Ch. 7 - State Privacy, Security, and Data Breach Notification Laws Flashcards
California’s first state breach notification law - definition of PI
PI is
(1) Social Security number,
(2) driver’s license number or California identification card number,
(3) financial account number or credit or debit card number “in combination with any required security code, access code or password that would permit access to an individual’s financial account,”
(4) medical information,
(5) health insurance information, and
(6) data collected from automated license plate recognition systems.
** Personal information that is publicly available or encrypted is excluded from the law.
California AB 1950
- law requires a business “that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Furthermore, the bill requires businesses using unaffiliated third-party data processors to contractually mandate similar security procedures
- CA AG issued report that identified Center for Internet Security’s Critical Security Controls as minimum level required.
Mass state security law, 201 CMR 17.00 = most prescriptive in nation
Goes beyond breach notification by requiring those holding PI (name plus sensitive element) to:
- Designate an individual who is responsible for information security
- Anticipate risks to personal information and take appropriate steps to mitigate such risks
- Develop security program rules
- Impose penalties for violations of the program rules
- Prevent access to personal information by former employees
- Contractually obligate third-party service providers to maintain similar procedures
- Restrict physical access to records containing personal information
- Monitor the effectiveness of the security program
- Review the program at least once a year and whenever business changes could impact security
- Document responses to incidents
From a technical perspective, 201 CMR 17.00 mandates user authentication, access controls, encryption, monitoring, firewall protection, updates and training. The law came into effect in 2010.
Washington state security law
- Along with states including Minnesota and Nevada, Washington is part of a growing trend to incorporate the Payment Card Industry Data Security Standard (PCI DSS) into statute to ensure the security of credit card transactions and related personal information.
- Washington’s HB 1149 permits financial institutions to recover the costs associated with reissuance of credit and debit cards from large processors whose negligence in the handling of credit card data is the proximate cause of the breach.
- Processors are not liable if the data were encrypted at the time of the breach or had been certified as PCI-compliant within one year of the breach.
Types of data breaches
- Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
- Hacking or malware—electronic entry by an outside party, malware and spyware
- Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
- Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
- Physical loss—lost, discarded or stolen nonelectronic records such as paper documents;
- Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
- Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
- Unknown or other
Data Breach Step 1
Determining whether breach occurred or not.
Multiple failed log ins, sudden use of long dormant account, off-hours use, unknown programs, files or devices or users;
can be difficult to detect
Data breach - step 2
Containment and physical analysis of the incident.
Recover items, data.
Shut down infiltrated system, revoke access.
Forensic support may be needed.
Full audit and careful analysis, document.
Data breach - step 3
Notify affected parties.
States often require certain content in notification.
Contractual obligations as well.
timing crucial -
Data breach - step 4
Implement effective follow up methods.
Additional training, internal self-assessments, 3rd party audits, additional monitoring.
Identify deficiencies and correct.
OMB requirements for federal agency data breach
can serve as guidance.
The OMB set forth the following framework for a security breach plan:
• Designate the members who will make up a breach response team
• Identify applicable privacy compliance documentation
• Share information concerning the breach to understand the extent of the breach
• Determine what reporting is required
• Assess the risk of harm for individuals potentially affected by the breach
• Mitigate the risk of harm for individuals potentially affected by the breach
• Notify the individuals potentially affected by the breach
OMB policies also focused on the issue of contracts with vendors. From a best-practices perspective, organizations should ensure that vendors are contractually required to do the following: provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches; participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.
Basic components of state data breach notification laws
- The definition of personal information, meaning the specific data elements that trigger reporting requirements
- The definition of what entities are covered
- The definition of a “security breach” or “breach of the security of a system”
- The level of harm requiring notification
- Whom to notify
- When to notify
- What to include in the notification letter
- How to notify
- Exceptions that may exist to the obligation to notify (or when notification may be delayed)
- Penalties and rights of action
Definition of PI in state data breach notification laws
CT as example:
an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number, (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
others include medical and healthcare info.
some add federal or state ID numbers
some add biometric
Almost all exclude publicly available info - from public records or widely distributed media.
Definition of covered entities under state data breach notification laws
CT as example:
“any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.”
Harm and Definition of Security Breach in state data breach notification laws
CT as example:
Connecticut defines a “breach” of security as “unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable”
Some states add materiality qualifier or likely to cause identity theft as standard.
Whom to Notify under state data breach notification law
Primarily state residents who are at risk because of the breach.
More than half require AG notification and/or other state agencies, if certain thresholds crossed.
Timing of AG notification varies, from same time as affected individuals, to later.
At least 28 states require notice to nationwide CRAs, if certain thresholds are crossed (usually higher than number of affected to trigger AG notice).
All require notification of owner of data if its not the company.
When to notify under state data breach notification laws
The most common phrase used in conjunction with timing is the most expeditious time possible and without unreasonable delay.
Legislators, however, recognize the need for the affected entity to conduct a “reasonable investigation in order to determine the scope of the breach and to restore the reasonable integrity of the data system.”
As of 2017, only Florida, New Mexico, Ohio, Rhode Island, Tennessee, Vermont, Washington and Wisconsin specify a limit to expeditious time—typically no later than 45 days after the discovery of the breach.
Delays allowed to notify law enforcement, if criminal activity is suspected, if law enforcement believes notice would hamper investigation.
Puerto Rico has 10 days.
What to include in notice under state data breach notification laws
NC is among most extensive:
- A description of the incident in general terms
- A description of the type of personal information that was subject to the unauthorized access and acquisition
- A description of the general acts of the business to protect the personal information from further unauthorized access
- A telephone number for the business that the person may call for further information and assistance, if one exists
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
- The toll-free numbers and addresses for the major consumer reporting agencies
- The toll-free numbers, addresses and website addresses for the FTC Commission and the North Carolina attorney general’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft
How to notify
Written notice required. email and telephone if opted in to that.
Most legislation recognizes need for alternatives if thousands/millions.
CT as example: email, conspicuous posting on website, or in media
Exceptions to notification
3 basics:
- For entities subject to more stringent notification laws. Eg HIPAA, GLBA.
- Already following procedures as part of own infosec policies, as long as compatible.
