Data Security and State Statutes Flashcards
State notification laws differ around these 4 elements:
- Trigger for notice
- Exceptions to notification
- Parties to whom disclosure is required
- Enforcement
Is there a private right of action under the CCPA, as amended by the CPRA?
Yes, in 2 situations:
- Unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted PI.
- Breach of an email address together with a password, or a security question and answer, that would allow the account to be accessed.
CA enforcement action against Sephora
- Sephora failed to disclose the sale of personal information or provide a “Do Not Sell My Personal Information” link as a result of the use of analytics and advertising cookies on its website.
- The complaint alleges that Sephora’s use and transmittal of the personal information was a “sale” under the CCPA because the disclosure was made in exchange for free, discounted, or higher quality advertising or analytics services from its third-party vendors.
30-day cure period under the CPRA?
The CPRA removes the 30-day cure period and gives the CPPA discretion over whether to grant time to cure a violation.
CPRA: Is written notice required before a consumer initiates an action for pecuniary damages suffered as a result?
No
What does the Colorado law, Concerning Strengthening Protections for Consumer Data Privacy, require regarding third parties?
- Covered entities must require all third parties with access to PII to take reasonable measures.
What policy is called out in the Colorado law?
Entities must write a records destruction policy for records containing PII.
What should be addressed in the comprehensive security program under Massachusetts Standards for the Protection of Personal Information? (7)
- workforce security training
- monitoring of third party vendors
- secure storage
- user authentication protocols
- reasonable restrictions on the access to personal information
- encryption of data transmitted and stored on portable devices
- review security measures annually
What should be addressed under the NY SHIELD Act (2019)?
- workforce security training
- An employee responsible for security
- Disposal of sensitive data after its business purpose has expired
Who enforces the NY SHIELD Act?
The NY AG
Under NY-CRR 2017, when should a security breach be reported?
Within 72 hours
Who is exempt from NY-CRR?
- Employers with fewer than 10 employees
- Entities that produce less than 5 million in gross revenue
- Entities with less than 10 million in year-end assets
What is special about the Ohio Data Protection Act?
It sets up an incentive: a safe harbor if businesses follow certain frameworks (NIST CSF, 800-171, ISO 27000, GLBA, HIPAA, FISMA).
What two states require insurers to submit annual compliance certifications to the state?
New York and South Carolina
Does Virginia CDPA include employee data?
No
What is the scope of the Virginia CDPA?
- Control or process the personal data of at least 100,000 consumers during a calendar year.
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.
What are the 6 consumer rights under the Virginia CDPA?
- Right to access. Consumers have the right “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.”
- Right to correct. Consumers have the right to correct inaccuracies in their personal data.
- Right to delete.
- Right to data portability.
- Right to opt out. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data and profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.
- Right to appeal.
The CDPA fails to provide any exceptions to these rights.