Data Security and State Statutes Flashcards

1
Q

State Notifications differ around these 4 elements

A
  1. Trigger for notice
  2. exceptions to notifications
  3. parties to whom disclosure is required
  4. enforcement
2
Q

Is there a private right of action under the CCPA, as amended by the CPRA?

A

yes, 2 situations

  1. unauthorized access and exfiltration, theft, disclosure of consumer nonencrypted PI.
  2. breach of an email address, as well as password or security question and the answer that would allow an account to be accessed.
3
Q

CA enforcement action against Sephora

A
  1. Sephora failed to disclose the sale of personal information or provide a “Do Not Sell My Personal Information” link as a result of the use of analytics and advertising cookies on its website.
  2. The complaint alleges that Sephora’s use and transmittal of the personal information was a “sale” under the CCPA because the disclosure was made in exchange for free, discounted, or higher quality advertising or analytics services from its third-party vendors.
4
Q

30 day cure in CPRA?

A

CPRA removes the 30 day cure and gives CPPA discretionary power and time to cure a violation.

5
Q

CPRA: Is written notice required prior to a consumer initiating an action for pecuniary damages suffered as a result?

A

no

6
Q

What does the Colorado law "Concerning Strengthening Protections for Consumer Data Privacy" require regarding third parties?

A
  1. Covered entities must require all third parties with access to PII to take reasonable measures.
7
Q

What policy is called out in the Colorado law?

A

entities must write a records destruction policy for those records containing PII

8
Q

What should be addressed in the comprehensive security program under Massachusetts Standards for the Protection of Personal Information? (7)

A
  1. workforce security training
  2. monitoring of third party vendors
  3. secure storage
  4. user authentication protocols
  5. reasonable restrictions on the access to personal information
  6. encryption of data transmitted and stored on portable devices
  7. review security measures annually
9
Q

what should be addressed under NY Shield Act 2019?

A
  1. workforce security training
  2. an employee responsible for security
  3. dispose of sensitive data after its business purpose has expired
10
Q

Who enforces NY Shield Act?

A

NY AG

11
Q

under NY-CRR 2017, when should a security breach be reported?

A

within 72 hours

12
Q

Who is exempt from NY-CRR?

A
  1. employers with fewer than 10 employees
  2. produce less than 5 million in gross revenue
  3. less than 10 million in year end assets
13
Q

What is special about Ohio Data Protection Act?

A

Sets up an incentive: a safe harbor if businesses follow certain frameworks (NIST CSF, 800-171, ISO 27000, GLBA, HIPAA, FISMA)

14
Q

what two states require insurers to submit annual compliance certifications to the state?

A

New York and South Carolina

15
Q

Does Virginia CDPA include employee data?

A

No

16
Q

What is the scope of V CDPA?

A
  1. Control or process the personal data of at least 100,000 consumers during a calendar year.
  2. Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.
17
Q

what are the 6 consumer rights under the V CDPA?

A
  1. Right to access. Consumers have the right “to confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.”
  2. Right to correct. Consumers have the right to correct inaccuracies in their personal data.
  3. Right to delete.
  4. Right to data portability.
  5. Right to opt out. To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data and profiling in advancing decisions that produce legal or similarly significant effects concerning the consumer.
  6. Right to appeal.

The CDPA fails to provide any exceptions to these rights