- Encrypted, redacted, unreadable, unusable.
Penalties
State AG, with penalties for damages of various amounts (willful more).
PROA in handful - (VA, CA, TX MD, DC, others)
State Data Destruction Laws
At least 32, by 2017
Describe whom applies to, required notice of destruction, exemptions (eg. subject to federal law requiring destruction).
Most laws like NC so use as example.
NC as example, applies to those conducting biz in NC or maintains/possesses PI of resident of NC.
NC requires entities to take reasonable measures to safeguard against unauthorized access in connection with or after disposal.
NC - required reasonable measures -
- Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that information cannot be practicably read or reconstructed
- Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed
- Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
No PROA unless personal injury.
State Regulatory Authorities
The lack of a comprehensive federal privacy law increases the power of the states
Marketing Laws
a. Covered by both self-regulation and federal/state laws (CIPP/US Limits on Private Sector Data)
b. Self-regulation is when companies in an organization form a coalition, define standards of conduct, then mutually commit to following those standards and develop an enforcement program to verify to each other and the public that they are doing it.
c. NAI (Network Advertising Initiative) – for those who participate in online advertising, the NAI publishes a code of conduct with detailed requirements including notices of privacy practices, an opt-out option for consumers, and how to provide information on data security, use, and availability. The NAI is one example of an industry self-regulatory framework.
d. The BBB offers a self-regulatory framework for advertising to children
e. Every state as a law protecting consumers against unfair and deceptive trade practices
f. CAN-SPAM provides state AG to bring legal action against violators.
California SB-1
expands upon GLBA. Restricts financial institutions sharing of customer information. Under GLBA financial institutions can share customer information with third parties unless the customer opts-out, SB-1 requires the customer to opt-in. SB-1 also requires that financial institutions must provide a “important privacy notices for consumers” prominently.
Social Security Number (SSN)
The most sensitive information for individuals in the U.S., the digitization of consumer finance has resulted in an increased use of SSNs. Possession of an SSN is widely used as proof of identity. Organizations now need to purse unnecessary stores of SSNs and protect SSNs they still need.
California Electronic Communications Privacy Act (2015)
Requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do.
1. Builds upon the federal electronic communications privacy act. Places restrictions on state law enforcement in two different ways:
o Access to Service Provider Records – requires a search warrant or court order in criminal cases; requires a subpoena in noncriminal cases
o Access to Electronic Devices – requires a search warrant, wiretap order, consent of the customer, or certification of an emergency situation
o CalECPA only applies to California law enforcement agencies, not federal agencies operating in CA
Delaware Online Privacy and Protection Act of 2016 (DOPPA)
Summary:
Requires any website collecting PII must post and comply with the regulation by conspicuous posting (on the homepage or with a link with the word “privacy”. Must be reasonable accessible to users.
o The policy must identify PII collected and third parties whom the site shares PII.
o Disclose handling of “do not track requests”
o Describe policy change notification procedures
eBook providers are prohibited from sharing information about users without appropriate legal process.
Prohibited Advertising to Children – the prohibited categories include alcohol/drugs, firearms or fireworks, tanning, dietary supplements, tanning, lottery/gambling, body modifications, sexual materials
Detail:
Effective January 1, 2016, provides strong online privacy protection for the residents of Delaware. The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violation of the law.
Three major provisions of DOPPA
o Websites must post privacy policies
o eBook providers must safeguard user information
o Websites targeting children must restrict advertising.
Nevada SB 538 - 2017
Requires website owners to post privacy notices. Applies to any website operators who collect and maintain PII of Nevada residences. Organizations who do not meet this requirement are fined $5,000.
Nevada SB Requirements
o Categories of information and third-party partners
o Describe process to review and correct records, if available
o Describe notification process for policy changes
o Disclosure use of third-party tracking services
o Include an effective date.
Illinois Right to Know Act - 2017
Proposed protections for personal information collected by websites. Failed to reach a vote. Even though it did not pass, it’s noteworthy for the exam to know that it provided the first private right of action to civilians who felt their privacy was harmed by an organization
New Jersey Personal Information and Privacy Protection Act (2017)
Regulates the scanning of identification cards. For the purposes of the law, scanning applies to any type of electronic reading of the card. Retail can only scan cards for 8 purposes:
o Verify the authenticity of the card or identity of card holder
o Verify the age for age-restricted purchases
o Prevent fraud for refunds or exchanges
o Open or manage a credit account or transaction
o Establish or maintain a contractual relationship
o Meet obligations under federal or state law
o Transmit information to a financial institution
o Meet obligations under HIPAA.
• Data for age or authenticity cannot be retained.
• Information retained must be reported.
• Retailers are prohibited from selling and otherwise using this information.
• NJPIPPA includes a private right of action and allows fines of up to $5,000.
Washington Biometric Privacy Law (H.B. 1493) (2017)
Biometrics are an important security control used to protect sensitive data.
1. Biometric Identifier – data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual
2. The law excludes photos, video recordings and audio recordings
3. Enrollment requirements:
o Notice
o Consent
o Mechanism preventing commercial use
4. The law limits sharing biometric information with third parties unless consent, required by law, or to a contracted third-party consistent with the law
5. Maintenance requirements:
o Protect against unauthorized access
o Dispose when not needed
o Only used as disclosed when it was obtained
NYDFS Cyber-security Regulation (2017)
Regulates banks, insurance companies, and other FSI providers operating out of NY. Cybersecurity regulation applies to all covered entities regulated by DFS.
- Requires that all covered entities must implement a risk-based cybersecurity program
- Covered entities must also implement a written cybersecurity policy
- Designate a chief information security officer (CSISO) who provides a written report to the board.
- DFS Cybersecurity Controls
DFS Cyber-security Controls
o Penetration testing o Vulnerability assessment o Audit trail o Access privileges o Application security o Risk assessments o Multi-factor authentication o Encryption o Incident response plan o Secure disposal
Personal Information
a person’s first name or first initial and their last name when combined with their social security number, driver’s license number or state identity card number, or financial account number, credit card number, or debit card number in combination with a security code of password.
