIA provides individuals a private right of action. Consult an attorney for more information. Cal. Civ. Code §§ 56.35 – 56.37.

80
Q

Who Must Comply with the CDPA?

A

Businesses are subject to the CDPA if both of the following criteria are met:

1) They either conduct business in Virginia or produce products or services that are targeted to Virginia residents, and
2) During a calendar year they (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law.

The law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”

81
Q

The CDPA does not apply to

A

1) certain government agencies,
2) financial institutions subject to the GBLA,
3) covered entities or business associates governed by HIPAA,
4) nonprofit organizations and institutions of higher education.
5) The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act.
6) The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual.
7) Additionally, controllers and processors that comply with verifiable parent consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.

82
Q

What is “Personal Data” Under the CDPA?

A

As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.”

Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.

83
Q

How Does The CDPA Apply Differently to Controllers and Processors?

A

Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf).

Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations.

Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.

84
Q

The CDPA places several responsibilities on controllers including:

A

Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA.
Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR.
Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in their privacy notice and provide a manner in which a consumer may exercise his or her opt-out right. Unlike the CCPA, the CDPA does not appear to specify the manner in which the controller must provide the opt-out right (i.e., there is no requirement for a specific link or button).
Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.

85
Q

What Rights Do Individuals Have Under the CDPA?

Similar to the CPRA and the GDPR, consumers have the following rights under the CDPA:

A

Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data.
Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data.
Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format.
Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.

86
Q

The CDPA does not provide for any hardship exemptions to these rights. Businesses must respond to requests

A

within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.

87
Q

Who Enforces the CDPA?

A

The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers.

The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.

88
Q

CDPA Key Takeaways

A

Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment not to re-identify de-identified personal data and provide details on their data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.

89
Q

The CDPA’s quick pace toward enactment may foreshadow its role as a blueprint for other states looking to enact comprehensive data privacy reform. The CDPA was designed to

A

provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

On the federal level, it has already been predicted that the Biden administration will be active in the federal data privacy movement, given the Obama administration’s steps toward a federal privacy regulatory framework and Vice President Kamala Harris’s support for data privacy initiatives during her time as California’s attorney general. With several other states poised to follow Virginia with their own comprehensive privacy legislation, Congress may shift its priorities in the direction of a federal standard.

90
Q

Does Virginia privacy law apply to employees?

A

Unlike the CCPA, the VCDPA does not apply to employee data and does not create a private right of action for protected consumers.

91
Q

The CPRA defines “sensitive personal information” as personal information

A

that reveals (a) consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) consumer’s geolocation; (d) consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) consumer’s genetic data.

92
Q

The CPRA prescribes several methods by which businesses would be required to enable consumers to limit the use and disclosure of sensitive personal information:

A

(1) by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information,”
(2) by utilizing a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt-out of the sale and sharing of their personal information; or
(3) by complying with the automatic opt-out preference signal.

93
Q

Under the CCPA, entities governed by HIPAA and Gramm-Leach-Bliley may collect personal data that is not covered by those federal laws, which could require compliance with the CCPA. How does the Virginia law compare?

A

The Virginia law broadly exempts financial institutions or data subject to Gramm-Leach-Bliley, not just data collected pursuant to it. And Virginia exempts covered entities and business associates governed by HIPAA, not just PHI collected pursuant to HIPAA.

94
Q

Although the Virginia Consumer Data Protection Act prevents class action lawsuits against violations,

A

the Attorney General of Virginia will be able to administer fines up to $7,500 per instance of violations that aren’t addressed and corrected.

95
Q

Who does the Colorado Privacy Act apply to?

A

The Colorado Privacy Act applies to Colorado residents – which it refers to as “consumers” – and imposes data protection requirements on entities who either:

1) conduct business in Colorado; or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado;

and

2) control or process personal data of at least 100,000 consumers (Colorado residents) a year; or control or process personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data.

96
Q

What does the Colorado Privacy Act apply to?

A

The Colorado Privacy Act applies to “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia Privacy Law, the Colorado Privacy Act’s definition of consumer does not include individuals acting in commercial or employment contexts.

97
Q

The Colorado Privacy Act identifies and imposes obligations on “controllers” and “processors.”

A

A controller is defined as a person that “determines the purposes for and means of processing personal data.” Under the Colorado Privacy Act, controllers are required to:

provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that outlines i) categories of personal data collected or processed by the controller or processors; ii) the purposes for processing; iii) how consumers can exercise the rights granted by the Colorado Privacy Act; iv) categories of personal data shared with third parties; v) categories of third parties with whom personal data is shared;
disclose in a conspicuous manner any sale of consumer data and the manner in which a consumer may opt out of the sale or processing of personal data;
limit collection of personal data to what is adequate, relevant, and “reasonably necessary in relation to the specified purposes for which the data are processed;”
take reasonable measures to secure personal data compatible with the scope, volume, and nature of the data; and
obtain consumer consent before processing sensitive personal data by a clear affirmative act signifying that consent is freely given, specific, informed, and unambiguous. Notably, the Colorado Privacy Act specifies that such consent shall not be obtained through general or broad terms of use or through dark patterns designed to subvert consumer decision-making.

A processor is a person that processes personal data on behalf of the controller. The Colorado Privacy Act requires processors to adhere to the controller’s instructions and assist and cooperate with the controller to comply with its obligations under the act. The Colorado Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.

98
Q

Colorado Privacy Act Compliance

A

The similarities between the Colorado, California and Virginia privacy laws will permit companies to develop a general uniform approach to data privacy compliance obligations in the US. Similar to these other state data privacy laws, entities operating in Colorado should consider the following framework in assessing compliance obligations under the Colorado Privacy Act:

Confirm That Your Business is Subject to the Colorado Privacy Act. Entities must determine whether they meet the jurisdictional threshold of the Colorado Privacy Act, which notably does not include a minimum revenue threshold.
Determine Whether Your Business Depends on the Sale or Purchase of Personal Information. Businesses will need to assess whether and to what extent their disclosures of personal information to third parties fall within the Colorado Privacy Act’s broad definition of “sale” of data, which, similar to the California Privacy Law, includes disclosure for “valuable consideration.” Businesses should note that, under the Colorado Privacy Act (CPA), disclosures to processors or affiliates for the purpose of providing a product or service requested by a consumer, or made intentionally by the consumer, are not considered sales.
Revise Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers and identify the mechanisms implemented for consumers to exercise those rights.
Implement “Reasonable Security Measures.” Assess cybersecurity policies, practices, and controls to ensure they are consistent with industry-recognized standards.
Conduct Data Protection Assessment. Businesses will need to conduct data protection assessments that evaluate how the business processes, sells and uses personal data. Importantly, they should consider the risk involved in such processing.
Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Prior to July 1, 2024 when the requirement comes into effect, businesses should begin to implement use of a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General (to be established by July 1, 2023).
Implement Consent Mechanism for Collecting Sensitive Information. Businesses who collect sensitive data from consumers must obtain affirmative, informed and clear consent. The Colorado Privacy Act specifies that consent does not include accepting general terms of use, use of dark patterns, or hovering over, muting, pausing, or closing content. Businesses should develop opt-in mechanisms for consent in line with these constraints.
Facilitate Receipt and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer requests to exercise their access, correction, and deletion rights under the Colorado Privacy Act.
Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the Colorado Privacy Act.
Although the Colorado Privacy Act fits within the general compliance approach applicable to the California and Virginia privacy laws, certain compliance aspects of these state laws will inevitably require consideration on a state-by-state basis. Additional guidance on the practical implementation of the Colorado Privacy Act is expected in the coming months, consistent with the approach other states have taken after initially enacting their data privacy laws, issuing further guidance to refine them. Nonetheless, businesses will likely be expected to comply with the existing statutory requirements in California and Virginia by January 1, 2023 and in Colorado by July 1, 2023, while remaining nimble enough to adjust as additional guidance and regulations are issued. Several other states are considering or enacting data privacy laws, which may create additional layers of compliance obligations for entities conducting business in the US. Businesses should therefore keep apprised of developments in this evolving area of US consumer data privacy compliance.

99
Q

Although the CPA does not create a private right of action, violations of the law constitute

A

a deceptive trade practice, and Colorado’s attorney general and local district attorneys are vested with the authority to investigate and impose civil penalties against noncompliant businesses

100
Q

CPA Scope of applicability.

A

The CPA primarily applies to a limited set of organizations that control the processing of Colorado residents’ personal data (classified as “Controllers”) and to the third-party service providers who assist in the data processing activities (classified as “Processors”). These classifications mirror the structure set forth in other data protection laws (e.g., Virginia, EU GDPR). In particular, the CPA applies to Controllers conducting business in Colorado or producing or delivering commercial products or services that intentionally target Colorado residents and (i) control the collection of or process the personal data of at least 100,000 consumers annually, or (ii) derive revenue from or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 consumers.

101
Q

The CPA defines “personal data” broadly as

A

any “information that is linked or reasonably linkable to” an identifiable person. On the other hand, it creates many exceptions to its scope of applicability and does not, for example, apply to personal data concerning an individual acting in the commercial or employment context or to protected health information, nonpublic personal information, and other data subject to certain federal privacy laws (e.g., HIPAA, GLBA, FCRA, FERPA, COPPA).

102
Q

CPA Data privacy rights.

A

The CPA creates several new data privacy rights and privileges for Colorado consumers:

the right to confirm whether a Controller is processing their personal data;
the right to access personal data in a portable, and to the extent technically feasible, readily usable format to enable transfer to another entity;
the right to correct inaccurate personal data, and
the right to delete personal data.

103
Q

The CPA creates a framework for

A

how Controllers must intake, authenticate and respond to consumer privacy requests and mandates that organizations create “an internal process” to allow a consumer to “appeal” a Controller’s decision not to honor a data rights request, but it lacks any material specificity on how the appellate review must be formulated. It is not uncommon for Controllers to dispute that a consumer’s personal data is “inaccurate” and refuse to “correct” it. In turn, the CPA provides some flexibility in this area and allows Controllers to make these decisions based on the “nature of the Personal Data and the purposes of the processing.”

104
Q

CPA Opt-out rights

A

In addition, the CPA provides consumers with the right to opt out of the processing of their personal data to the extent it relates to targeted advertising, the sale of personal data or certain types of profiling. Consumers may exercise these rights directly or through third-party agents. The CPA further provides that Controllers must (as of July 2024) allow for consumers to exercise their opt-out rights in certain situations (e.g., targeted advertising, data sales) through a “user selected universal opt-out mechanism” that meets certain requirements set forth by the Colorado attorney general in future regulations. The CPA adopts a definition of “sale” similar to the one set forth in California’s data protection law. Under the CPA, “sale” means the “exchange of Personal Data for monetary or other valuable consideration by a Controller to a third party.” However, the CPA creates important exemptions to the definition of “sale,” such as the disclosure of personal data to a Processor or a Controller’s affiliate.

105
Q

CPA Privacy policies and other notices.

A

A Controller is required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that describes its data processing activities (e.g., categories of personal data collected and processed, the express purposes of processing, types of personal data shared with third parties, categories of recipients). It must also describe how consumers can exercise their data privacy rights and the Controller’s appeals process. A controller that sells personal data or uses it for targeted advertising purposes has the additional obligation to “clearly and conspicuously disclose” such processing and the manner in which consumers can exercise their opt-out rights.

106
Q

CPA Consent.

A

The CPA limits how a Controller can use personal data without a consumer’s consent.

For example, a Controller must not process personal data “for purposes that are not reasonably necessary to or compatible with” the original purposes for which the personal data was collected and processed, unless it obtains the consumer’s consent. Also, a Controller is prohibited from processing “Sensitive Data” without obtaining appropriate consent.

The CPA defines “Sensitive Data” as personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health diagnosis, sex life or sexual orientation, or immigration status; relates to certain genetic or biometric data; or involves personal data collected from a “known child.” The requirement of express prior consent (as opposed to honoring after-the-fact opt-out requests) may add new burdens on Controllers.

107
Q

CPA Data protection assessments.

A

Pursuant to the CPA, a Controller is prohibited from engaging in data processing that “presents a heightened risk of harm to a Consumer” without first undertaking a data protection assessment. In turn, the CPA defines this category of processing broadly to address a variety of common business activities, such as targeted advertising, selling of data, the processing of Sensitive Data, and certain types of profiling. The assessment must be made available to the Colorado attorney general, upon request.

108
Q

CPA Data processing agreements

A

Like many other data protection laws, the CPA requires Controllers and Processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and duration of data processing, the limited manner in which the Processor can use the personal data, confidentiality and employee/personnel vetting requirements, proof of compliance, and auditing. The CPA provides that Processors may only retain subcontractors after furnishing a Controller the opportunity to object to the arrangement and (if so approved by the Controller) only if the subcontractor agrees to the same data protection terms applicable to the Processor. The CPA also requires these Controller-to-Processor contracts to include clauses requiring the Processor to, at the end of the data processing services, delete or return the personal data in its custody, unless retention is required by law; however, it does not expressly create any exceptions for personal data retained in backup or archived formats.

109
Q

CPA Data security.

A

The CPA places affirmative data security obligations on Controllers. It requires them to “take reasonable measures to secure personal data during both storage and use from unauthorized acquisition,” and such measures must be appropriate to the volume, scope and nature of the personal data. The CPA does not address or otherwise attempt to limit other data security requirements set forth in other areas of Colorado law. For instance, pursuant to CO ST § 6-1-713.5, certain businesses must “implement and maintain reasonable security procedures and practices” to safeguard “personal identifying information,” and these measures must be based on the “nature and size of the business and its operations.”

110
Q

Does Colorado privacy Act apply to nonprofits?

A

Unlike the Virginia Consumer Data Protection Act (VCDPA), the CPA does not exempt nonprofits, nor does it expressly provide an entity-level exemption for organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA).

111
Q

The CPA’s mandatory “user-selected universal opt-out mechanism” is not required by either

A

the California Act or the Virginia Act.

112
Q

Under the CPA, consumers must be able to opt out of the sale or sharing of personal data for the purposes of targeted advertising through a user-selected “universal opt-out mechanism” (i.e., a consumer must be able to click one button to exercise all opt-out rights), which

A

meets technical specifications that the attorney general must establish by July 1, 2023. This differs from the CCPA, which makes a universal or global control optional.

113
Q

CPA Compliance

A

Businesses covered by the new data privacy laws should:
Implement cybersecurity safeguards;
Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision;
Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data;
Establish a user-selected universal opt-out mechanism by July 1, 2024;
Update their Privacy Policy to explain their collection and use of data;
Update their contracts with third parties to ensure that they comply with the laws;
Obtain consumers’ informed consent before collecting sensitive data; and
Establish a procedure to determine when to conduct a data protection assessment.

114
Q

Enforcement of the CPA

A

Under the CPA a violation is a deceptive trade practice under the Colorado Consumer Protection Act, such that while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act specifies a penalty of up to $20,000 per violation.

115
Q

CPA Right to Cure

A

Under the CPA, the controller has 60 days to cure a violation after the attorney general or district attorney provides notice. The CCPA and VCDPA only provide 30 days to cure.

Critically, unlike the CCPA or VCDPA, the CPA’s right-to-cure provision expires on January 1, 2025.

116
Q

CPA De-identified Data

A

De-identified data is generally exempt from obligations under the CPA because de-identified data is not personal data if certain conditions are met. However, controllers maintaining de-identified data are required to exercise reasonable oversight over contractual commitments related to de-identified data and to take appropriate steps to address breaches of those commitments. Similar to Virginia’s CDPA, controllers are also required to consider their use of de-identified data when conducting data protection assessments.

De-identified information means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

Takes reasonable measures to ensure the data cannot be associated with an individual.
Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data.
Contractually obligates any recipients of the information to comply with these requirements.
This approach to de-identified information is similar to the approach reflected in California’s CPRA and Virginia’s CDPA. All three privacy laws broadly align with the de-identification framework set forth in the FTC’s 2012 Staff Report.

117
Q

CPA Pseudonymous Data

A

The CPA exempts “pseudonymous data” from certain data subject rights (the right of access and the rights to correction, deletion, and data portability). Pseudonymous data is personal data that cannot be attributed to a specific individual without additional information if such information is “kept separately” and is subject to technical and organizational measures to ensure that the data is not attributed to a specific individual. Similar to Virginia’s CDPA, controllers that maintain pseudonymous data are not required to honor consumer rights requests (except requests to opt out) if the controllers can demonstrate that the information needed to identify the consumer exercising the right is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
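The separation the card describes (attribution data “kept separately” behind technical and organizational controls, with opt-out still honored) can be made concrete. The following is an added Python illustration; it is not code from the flashcard source or from the statute. The class and function names, the choice of HMAC-SHA256 as the pseudonymization function, the suppression-list design, and the sample e-mail addresses are all assumptions made for the example. It also goes one step beyond the card by showing why an unkeyed hash of an identifier does not satisfy the “cannot be attributed without additional information” condition.

```python
"""Keyed pseudonymization with the re-identification secret held apart.

Added illustration, not from the flashcard source. Names are invented.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class PseudonymService:
    """Holds the key that would re-identify records; kept apart from analytics.

    Only this component ever sees a raw identifier. It hands out keyed
    pseudonyms and maintains the opt-out suppression list, so an opt-out is
    honored without the analytics side ever learning who opted out.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self.suppressed: set = set()

    def pseudonym(self, email: str) -> str:
        # HMAC rather than a bare hash: without the key, a record cannot be
        # linked to a person even by hashing a list of candidate addresses.
        norm = email.strip().lower().encode()
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()

    def opt_out(self, email: str) -> str:
        """Record an opt-out; only the pseudonym crosses to the analytics side."""
        p = self.pseudonym(email)
        self.suppressed.add(p)
        return p


class AnalyticsStore:
    """Controller-side dataset: pseudonyms plus non-identifying attributes only."""

    IDENTIFIER_KEYS = ("email", "name", "ssn", "phone")

    def __init__(self):
        self.rows: dict = {}

    def ingest(self, pseudonym: str, attrs: dict) -> None:
        # Technical control: refuse to store anything that would let this
        # side attribute a row to a person on its own.
        if any(k in attrs for k in self.IDENTIFIER_KEYS):
            raise ValueError("identifier would leak into pseudonymous dataset")
        self.rows[pseudonym] = dict(attrs)

    def can_attribute(self, email: str) -> bool:
        """An access/deletion request by e-mail cannot be resolved here."""
        return any(r.get("email") == email for r in self.rows.values())

    def targeting_candidates(self, suppressed: set) -> list:
        """Opt-out is still honored: suppressed pseudonyms are excluded."""
        return [p for p in self.rows if p not in suppressed]


def unkeyed_hash(email: str) -> str:
    """The weak alternative: SHA-256 of the identifier with no secret."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def relink(stored: str, candidates: list) -> Optional[str]:
    """Dictionary re-identification: succeeds against unkeyed hashes, fails
    against keyed pseudonyms computed by PseudonymService."""
    for c in candidates:
        if unkeyed_hash(c) == stored:
            return c
    return None


def demo():
    """Build a small pseudonymous dataset from constructed sample consumers."""
    svc = PseudonymService()
    store = AnalyticsStore()
    consumers = [  # constructed sample data, not real people
        ("alice@example.com", {"state": "CO", "segment": "outdoor"}),
        ("bob@example.com", {"state": "CO", "segment": "travel"}),
    ]
    for email, attrs in consumers:
        store.ingest(svc.pseudonym(email), attrs)
    bob_pseudonym = svc.opt_out("bob@example.com")
    return svc, store, bob_pseudonym


if __name__ == "__main__":
    svc, store, bob = demo()
    print("rows:", len(store.rows), "suppressed:", len(svc.suppressed))
    print("can attribute by e-mail on analytics side:",
          store.can_attribute("alice@example.com"))
```

The point of the split is that the analytics side can prove it holds no identifier and no key, which is the showing the card says a controller must be able to make; the moment the key and the dataset are combined (for example, to answer an access request), the data is ordinary personal data again and the full set of rights applies.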

118
Q

CPA Exemptions

A

The CPA contains exemptions similar to other privacy laws. For instance, the Act does not apply to certain medical information, including personal data governed by the Health Insurance Portability and Accountability Act, or to personal data subject to the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and Gramm–Leach–Bliley Act (GLBA). In addition to a GLBA data-level exemption, the law includes an entity-level exemption for financial institutions and their affiliates that are subject to the GLBA and its implementing regulations. The CPA also largely exempts employee information and business-to-business data: data maintained for employment record purposes is exempt, and although the law applies to consumers, the term “consumer”
excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

119
Q

Connecticut Public Act 21-59: An Act Concerning Data Privacy Breaches

A

Public Act 21-59 modifies Connecticut’s existing data breach and cybersecurity law in three key areas.

1) it expands the substantive definition of what constitutes “personal information” subject to legal protection.
2) it shortens the deadline for providing notice of data breaches (subject to certain qualifications and exceptions as further discussed below) and creates unique notification requirements for incidents involving a breach of login credentials.
3) it protects from public disclosure certain information provided in response to a Connecticut unfair trade practices investigation arising from a data breach.

120
Q

CT Expanded Definition of “Personal Information”

A

Connecticut law previously defined “personal information” as a person’s first name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license number; (3) state identification card number; (4) credit or debit card number; or (5) financial account number in combination with any password or security code that would permit access to such account.

Public Act 21-59 expands this definition significantly to include the following data elements:

Taxpayer identification number;

IRS identity protection personal identification number;

Passport number, military identification number, or other government-issued identification number used to verify identity (e.g., Social Security number);

Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;

Health insurance policy number, subscriber identification number, or other number used by a medical insurer to identify the individual;

Biometric information consisting of data generated by measurements of unique physical characteristics, such as a fingerprint, voice print, retina, or iris image, used to authenticate identity;

User name or electronic mail address in combination with a password or security code that would permit access to an online account.

121
Q

CT Strengthened Data Breach Notice Requirements

A

Under Public Act 21-59, the deadline for providing notice of a data breach to affected individuals and the Connecticut attorney general is shortened from 90 days to “without unreasonable delay, but not later than 60 days.” In the event that the notifying entity discovers additional individuals after the reporting deadline, it is still obligated to act in good faith to notify those individuals “as expediently as possible.” Moreover, if the entity determines it cannot confirm the identities of and provide notice to all affected individuals within the new 60-day deadline, it must provide preliminary substitute notice to all potentially affected individuals and follow up with direct notice as soon as possible. Substitute notice consists of (1) email notice (where the individual’s email address is known), (2) “conspicuous posting” of the notice on the entity’s website (if any), and (3) “notification to major state-wide media, including newspapers, radio and television.”

Further, Public Act 21-59 contains special rules applicable to incidents involving a breach of login credentials. Notice of a breach of login credentials can be provided via email (or other electronic means) to direct the recipient to change their login credentials or take other steps to secure their account. However, if the affected individual’s receipt of the email notification cannot be verified, then an alternative form of notice must be used, or the individual must receive “clear and conspicuous notice” while the individual is “connected to the online account” that the individual “customarily accesses … .” Although not expressly required by the statute, businesses also can consider forcing affected customers to change their passwords or other login information.

Notably, Public Act 21-59 provides that data breach notification requirements apply to anyone who owns, licenses, or maintains computerized data that includes “personal information,” not just those who do so in the ordinary course of business. This broadens the applicability of the statute’s prior notification requirements.

122
Q

CT. Exemption for HIPAA/HITECH Compliant Companies

A

With two important exceptions, any entity subject to (and in compliance with) HIPAA and/or HITECH privacy and security standards is deemed to be in compliance with the notice obligations set forth in Public Act 21-59.

The exceptions are that

(1) an entity required to notify Connecticut residents of a breach under HIPAA/HITECH must also notify the attorney general when those residents are notified; and
(2) if the entity would have been required to provide identity protection or mitigation services under Connecticut law (e.g., due to breach of a Social Security number), that requirement remains in effect. This provision attempts to address any confusion from conflicting state law requirements and requirements under HIPAA/HITECH.

123
Q

CT Protection of Data Breach Reporting from Freedom of Information Requests

A

Public Act 21-59 also provides confidentiality protections to businesses responding to an investigation into alleged violations of Connecticut’s Unfair Trade Practices Act arising from a data breach. Public Act 21-59 provides that “documents, materials and information” furnished in response to such an investigation are exempt from the disclosure requirements of Connecticut’s freedom of information law. However, the attorney general is permitted to make such documents, materials, and information available to third parties for investigative purposes.

124
Q

CT Public Act 21-119: An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses

A

Public Act 21-119 seeks to incentivize greater adoption of cybersecurity standards by businesses. Among other things, Public Act 21-119 allows businesses that comply with certain industry-recognized cybersecurity practices to avoid punitive damages in any tort claim alleging that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The immunity from punitive damages afforded by Public Act 21-119, however, is subject to a few qualifications.

First, protection from punitive damages is provided only for tort claims “brought under the laws of [the state of Connecticut] or in the courts [of the state of Connecticut].” Second, the entity must have complied with a formal, written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information … .” Finally, the program must conform to one or more of the industry-recognized cybersecurity frameworks referenced in the statute. These frameworks include standards adopted by the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and the Payment Card Industry (PCI) Security Standards Council — and, for applicable businesses, the security regulations established by HIPAA, HITECH, FISMA, or GLBA. Entities will be deemed in compliance with subsequently amended or revised versions of the industry-recognized frameworks listed in the statute as long as they conform to such amended or revised version within six months of its publication.

125
Q

CT

A

Connecticut’s updated data breach notification and cybersecurity statutes are consistent with a growing trend of states seeking to protect personal information by expanding the definition of personal identifying information and by providing businesses with new tools to stay in compliance with the law and manage risk associated with information security and privacy.

The tightened notice requirements and expanded definition of “personal information” set forth in Public Act 21-59 will require affected businesses to enhance their efforts to quickly and effectively respond to data breach and other cybersecurity threats. To do so, businesses should strongly consider reviewing and updating their incident response plans, enhancing their training and roundtable exercises, and having in place a list of forensic consultants, outside counsel, and media advisors to meet the tightened deadlines and manage their response.

The immunity from punitive damages afforded by Public Act 21-119 should serve to galvanize potentially affected businesses, as well as their general counsels, CTOs, risk managers, and other privacy professionals to reevaluate and strengthen their information security policies and procedures and adopt industry-recognized standards.

Finally, the exemption from compliance with Public Act 21-59 for entities already compliant with HIPAA and/or HITECH’s privacy and security obligations should enhance efficiency and avoid confusion between state and federal standards, at least with respect to covered entities in the health care industry.