Module 14: State data security and breach notification laws Flashcards
FTC Section 5
Section 5 of the FTC Act (unfair or deceptive acts or practices) is the basis for FTC actions against companies that misrepresent their information security practices or fail to provide "reasonable procedures" to protect personal information.
federal vs state laws
No federal legislation directly imposes minimum information security standards across all industries.
State legislatures have therefore passed laws to ensure companies protect individuals' sensitive information.
What states have a data breach notification law?
In March 2018, Alabama became the last of 50 states to pass a data breach notification law.
The District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands also have data breach notification laws.
State Data Security
Social Security numbers
California restricts how SSNs may be used; among other things, it prohibits:
- publicly posting or displaying them
- printing them on mailings
- printing them on ID or membership cards
- transmitting them over an unencrypted internet connection
- printing them where they are visible through envelope windows
Data destruction requirements
State data destruction laws differ in:
- to whom the law applies
- the required notice
- exemptions
- the covered media
- any penalties for non-compliance
North Carolina’s Data Destruction Policies and Procedures for tangible data
Policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that the information cannot be practicably read or reconstructed
North Carolina’s Data Destruction Policies and Procedures for electronic media
Policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot be practicably read or reconstructed
North Carolina’s Data Destruction Policies and Procedures for the business entity
Procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
State law data security
California
- same as North Carolina, plus: requires destruction such that the records are unreadable or undecipherable by any means
State law data security
Arizona
applies only to paper records
State law data security
Alaska
provides a private right of action (affected individuals may sue)
State law data security
Illinois and Utah
their laws also apply to government entities
State law data security
Massachusetts
- stipulates steep penalties for each instance of improper disposal
State law data security
New Mexico HB 15
requires personal information (PI) to be made unreadable by shredding, erasing, or otherwise modifying it
Connecticut’s Definition of Personal Info
First name (or initial) and last name in combination with one or more of:
- Social Security number
- Driver’s license number or state identification card number
- Account number or credit/debit card number, in combination with any required security code, access code, PIN, or password that would permit access to the account
Connecticut’s Definition of Covered entities
any person who conducts business in this state and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.
Connecticut’s Definition of security breach
A security breach is unauthorized access to or acquisition of
- electronic files,
- media,
- databases, or
- computerized data
containing personal information, when the personal information has not been secured by encryption or by any other method or technology that renders it unreadable or unusable
Connecticut’s Whom to notify
- state residents whose personal information is believed to have been compromised
- the State Attorney General; other entities
Connecticut
When to notify
- in the most expeditious time possible
- without unreasonable delay
- many state laws also set a fixed outer deadline; 45 days is a common one
Connecticut
What to include in notification
- description of the incident
- the personal information subject to the breach
- prevention measures taken
- advice on monitoring accounts
- information on contacting regulators
Connecticut
How to notify
- written notice
- telephone notice
- conspicuous posting (substitute notice)
- notice to media outlets (substitute notice)
Connecticut
Exceptions
- HIPAA-covered entities
- GLBA (Gramm-Leach-Bliley Act)-covered entities
- entities with breach notification procedures already in place
- safe harbor for encrypted, redacted, unreadable, or unusable data
Connecticut
Penalties and Rights of Action
- enforcement reserved to the state attorney general (in most states)
true or false:
Most US states have laws limiting the use of Social Security numbers.
true
true or false?
Data destruction requirements are often built into state data breach laws.
true
In the event of a data breach, Connecticut’s breach notification law defines personal information as the first name (or initial) and last name in combination with one or more what?
Select all that apply.
A) Social Security number B) Driver’s license number C) Mailing address D) Phone number E) Bank account or card number in combination with a security or access code
A, B, E
Which states specify extensive requirements for data breach notifications?
A) Hawaii B) Virgin Islands C) Maryland D) Massachusetts E) California
All US States
True or False?
In the case of state requirements regarding data breach notification, email notice is always required first.
false
True or False?
State laws regarding data breaches may require notification of third parties, such as the state attorney general.
true
Which are exceptions to state data breach notification laws?
A) entities that already follow breach notification procedures that are compatible with state law
B) entities enrolled in self-certification programs that meet industry security standards
C) entities subject to other, more stringent data breach notification laws
A and C (see Connecticut’s exceptions above: existing compatible notification procedures, and entities covered by HIPAA or GLBA)