Security Breach
Unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable
Conditions for notification of a breach
Most states use generic language (i.e. “unreasonable delay”) Others have specific days (30, 60, or 90)
Subject Rights for Data Breaches
Most states do not allow a private right of action. (Only AG can bring forward a suit).
Tennessee SB 2005
i. Passed in 2016
ii. Changes:
1. Defined personal information to include encrypted data
2. Shortened the notice period to 14 days
3. Extended definition of a data breach to unauthorized access by an employee of information to be used for an unlawful purpose
Illinois HB 1260
- Expanded PI to include health records, biometric data, and usernames/passwords to the scope of the law
- Requires notification of AG for HIPPA breaches
- Removes encryption safe harbor if encryption key was breached
California AB 2828
- Removes encryption safe harbor if encryption key was breached
- Allows delayed notification at the request of law enforcement
- Creates specific content and format requirements for breach notices
New Mexico HB 15
- One of the last to pass a data breach notification law
- Includes biometric information in scope
- Requires AG notification if more than 1,000 new Mexicans are affected
- Exempts GLBA and HIPPA covered entities
- Includes secure data storage and disposal
Massachusetts HB 4806
- Requires credit monitoring services for breaches involving SSNs
The California data breach notification law (SB 1386):
A. Defines personal information as the person’s name only
B. Does not provide for monetary damages in the event of a breach
C. Is enforced by the California Attorney General and allows for a private right of action
D. Requires encryption of all personal information
C. Is enforced by the California Attorney General and allows for a private right of action
DOPPA (DE)
Similar to CalOPPA.
Must post privacy policy if working with kids, and can’t use PII to market alcohol, tobacco, tattoos, fireworks, piercings, etc to kids.
CalOPPA (CA) - What is it?
1st law in nation to include websites, including mobile apps, to conspicuously post a privacy policy if they collect PII from CA residents. 2013
CalOPPA (CA) - Disclosure Requirements (4)
Must disclose:
- categories of PII collected
- types of 3rd parties that data can be shared to
- how site responds to Do Not Track signals
- If other parties can collect PII over time when using the site
ICRAA (CA)
Investigative Consumer Reporting Agencies Act- stricter than FCRA, requires written consent and includes a person’s “character.” Also requires that people can request a copy of the report, and a copy must be provided if adverse action is taken (regardless of whether you requested the copy)
CMIA (CA)
Confidentiality of Medical Information Act- broader definition of contractor than HIPAA (eg, you’re considered a contractor if you made the healthcare software, phone apps with health data, etc)
SB-1 (CA)
AKA Financial Info Privacy Act- limits financial data sharing to 3rd party partners
SB-1386 (CA)
If you store any customer data, you must notify CA residents of breaches.
Do Not Track Law (CA)
CalOPPA
Massachusetts Personal Information Security Regulation
All parties that own or license PI of MA residents must encrypt all PI stored on laptops or other portable devices, as well as in transit when wireless or public networks.
MA State 201 CMR 17
Most prescriptive breach law in nation.
Establishes minimum PI safeguards for physical and electronic records.Basically have to have an ISO-style compliance program and report breaches.
If the breach includes credit/debit #s, the financial institutions must report, too.
TN SB 2005
1st state to require notification of any breach, whether encrypted or not. Original bill exempted encrypted data.
45 days to notify of breach
IL HB 1260
“Personal Info Protection Act,” or PIPA
PII = PHI, PI, email, address, passwords, security questions, biometric data
Limits encryption safe harbor if the keys were likely exposed or compromised
CA AB 2828
Requires notification of breached encrypted data, in addition to unencrypted data.
NM HB 15
Breach notification law
PII includes biometrics, like fingerprints and voice prints
Includes encrypted data if keys were likely compromised, and unencrypted data.
45 days to notify
What does the CalOPPA do?
Requires operators of commercial websites to conspicuously post a privacy policy is the collect PII from those living in California. The policy must include information on how the operator responds to Do Not Track signals and to state whether 3 parties can collect PII about the site’s users.
What is the California confidentiality of medical information Act?
The Confidentiality of Medical Information Act (CMIA) is a California law that protects the confidentiality of individually identifiable medical information obtained by health care providers, health insurers, and their contractors.
Who does the California confidentiality of medical information Act apply to?
CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.
The California Confidentiality of Medical Information Act (CMIA) defines
who may release confidential medical information, and under what circumstances.
The CMIA also prohibits the sharing, selling, or otherwise unlawful use of medical information.
In general, the CMIA prohibits
health care providers, health care service plans, contractors, and pharmaceutical companies from disclosing patient medical information without first receiving a valid written authorization signed by the patient or the patient’s legal representative.
Under the CMIA, medical information is defined as:
“any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”
Under the CMIA, Individually identifiable is defined as:
medical information that “. . .includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.”
The CMIA imposes requirements on the written authorization used for disclosure of medical information:
authorization must be either handwritten by the individual who signs the document (the patient or their representative), or printed in a minimum of 14-point type
authorization language must be clearly separated from any other language on the same page
patient’s signature must “serve no other purpose than to execute the authorization”
authorization form must be signed and dated.
Under the CMIA, The authorization must specifically include the following:
the specific uses and limitations on the types of medical information to be disclosed
the name or functions of the health care provider, health care service plan pharmaceutical company, or contractor that is being allowed to disclose the information pursuant to the authorization
the names or functions of those persons or entities authorized to receive the information
the specific uses and limitations on use of the information by the authorized recipients
the expiration date of the authorization
notice that the signer is entitled to a copy of the form
Under the CMIA, Only the following individuals are allowed to sign the authorization:
the patient
the patient’s legal representative, if the patient is a minor or incompetent (unless the minor could give legal consent to the care and treatment which is the subject of the information, in which case the minor must give written authorization)
the patient’s spouse or other financially responsible person, but only for the purpose of processing an application for dependent health care coverage and the patient will become an enrolled spouse or dependent
the beneficiary or personal representative of a deceased patient
What law states Health care service plans must assure confidentiality?
California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information.
Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.
What law states Health care service plans must assure confidentiality?
California’s Health & Safety Code §1364.5 mandates that health care service plans must protect the security of patient medical information.
