Chapter 8: State Laws Flashcards
T/F: If a job seeker doesn’t consent to a credit report, it is illegal to reject them based on FCRA?
False
How many states banned using credit reports in hiring decisions?
11 plus DC
CFIPA aka
SB-1
CFIPA
California Financial Information Privacy Act
CFIPA purpose…
Controls sharing of consumer financial information
CFIPA requirement for sharing with affiliate
Provide notification and allow customers to opt out before sharing data.
CFIPA requirement for sharing with non-affiliate 3rd party
Express written consent
CFIPA discrimination provision
May not discriminate against those not providing consent
CFIPA penalties
Up to $2,500 per violation
$500,000 max per incident
No cap for willful violations
CalECPA requirements
Warrant to access “electronic communication information”
CalECPA Exemptions (2)
Access with permission, if recovering stolen property
Emergencies
CCPA Personal information categories
Name
SSN
Address
IP Address
Email Address
Biometric info
Web browsing history
Geolocation data
Retail transactions
Inferences drawn from such information
CCPA preemption exception
CCPA doesn’t apply when it is preempted by other laws (CFIPA, HIPAA, GLBA)
CCPA Rights (5)
Right to Know
Right to Access
Right to Delete
Right to opt-out
Nondiscrimination
CCPA Right to know
Businesses must notify customers about what they collect and how it is used when it is collected. Also, purpose limitation
CCPA Right to Access
Consumers have a right to know what information companies have and be able to receive a copy in a portable format
CCPA Right to delete
Businesses must delete any PI that is collected.
Exceptions: Info needed to complete transactions, detect fraud, legal requirements, and a few others
CCPA Right to opt out
Businesses that intend to sell PI must give consumers the right to opt out
CCPA nondiscrimination
People exercising rights must not be treated differently
CCPA Private right of action requirements
Unauthorized disclosure of unencrypted data.
Must include combo of name and another identifier
CCPA Private right of action fines
$100-$750 per incident. Actual damages if greater
CPRA
Passed by voters
Introduces “Sensitive Personal Information”
New CPRA rights
Correction
Opt-out of automated decision making
Know about automated decision making
Restrict Sensitive personal information
CPPA
California Consumer Privacy Protection Agency
CPPA purpose
Enforce CPRA and CCPA
CPRA targeted advertising
Must regulate the use of PI
CPRA Audits and Risk Assessments
Required if processing consumer PI poses a significant risk to privacy or security
Delaware Online Privacy and Protection Act (DOPPA)
Applies to websites accessible to people in Delaware.
Excludes hosting providers.
DOPPA requirements
Privacy policy
Process to review and update PI
Info about how Do Not Track is handled
Info about 3rd parties collecting PI
DOPPA children's protections apply to
Anyone under 18
DOPPA prohibits advertising ______ to children?
Adult products including tanning beds
DOPPA rules for book service providers
May not share reading habits with the gov’t without a court order
Nevada SB 538
Website must have privacy policies covering the basics (collection, use, sharing, 3rd parties).
Applies to websites with 20K plus visits
Nevada SB 538 penalties
30 day cure period
Up to $5,000 fine
NJ Personal Information and Privacy Protection Act
Limits when and how companies scan ID cards.
Also, storage, retention, and destruction
NJ PIPA fines
$2,500 first offense
Up to $5,000 for subsequent offenses
Washington Biometric Privacy Law
Covers biometric identifiers for Washington residents
Excludes photo and video
Washington biometric law use limitations
Notice of collection
Consent required to store biometric data
Washington Biometric Privacy Law opt-out scenarios
People can opt-out of having data disclosed
Facebook BIPA fine (2021)
$650 million
NYDFS
Requires financial institutions to implement security controls
NYDFS aligned with what standard?
NIST CSF
NYDFS NIST CSF requirements
Hire a CISO
Risk assessments
Pentest
Annual reports on the security program
Annual compliance certification
NYDFS breach reporting
Required to report to state officials or agencies
Washington HB 1149 Bank Card law
Businesses that mismanage bank cards causing a breach must pay for replacement
TN SB 2005 Breach Notification avoidance
If data is encrypted up to federal standards and they can show the keys were not compromised
IL Breach notification
Must notify if usernames or email addresses together with passwords are taken
CA AB 2828 breach notification
Must notify if encrypted data and keys are compromised
NM HB 15 Breach notification
Encrypted data with keys.
Biometric data
MA HB 4806 Breach notification
Instructions on how to place credit freeze
Timelines for notification
Must offer credit monitoring
Utah Consumer Privacy Act Scope
Businesses exceeding $5 Million or processing data of over 100K Utah residents, or 25K residents if data is sold.