Module 14: State data security and breach notification laws

Question 1

FTC Section 5

Answer 1

actions against companies
misrepresenting their information security practices or failing to provide “reasonable
procedures” to protect personal information

Question 2

federal vs state laws

Answer 2

no federal legislation directly imposes minimum information security standards
across all industries.

state legislatures have passed laws to ensure companies protect individuals’ sensitive informatioN

Question 3

What states have a data breach notification law?

Answer 3

In March 2018, Alabama became the last of 50 states to pass a data breach notification law.

The District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands also have data breach notification laws.

Question 4

State Data Security

Social Security #s

Answer 4

In Cali

• public posting
• mailings
• ID or membership cards
• transmission over unencrypted internet connection
• visible thru enveloper windows

Question 5

Data destruction requirements

Answer 5

• to whom the law applies
• the required notice
• exemptions
• the covered media
• any penalties for non-compliance

Question 6

North Carolina’s Data Destruction Policies and Procedures for

tangible data

Answer 6

#1 require the
-burning
-pulverizing
-shredding
of papers containing personal info so that info cannot be practicably read or reconstructed

Question 7

North Carolina’s Data Destruction Policies and Procedures for

electronic media

Answer 7

Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot be
practicably read or reconstructed

Question 8

North Carolina’s Data Destruction Policies and Procedures for

the business entity

Answer 8

Procedures relating to the adequate destruction or proper disposal of personal records as
official policy in the writings of the business entity

Question 9

State law data security

California

Answer 9

-same as NC +

requires destruction such that records are unreadable or undecipherable by ANY means

Question 10

State law data security

Arizona

Answer 10

applies only to paper records

Question 11

State law data security

Alaska

Answer 11

applies a right to private action

Question 12

State law data security

Illinois and Utah

Answer 12

applies to government entities

Question 13

State law data security

Massachusetts

Answer 13

-stipulates steep penalties for each instance of improper disposal

Question 14

State law data security

New Mexico HB 15

Answer 14

requires PI be made unreadable by shredding, erasing, or otherwise modifying

Question 15

Connecticut’s Definition of Personal Info

Answer 15

• First Name (or initial) and last name
• SS#
• DL # or state identification card #
• Account,CC, Debit, Pin #, Access Code, or Password

Question 16

Connecticut’s Definition of

Covered entities

Answer 16

any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.

Question 17

Connecticut’s Definition of

security breach

Answer 17

A security breach is unauthorized access to or acquisition of

• -electronic files
• -media,
• -databases or
• -computerized data

containing personal information

–when access to the personal information has not been secured by encryption or by any other method or technology that
renders the personal information unreadable or unusable

Question 18

Connecticut’s

Whom to notify

Answer 18

• -state residents whose personal information is believed to have been compromised
• -State Attorney General; other entities

Question 19

Connecticut

When to notify

Answer 19

• -in the most expeditious time possible
• -without unreasonable delay

average seems to be 45 days

Question 20

Connecticut

What to include in notification

Answer 20

• description of incident
• personal info subject to the breach
• prevention measures
• monitoring accounts
• contacting regulators

Question 21

Connecticut

How to notify

Answer 21

• written
• telephone
• email
• conspicious postings
• media outlets

Question 22

Connecticut

Exceptions

Answer 22

• HIPPA
• GLBA (gramm-leach-bliley act)
• Breach notification already in place
• safe harbor for encrpyted, redacted, unreadable or unusable data

Question 23

Connecticut

Penalties and Rights of Action

Answer 23

-enforcement reserved to the state attorney general (in most states)

Question 24

true or false:

Most US States have laws limiting the use of SS#s?

Answer 24

true

Question 25

true or false?

data destruction requirements are often built into state data breach laws?

Answer 25

true

Question 26

In the event of a data breach, Connecticut’s breach notification law defines personal
information as the first name (or initial) and last name in combination with one or more what?
Select all that apply.

A) Social Security number
B) Driver’s license number
C) Mailing address
D) Phone number
E) Bank account or card number in combination with a security or access code

Answer 26

A
B
E

Question 27

Which states specify extensive requirements for data breach notifications?

A) Hawaii
B) Virgin Islands
C) Maryland
D) Massachusetts
E) California

Answer 27

All US States

Question 28

True or False?

In the case of state requirements regarding data breach notification, email notice is always required first?

Answer 28

false

Question 29

True or False?

State laws regarding data breaches may require 3rd party notifications to the state attorney general

Answer 29

true

Question 30

Which are exceptions to state data breach notification laws?

A)entities that already follow breach notification procedures that are compatible with state law
B) Entities enrolled in self-certification programs that meet industry security standards
C)entities subject to other, more stringent data breach notification laws

Answer 30

C