Among the requirements, health care plans must have available to all enrollees a written statement to describe how the plan maintains the confidentiality of enrollees’ medical information, how and for what purposes medical information may be collected, the circumstances under which medical information may be disclosed without prior authorization, and how patients may obtain access to their records.
The CMIA requires that providers who “create, maintain, preserve, store, ‘abandon’ destroy, or dispose of” medical information do so in a manner that preserves the information’s confidentiality, or
they will be subjected to the penalties for wrongful disclosure.
Furthermore, an electronic medical record system must protect and preserve the integrity of electronic information, and “automatically record and preserve any change or deletion of any electronically stored medical information.”
The record of any change or deletion must include the identity of the person who accessed and changed the information, the date and time the information was accessed, and the change that was made.
California Health & Safety Code §123110 provides that
1) any adult, minor authorized by law to consent to treatment, or patient representative may inspect the patient’s medical records upon presentation of a written request and payment of reasonable clerical costs.
2) Physical inspection of the records must be allowed within five working days after receipt of the written request.
3) Copies of records may be obtained by written request and payment of certain costs, and the records must be transmitted within 15 working days after receiving the written request.
California Health & Safety Code §123111 allows
1) any “adult patient” to “provide to the health care provider a written addendum with respect to any item or statement in his or her records that the patient believes to be incomplete or incorrect.” The addendum is limited to 250 words per alleged incomplete or incorrect item in the patient’s record, and it must clearly indicate in writing that the patient wants the addendum to be part of the medical chart.
2) The physician must “attach the addendum to the patient’s records” and must include it whenever the health care provider “makes a disclosure of the allegedly incomplete or incorrect portion of the patient’s records to any third party.” Health care providers are protected from liability under this code section for any “defamatory or otherwise unlawful language” written in the addendum and subsequently included in the medical record.
What does CMIA say about “Disclosure to friends, relatives and personal representatives”?
1) Providers may disclose to a family member, other relative, domestic partner, or a close personal friend of the patient, or to any other person identified by the patient, the medical information directly relevant to that person’s involvement with the patient’s care. A provider may also disclose the patient’s location, general condition, or death to notify or assist in the notification, identification or location of a family member, personal representative of the patient, domestic partner, or another person responsible for the care of the patient.
2) If the patient is available and has the capacity to make health care decisions, the information above may be disclosed only if: the patient agrees, or the patient is provided with an opportunity to object and does not object, or the provider “reasonably infers from the circumstances, based on the exercise of professional judgment,” that the patient would not object to the disclosure.
3) If the patient is not available or incapacitated, or if an “emergency circumstance” exists, the provider “may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient, and if so disclose that information relevant to that person’s involvement in the patient’s medical care. Professional judgment and experience with common practice may also be used to make reasonable inferences of the patient’s best interests, to allow a person to pick up prescriptions, medical supplies, x-rays or other forms of medical information.
4) A psychotherapist may only disclose information under the above circumstances if the patient agrees, or if the patient has not expressed an objection when provided with the opportunity to object to the disclosure.
What does CMIA say about “Discretionary disclosure of information”?
There is a lengthy list of persons and/or entities to which, and circumstances in which, medical information may be disclosed at the discretion of the provider without a patient’s written authorization.
Before releasing any medical information without a patient’s authorization, providers should confirm who is requesting the information, and for what purpose the information is being requested. Discretionary disclosure is only allowable in the specific situations outlined in the applicable code section.
Under the CMIA, medical information must be released when compelled:
by court order
by a board, commission or administrative agency for purposes of adjudication
by a party to a legal action before a court, arbitration, or administrative agency, by subpoena or discovery request
by a board, commission or administrative agency pursuant to an investigative subpoena
by an arbitrator or arbitration panel, when arbitration is lawfully requested by either party
by lawful search warrant
at the “request” of the coroner (see below)
when otherwise specifically required by law
The patient or patient’s representative must also be given access to inspect or get copies of medical records upon payment of reasonable clerical costs and certain other conditions.
Additionally, the CMIA requires provision of confidential medical information to a medical examiner, forensic pathologist, or coroner, “when requested in the course of an investigation… for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation pursuant to [Health & Safety Code §7151.15], or when otherwise authorized by the decedent’s representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation or who is the prospective donor and shall be disclosed to the coroner without delay upon request.”
An example of a State healthcare law that prompts HIPAA
One example of this is the California Confidentiality of Medical Information Act (CMIA), which has greater standards of protection of privacy than HIPAA.
Patient health information is governed by robust rules that determine how this data is handled, stored, and accessed. Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and various state laws strengthen patient rights. HIPAA set a baseline for regulatory compliance with patient health information. Under the “preemption” language in the rule, no state may create less effective or weaker medical privacy protection for individuals.
However, states can exceed HIPAA regulations and institute more stringent requirements.
Under the CMIA,
medical information is defined as “individually identifiable health information about a patient’s medical history, mental or physical condition, or treatment.”
Information that identifies a person, inclusive of a name, email address, physical address, phone number or Social Security number, is considered “individually identifiable” under the CMIA. Additionally, if the information can be combined with publicly available information to reveal a person’s identity, it is also considered “individually identifiable.”
CMIA covers providers of health care, health care service plans, contractors, as well as “recipients” of that information.
Employers should note that “recipients” are not defined under the CMIA and may have a broad range of applications. Therefore, it is prudent that providers who fall under CMIA investigate methods by which health care information may be received. They must also manage all possible sources of intake with proper safeguards.
One significant way the two regulations differ is in violations. While HHS can issue fines under HIPAA, the CMIA allows patients to bring legal action for violations, inclusive of compensation, attorney fees, and damages.
Additionally, the CMIA’s definition of “provider of health care” is more extensive than HIPAA’s language. Under Cal. Civ. Code § 56.06., any business that offers software or hardware, “including a mobile application or related device,” that are designed to maintain medical information, is considered a provider.
Employers who receive employee medical information fall under the CMIA. Employers must assess and apply methods to secure such information, as well as integrate systems that prevent disclosure of employee health information without worker authorizations.
Conclusion
Organizations, health care providers and covered entities who fall under CMIA and HIPAA should train employees. Instruct them on the specific requirements to ensure end-to-end protection of data, and regularly survey the integrity of the risk management program and reassess systems and policies.
Because CMIA is more stringent than HIPAA, employers should ensure employee compliance, not only to protect the organization, but also to protect patient privacy and to operate ethically. Protecting patient privacy is essential to improving the quality of care and fostering access to care.
Can you bring a lawsuit if your information is disclosed in violation of CMIA?
Yes, under certain circumstances. Unlike HIPAA, CMIA provides individuals a private right of action. Consult an attorney for more information. Cal. Civ. Code §§ 56.35 – 56.37.
Can you bring a lawsuit if your information is disclosed in violation of CMIA?
Yes, under certain circumstances. Unlike HIPAA, CMIA provides individuals a private right of action. Consult an attorney for more information. Cal. Civ. Code §§ 56.35 – 56.37.
Who Must Comply with the CDPA?
Businesses are subject to the CDPA if both of the following criteria are met:
They either conduct business in Virginia or
produce products or services that are targeted to Virginia residents, and
During a calendar year (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.
The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law.
The law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”
The CDPA does not apply to
1) certain government agencies,
2) financial institutions subject to the GBLA,
3) covered entities or business associates governed by HIPAA,
4) nonprofit organizations and institutions of higher education.
5) The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act.
6) The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual.
7) Additionally, controllers and processors that comply with verifiable parent consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.
What is “Personal Data” Under the CDPA?
As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.”
Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.
How Does The CDPA Apply Differently to Controllers and Processors?
Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf).
Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations.
Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.
The CDPA places several responsibilities on controllers including:
Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer consent.
Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA.
Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR.
Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in its privacy notice and provide a manner in which a consumer may exercise his or her opt out right. Unlike the CCPA, the CDPA does not appear to specify the specific manner in which the controller must prove the opt out right (i.e., there is no requirement for a specific link or button).
Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.
What Rights Do Individuals Have Under the CDPA?
Similar to the CPRA and the GDPR, consumers have the following rights under the CDPA:
Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data.
Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data.
Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format.
Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in further of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.
The CDPA does not provide for any hardship exemptions to these rights. Businesses must respond to requests
within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.
Who Enforces the CDPA?
The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers.
The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.
CDPA Key Takeaways
Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment to not re-identify de-identified personal data and provide details on its data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.
The CDPA’s quick pace toward enactment may foreshadow its role as a blueprint for other states looking to enact comprehensive data privacy reform. The CDPA was designed to
provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”
On the federal level, it has already been predicted that the Biden administration will be active in the federal data privacy movement, given the Obama administration’s steps toward a federal privacy regulatory framework and Vice President Kamala Harris’s support for data privacy initiatives during her time as California’s attorney general. With several other states poised to follow Virginia with their own comprehensive privacy legislation, Congress may shift its priorities in the direction of a federal standard.
Does Virginia privacy law apply to employees?
Unlike the CCPA, the VCDPA does not apply to employee data and does not create a private right of action for protected consumers
The CPRA defines “sensitive personal information” as personal information
that reveals (a) consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) consumer’s geolocation; (d) consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) consumer’s genetic data.
The CPRA prescribes several methods by which businesses would be required to enable consumers to limit the use and disclosure of sensitive personal information:
(1) by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information,”
(2) by utilizing a single link which would easily allow consumers to limit the use of their sensitive personal information and to opt-out of the sale and sharing of their personal information; or
(3) by complying with the automatic opt-out preference signal.
Under the CCPA, entities governed by HIPAA and Gramm-Leach-Bliley may collect personal data that is not covered by those federal laws, which could require compliance with the CCPA. How does the Virginia law compare?
The Virginia law broadly exempts financial institutions or data subject to Gramm-Leach-Bliley, not just data collected pursuant to it. And Virginia exempts covered entities and business associates governed by HIPAA, not just PHI collected pursuant to HIPAA.
Although the Virginia Consumer Data Protection Act prevents class action lawsuits against violations,
the Attorney General of Virginia will be able to administer fines up to $7,500 per instance of violations that aren’t addressed and corrected.
Who does the Colorado Privacy Act apply to?
The Colorado Privacy Act applies to Colorado residents – which it refers to as “consumers” – and imposes data protection requirements on entities who either:
conduct business in Colorado; or
produce or deliver commercial products or services that are intentionally targeted to residents of Colorado;
and
control or processes personal data of at least 100,000 consumers (Colorado Residents) a year; or
control or process personal data of at least 25,000 consumers and derive revenue or receives a discount on the price of goods or services, from the sale of personal data.1
What does the Colorado Privacy Act apply to?
The Colorado Privacy Act applies to “Personal Data,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.”2 Personal Data does not include information that is de-identified or that is publicly available. Similar to the Virginia Privacy Law, the Colorado Privacy Act’s definition of consumer does not include individuals acting in commercial or employment contexts.
The Colorado Privacy Act identifies and imposes obligations on “controllers” and “processors.”
A controller is defined as a person that “determines the purposes for and means of processing personal data.”4 Under the Colorado Privacy Act, controllers are required to:
provide consumers with a “reasonably accessible, clear, and meaningful privacy notice,” that outlines i) categories of personal data collected or processed by the controller or processors; ii) the purposes for processing; iii) how consumers can exercise the rights granted by the Colorado Privacy Act; iv) categories of personal data shared with third parties; v) categories of third parties with whom personal data is shared;5
disclose in a conspicuous manner any sale of consumer data and the manner in which a consumer may opt-out of the sale or processing of personal data;6
limit collection of personal data to what is adequate, relevant, and “reasonably necessary in relation to the specified purposes for which the data are processed;”7
take reasonable measures to secure personal data compatible with the scope, volume, and nature of the data;8 and
obtain consumer consent before processing sensitive personal data by a clear affirmative act signifying that consent is freely given, specific, informed, and unambiguous.9 Notably, the Colorado Privacy Act specifies that such consent shall not be obtained through general or broad terms of use or through dark patterns designed to subvert consumer decision-making.10
A processor is a person that processes personal data on behalf of the controller.11 The Colorado Privacy Act requires processors to adhere to the controller’s instructions and assist and cooperate with the controller to comply with its obligations under the act. The Colorado Privacy Act also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions.12
Colorado Privacy Act Compliance
The similarities between the Colorado, California and Virginia privacy laws will permit companies to develop a general uniform approach to data privacy compliance obligations in the US. Similar to these other state data privacy laws, entities operating in Colorado should consider the following framework in assessing compliance obligations under the Colorado Privacy Act:
Confirm That Your Business is Subject to the Colorado Privacy Act. Entities must determine whether they meet the jurisdictional threshold of the Colorado Privacy Act, which notably does not include a minimum revenue threshold.
Determine Whether Your Business Depends on the Sale or Purchase of Personal Information. Businesses will need to assess whether and to what extent their disclosures of personal information to third parties falls within the Colorado Privacy Act’s broad definition of “sale” of data, which, similar to the California Privacy Law, includes disclosure for “valuable consideration.” Businesses should note that, under the Colorado Privacy Act (CCPA), disclosures to processors or affiliates for the purpose of providing a product or service requested by a consumer or made intentionally by the consumer are not considered sales.30
Revise Privacy Policies. Revise privacy policies to reflect personal data processing activities, communicate the new rights available to consumers and identify the mechanisms implemented for consumers to exercise those rights.
Implement “Reasonable Security Measures.” Assess cybersecurity policies, practices, and controls to ensure they are consistent with industry-recognized standards.
Conduct Data Protection Assessment. Businesses will need to conduct data protection assessments that evaluate how the business processes, sells and uses personal data. Importantly, they should consider the risk involved in such processing.
Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Prior to July 1, 2024 when the requirement comes into effect, businesses should begin to implement use of a user-selected universal opt-out mechanism that meets the technical specifications established by the Attorney General (to be established by July 1, 2023).
Implement Consent Mechanism for Collecting Sensitive Information. Businesses who collect sensitive data from consumers must obtain affirmative, informed and clear consent. The Colorado Privacy Act specifies that consent does not include accepting general terms of use, use of dark patterns, or hovering over, muting, pausing, or closing content. Businesses should develop opt-in mechanisms for consent in line with these constraints.
Facilitate Receipt and Response to Consumer Requests. Develop mechanisms for accepting, tracking, verifying and honoring consumer requests to exercise their access, correction, and deletion rights under the Colorado Privacy Act.
Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely and consistent manner that is ultimately compliant with the Colorado Privacy Act.
Although the Colorado Privacy Act fits within the general compliance approach applicable to the California and Virginia privacy laws, there will inevitably be certain compliance aspects among these state laws that will require consideration on an individual state basis. Additional guidance on the practical implementation of the Colorado Privacy Act is expected in the coming months. This is consistent with the approach taken by other states following the initial enactment of their respective data privacy laws, to further refine these laws. Nonetheless, businesses will likely be expected to take steps to comply with the existing statutory requirements in California and Virginia by January 1, 2023 and Colorado on July 1, 2023, while remaining nimble enough to adjust as additional guidance and regulations are issued. It is worth noting that several other states are in the process of considering and enacting data privacy laws, which may create additional layers of compliance obligations on entities conducting business in the US. As such, businesses should keep apprised of the developments in the evolving area of US consumer data privacy compliance.
Although the CPA does not create a private right of action, violations of the law constitute
a deceptive trade practice, and Colorado’s attorney general and local district attorneys are vested with the authority to investigate and impose civil penalties against noncompliant businesses
CPA Scope of applicability.
The CPA primarily applies to a limited set of organizations that control the processing of Colorado residents’ personal data (classified as “Controllers”) and to the third-party service providers who assist in the data processing activities (classified as “Processors”). These classifications mirror the structure set forth in other data protection laws (e.g., Virginia, EU GDPR). In particular, the CPA applies to Controllers conducting business in Colorado or producing or delivering commercial products or services that intentionally target Colorado residents and (i) control the collection of or process the personal data of at least 100,000 consumers annually, or (ii) derive revenue from or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 consumers.
The CPA defines “personal data” broadly as
any “information that is linked or reasonably linkable to” an identifiable person. On the other hand, it creates many exceptions to its scope of applicability and does not, for example, apply to personal data concerning an individual acting in the commercial or employment context or to protected health information, nonpublic personal information, and other data subject to certain federal privacy laws (e.g., HIPAA, GLBA, FCRA, FERPA, COPPA).
CPA Data privacy rights.
The CPA creates several new data privacy rights and privileges for Colorado consumers:
the right to confirm whether a Controller is processing their personal data;
the right to access personal data in a portable, and to the extent technically feasible, readily usable format to enable transfer to another entity;
the right to correct inaccurate personal data, and
the right to delete personal data.
The CPA creates a framework for
how Controllers must intake, authenticate and respond to consumer privacy requests and mandates that organizations create “an internal process” to allow a consumer to “appeal” a Controller’s decision not to honor a data rights request, but it lacks any material specificity on how the appellate review must be formulated. It is not uncommon for Controllers to dispute that a consumer’s personal data is “inaccurate” and refuse to “correct” it. In turn, the CPA provides some flexibility in this area and allows Controllers to make these decisions based on the “nature of the Personal Data and the purposes of the processing.”
CPA Opt-out rights
In addition, the CPA provides consumers with the right to opt out of the processing of their personal data to the extent it relates to targeted advertising, the sale of personal data or certain types of profiling. Consumers may exercise these rights directly or through third-party agents. The CPA further provides that Controllers must (as of July 2024) allow for consumers to exercise their opt-out rights in certain situations (e.g., targeted advertising, data sales) through a “user selected universal opt-out mechanism” that meets certain requirements set forth by the Colorado attorney general in future regulations. The CPA adopts a definition of “sale” similar to the one set forth in California’s data protection law. Under the CPA, “sale” means the “exchange of Personal Data for monetary or other valuable consideration by a Controller to a third party.” However, the CPA creates important exemptions to the definition of “sale,” such as the disclosure of personal data to a Processor or a Controller’s affiliate.
CPA Privacy policies and other notices.
A Controller is required to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that describes its data processing activities (e.g., categories of personal data collected and processed, the express purposes of processing, types of personal data shared with third parties, categories of recipients). It must also describe how consumers can exercise their data privacy rights and the Controller’s appeals process. A controller that sells personal data or uses it for targeted advertising purposes has the additional obligation to “clearly and conspicuously disclose” such processing and the manner in which consumers can exercise their opt-out rights.
CPA Consent.
The CPA limits how a Controller can use personal data without a consumer’s consent.
For example, a Controller must not process personal data “for purposes that are not reasonably necessary to or compatible with” the original purposes for which the personal data was collected and processed, unless it obtains the consumer’s consent. Also, a Controller is prohibited from processing “Sensitive Data” without obtaining appropriate consent.
The CPA defines “Sensitive Data” as personal data that reveals a consumer’s racial or ethnic origin, religious beliefs, health diagnosis, sex life or sexual orientation, or immigration status; relates to certain genetic or biometric data; or involves personal data collected from a “known child.” The requirement of express prior consent (as opposed to honoring after-the-fact opt-out requests) may add new burdens on Controllers.
CPA Data protection assessments.
Pursuant to the CPA, a Controller is prohibited from engaging in data processing that “presents a heightened risk of harm to a Consumer” without first undertaking a data protection assessment. In turn, the CPA defines this category of processing broadly to address a variety of common business activities, such as targeted advertising, selling of data, the processing of Sensitive Data, and certain types of profiling. The assessment must be made available to the Colorado attorney general, upon request.
CPA Data processing agreements
Like many other data protection laws, the CPA requires Controllers and Processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and duration of data processing, the limited manner in which the Processor can use the personal data, confidentiality and employee/personnel vetting requirements, proof of compliance, and auditing. The CPA provides that Processors may only retain subcontractors after furnishing a Controller the opportunity to object to the arrangement and (if so approved by the Controller) only if the subcontractor agrees to the same data protection terms applicable to the Processor. The CPA also requires these Controller-to-Processor contracts to include clauses requiring the Processor to, at the end of the data processing services, delete or return the personal data in its custody, unless retention is required by law; however, it does not expressly create any exceptions for personal data retained in backup or archived formats.
CPA Data security.
The CPA places affirmative data security obligations on Controllers. It requires them to “take reasonable measures to secure personal data during both storage and use from unauthorized acquisition,” and such measures must be appropriate to the volume, scope and nature of the personal data. The CPA does not address or otherwise attempt to limit other data security requirements set forth in other areas of Colorado law. For instance, pursuant to CO ST § 6-1-713.5, certain businesses must “implement and maintain reasonable security procedures and practices” to safeguard “personal identifying information,” and these measures must be based on the “nature and size of the business and its operations.”
Does Colorado privacy Act apply to nonprofits?
Unlike the Virginia Consumer Data Protection Act (VCDPA), the CPA does not exempt nonprofits, nor does it expressly provide an entity-level exemption for organizations regulated by the Health Information Portability and Accountability Act (HIPAA).
The CPA’s mandatory “user-selected universal opt-out mechanism” is not required by either
the California Act or the Virginia Act.
Under the CPA, consumers must be able to opt out of the sale or sharing of personal data for the purposes of targeted advertising through a user-selected “universal opt-out mechanism” (i.e., a consumer must be able to click one button to exercise all opt-out rights), which
meets technical specifications that the attorney general must establish by July 1, 2023. This differs from the CCPA, which makes a universal or global control optional.
CPA Compliance
Businesses covered by the new data privacy laws should:
Implement cybersecurity safeguards;
Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision;
Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data;
Establish a user-selected universal opt-out mechanism by July 1, 2024;
Update their Privacy Policy to explain their collection and use of data;
Update their contracts with third parties to ensure that they comply with the laws;
Obtain consumers’ informed consent before collecting sensitive data; and
Establish a procedure to determine when to conduct a data protection assessment.
Enforcement of the CPA
Under the CPA a violation is a deceptive trade practice under the Colorado Consumer Protection Act, such that while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act specifies a penalty of up to $20,000 per violation.
CPA Right to Cure
Under the CPA, the controller has 60 days to cure a violation after the attorney general or district attorney provides notice. The CCPA and VCDPA only provide 30 days to cure.
Critically, unlike the CCPA or VCDPA, the CPA’s right-to-cure provision expires on January 1, 2025.
CPA De-identified Data
De-identified data is generally exempt from obligations under the CPA because de-identified data is not personal data if certain conditions are met. However, controllers maintaining de-identified data are required to exercise reasonable oversight over contractual commitments related to de-identified data and to take appropriate steps to address breaches of those commitments. Similar to Virginia’s CDPA, controllers are also required to consider their use of de-identified data when conducting data protection assessments.
De-identified information means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:
Takes reasonable measures to ensure the data cannot be associated with an individual.
Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data.
Contractually obligates any recipients of the information to comply with these requirements.
This approach to de-identified information is similar to the approach reflected in California’s CPRA and Virginia’s CDPA. All three privacy laws broadly align with the de-identification framework set forth in the FTC’s 2012 Staff Report.
CPA Pseudonymous Data
The CPA exempts “pseudonymous data” from certain data subject rights (the right of access and the rights to correction, deletion, and data portability). Pseudonymous data is personal data that cannot be attributed to a specific individual without additional information if such information is “kept separately” and is subject to technical and organizational measures to ensure that the data is not attributed to a specific individual. Similar to Virginia’s CDPA, controllers that maintain pseudonymous data are not required to honor consumer rights requests (except requests to opt out) if the controllers can demonstrate that the information needed to identify the consumer exercising the right is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
CPA Exemptions
The CPA contains exemptions similar to other privacy laws. For instance, the Act does not apply to certain medical information, including personal data governed by the Health Insurance Portability and Accountability Act, and personal data subject to the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and Gramm–Leach–Bliley Act (GLBA). In addition to a GLBA data-level exemption, the law includes an entity-level exemption for financial institutions and their affiliates that are subject to the GLBA and its implementing regulations. The CPA also exempts employee information and business-to-business data from substantial regulation. Data maintained for employment record purposes is exempt, The law applies to consumers, but the term consumer
excludes individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Connecticut Public Act 21-59: An Act Concerning Data Privacy Breaches
Public Act 21-59 modifies Connecticut’s existing data breach and cybersecurity law in three key areas.
1) it expands the substantive definition of what constitutes “personal information” subject to legal protection.
2) it shortens the deadline for providing notice of data breaches (subject to certain qualifications and exceptions as further discussed below) and creates unique notification requirements for incidents involving a breach of login credentials.
3) it protects from public disclosure certain information provided in response to a Connecticut unfair trade practices investigation arising from a data breach.
CT Expanded Definition of “Personal Information”
Connecticut law previously defined “personal information” as a person’s first name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license number; (3) state identification card number; (4) credit or debit card number; or (5) financial account number in combination with any password or security code that would permit access to such account.
Public Act 21-59 expands this definition significantly to include the following data elements:
Taxpayer identification number;
IRS identity protection personal identification number;
Passport number, military identification number, or other government-issued identification number used to verify identity (e.g., Social Security number);
Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
Health insurance policy number, subscriber identification number, or other number used by a medical insurer to identify the individual;
Biometric information consisting of data generated by measurements of unique physical characteristics, such as a fingerprint, voice print, retina, or iris image, used to authenticate identity;
User name or electronic mail address in combination with a password or security code that would permit access to an online account.
CT Strengthened Data Breach Notice Requirements
Under Public Act 21-59, the deadline for providing notice of a data breach to affected individuals and the Connecticut attorney general is shortened from 90 days to “without unreasonable delay, but not later than 60 days.” In the event that the notifying entity discovers additional individuals after the reporting deadline, it is still obligated to act in good faith to notify those individuals “as expediently as possible.” Moreover, if the entity determines it cannot confirm the identities of and provide notice to all affected individuals within the new 60-day deadline, it must provide preliminary substitute notice to all potentially affected individuals and follow up with direct notice as soon as possible. Substitute notice consists of (1) email notice (where the individual’s email address is known), (2) “conspicuous posting” of the notice on the entity’s website (if any), and (3) “notification to major state-wide media, including newspapers, radio and television.”
Further, Public Act 21-59 contains special rules applicable to incidents involving a breach of login credentials. Notice of a breach of login credentials can be provided via email (or other electronic means) to direct the recipient to change their login credentials or take other steps to secure their account. However, if the affected individual’s receipt of the email notification cannot be verified, then an alternative form of notice must be used, or the individual must receive “clear and conspicuous notice” while the individual is “connected to the online account” that the individual “customarily accesses … .” Although not expressly required by the statute, businesses also can consider forcing affected customers to change their passwords or other login information.
Notably, Public Act 21-59 provides that data breach notification requirements apply to anyone who owns, licenses, or maintains computerized data that includes “personal information,” not just those who do so in the ordinary course of business. This broadens the applicability of the statute’s prior notification requirements.
CT. Exemption for HIPAA/HITECH Compliant Companies
With two important exceptions, any entity subject to (and in compliance with) HIPAA and/or HITECH privacy and security standards is deemed to be in compliance with the notice obligations set forth in Public Act 21-59.
The exceptions are that
(1) an entity required to notify Connecticut residents of a breach under HIPAA/HITECH must also notify the attorney general when those residents are notified; and
(2) if the entity would have been required to provide identity protection or mitigation services under Connecticut law (e.g., due to breach of a Social Security number), that requirement remains in effect. This provision attempts to address any confusion from conflicting state law requirements and requirements under HIPAA/HITECH.
CT Protection of Data Breach Reporting from Freedom of Information Requests
Public Act 21-59 also provides confidentiality protections to businesses responding to an investigation into alleged violations of Connecticut’s Unfair Trade Practices Act arising from a data breach. Public Act 21-59 recognizes that “documents, materials and information” provided in response to an investigation of a potential violation of Connecticut’s Unfair Trade Practices Act arising from a data breach are exempt disclosure requirements under Connecticut’s freedom of information law. However, the attorney general is permitted to make such documents, material, and information available to third parties for investigative purposes.
CT Public Act 21-119: An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses
Public Act 21-119 seeks to incentivize greater adoption of cybersecurity standards by businesses. Among other things, Public Act 21-119 allows businesses that comply with certain industry-recognized cybersecurity practices to avoid punitive damages in any tort claim that alleges a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The immunity from punitive damages afforded by Public Act 21-119, however, is subject to a few qualifications.
First, protection from punitive damages is provided only for tort claims “brought under the laws of [the state of Connecticut] or in the courts [of the state of Connecticut].” Second, the entity must have complied with a formal, written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information … .” Finally, the program must conform to one or more of the industry-recognized cybersecurity frameworks referenced in the statute. These frameworks include standards adopted by the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and the Payment Card Industry (PCI) Security Standards Council — and, for applicable businesses, the security regulations established by HIPAA, HITECH, FISMA, or GLBA. Entities will be deemed in compliance with subsequently amended or revised versions of the industry-recognized frameworks listed in the statute as long as they conform to such amended or revised version within six months of its publication.
CT
Connecticut’s updated data breach notification and cybersecurity statutes are consistent with a growing trend of states seeking to protect personal information by expanding the definition of personal identifying information and by providing businesses with new tools to stay in compliance with the law and manage risk associated with information security and privacy.
The tightened notice requirements and expanded definition of “personal information” set forth in Public Act 21-59 will require affected businesses to enhance their efforts to quickly and effectively respond to data breach and other cybersecurity threats. To do so, businesses should strongly consider reviewing and updating their incident response plans, enhancing their training and roundtable exercises, and having in place a list of forensic consultants, outside counsel, and media advisors to meet the tightened deadlines and manage their response.
The immunity from punitive damages afforded by Public Act 21-119 should serve to galvanize potentially affected businesses, as well as their general counsels, CTOs, risk managers, and other privacy professionals to reevaluate and strengthen their information security policies and procedures and adopt industry-recognized standards.
Finally, the exemption from compliance with Public Act 21-59 for entities already compliant with HIPAA and/or HITECH’s privacy and security obligations should enhance efficiency and avoid confusion between state and federal standards, at least with respect to covered entities in the health care industry.
