State Privacy Laws Flashcards
What is information security?
Protection of information for the purpose of preventing loss, unauthorized access, or misuse. Requires ongoing assessment of threats and risks to the information and of the procedures and controls in place to preserve it.
What are the three key attributes of information security?
Confidentiality - access to data is limited to authorized parties
Integrity - assurance that the data is authentic and complete
Availability - assurance that the data is accessible as needed by those who are authorized to use it
How is information security achieved?
By implementing controls, which must be monitored and reviewed to ensure the security objectives are met. Security controls are mechanisms put in place to prevent, detect, or correct a security incident.
What are the three types of security controls?
Physical - such as locks, security cameras, and fences
Administrative - such as incident response procedures and training
Technical - such as firewalls, antivirus software, and access logs
Information security vs information privacy
Privacy covers what uses and disclosures of personal information should be authorized, and data subjects' rights to control their data, including notice and consent.
Federal information security laws
No federal legislation directly imposes information security standards across all industries, but the healthcare and financial sectors have federally imposed information security provisions.
The FTC uses its Section 5 authority under the FTC Act to bring actions against companies that misrepresent their information security practices (a deceptive trade practice) or that fail to provide reasonable procedures to protect personal information (an unfair trade practice).
California AB 1950
California's Assembly Bill 1950 is intended to encourage businesses that own or license personal information about Californians to provide reasonable security.
One of the first state laws on security.
State laws on information security
In the absence of comprehensive federal requirements, some state legislatures have passed laws requiring companies to take information security measures to protect citizens' sensitive information.
Laws on social security numbers
The majority of states have laws limiting businesses' right to use Social Security numbers.
Ex: prohibiting businesses from requiring customers to transmit their SSN over an unencrypted internet connection, from printing it on mailings, or from printing it on ID or membership cards.
The federal government has limits as well.
Data destruction laws
As of 2017, at least 32 states have data destruction laws, which are sometimes incorporated into data breach laws.
Common elements are: who the law applies to, the required notice, exemptions, the covered media, and the penalties.
What are the elements of state data breach notification laws?
- Definition of personal information / data elements that trigger reporting requirements
- what entities are covered
- definition of a security breach
- level of harm requiring notification
- whom to notify
- when to notify
- what to include in notification
- how to notify
- exceptions to notifications
- penalties and rights of action
What is personal information (data breach notification state laws)?
These elements are part of the definition in all state data breach notification laws, although more than half contain additional elements.
An individual's first name or first initial and last name, in combination with any one or more of the following:
SSN; driver's license or state ID card number; account number, or credit card or debit card number, in combination with any required security code that would permit access to an individual's financial account.
Security breach (state data breach notification laws)
Unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing personal information, when the personal information has not been secured by encryption or another method that renders it unreadable or unusable.
Covered entity (state data breach notification law)
Any person who conducts business in the state and who owns, licenses, or maintains computerized data that includes personal information.
Whom to notify in a data breach
Primary - state residents / third parties whose data has been exposed
More than half of the states require entities to notify the state attorney general and/or other state agencies; some only require it if 500 or more of their residents were affected.
Some states require entities to notify the nationwide credit reporting agencies.
All states require an entity that does not own the data to notify the data owner (processor notifying controller).
When to notify of data breach
In the most expeditious time possible and without unreasonable delay.
Typically no later than 45 days after discovery of the breach.
Legislatures recognize the need for the affected entity to conduct a reasonable investigation in order to determine the scope of the breach, restore the integrity of the system, and determine whether the breach is the result of criminal activity.
What to include in data breach notification
Description of the incident
Type of personal information that was subject to the breach
Steps taken to protect the personal information from further unauthorized access
A phone number to call
Advice to stay vigilant
Number for consumer reporting agencies
Phone number and websites for the FTC
How to notify of data breach
Written notice to the data subject is the default requirement.
Telephone and electronic messages are alternatives.
Notification to state attorneys general and regulators may be sent via email, letter, or online form.
Notification to consumer reporting agencies is via email.
Exceptions to notifications for data breaches
Entities subject to other, more stringent data breach notification laws (e.g., HIPAA or the GLBA Safeguards Rule)
Entities that already follow breach notification procedures as part of their own information security policies, as long as these are compatible with the requirements of the state law
If the data was encrypted, redacted, unreadable, or unusable
Penalties for data breaches
Enforcement is by the state attorney general
Civil penalty or payment
Private right of action for harmed individuals to recover damages
Types of data breach incidents
Unintended disclosure - sensitive info mishandled or sent to the wrong party
Hacking / malware - electronic entry by an outside party
Payment card fraud - fraud involving payment cards that is not accomplished via hacking
Insider - employee or CW intentionally breaching information
Physical loss - lost or stolen paper documents
Portable device - lost or stolen laptop, smartphone, etc.
Stationary device - lost or stolen computer or server not designed for mobility
Fundamentals of incident management for a data breach
- Determine whether a breach has actually occurred
- Contain and analyze the incident
- Notify affected parties
- Implement effective follow-up methods
California SB-1
California financial information privacy act
Expands the financial privacy protections afforded under the GLBA
- increases the disclosure requirements of financial institutions and grants consumers increased rights with regard to the sharing of their information
- opt-in consent is required for a financial institution to share personal information with nonaffiliated third parties
- grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business
Data breach notification laws - Tennessee SB 2005
First state to require notification of any breach, whether the data is encrypted or not.
45 days to notify of a breach
Data breach notification laws - California AB 2828
Requires notification of breached encrypted data in addition to unencrypted data.
Data breach notification laws - New Mexico HB 15
Covers encrypted data if the keys were likely compromised, as well as unencrypted data.
45 days to notify
CCPA
Residents of CA have the following rights:
- know what personal info is collected about them
- access that information
- know if their personal info is disclosed
- know if their personal info is sold
- receive equal service and price whether or not they exercise their privacy rights
CalECPA
California electronic communications privacy act
Protects location data, content, metadata, and device searches
The act requires law enforcement to obtain a warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant to existing state law before compelling or accessing electronic information, except in emergency situations.
NYDFS cybersecurity regulation
- creation and implementation of security policies and procedures
- limitation of user access privileges
- designation of a CISO
- written IR plan
Illinois right to know act
Gives consumers the right to know what information has been collected about them and who has access to it.
Washington biometric privacy law
Forbids commercial interests from obtaining or selling individuals' biometric information without their consent, and limits the period of time for which the data may be kept.
New Jersey personal information and privacy protection act
Limits the purposes for which retail establishments may lawfully scan a person's government-issued identification card, such as a driver's license.
Limits the data that can be collected from such scanning and how that data can be retained and used.
Delaware online privacy and protection act
A law that provides privacy protections to Delaware residents.
- advertising to children is strictly regulated
- privacy policies must be conspicuously posted
- privacy protections for users of digital books are enhanced
Nevada SB 538
Requires operators of websites and online services to provide notice to Nevada residents of their practices relating to the collection and disclosure of PII.
Massachusetts HB 4806
Sets notice requirements in the case of a data breach.
Requires companies to contract with a third party to offer affected residents free credit monitoring services, and prohibits security freeze fees.
Illinois HB 1260
Expands the definition of personal information to include medical information.
Requires that the attorney general be notified of a breach in certain circumstances.
Limits the encryption safe harbor if the encryption key was possibly acquired in the data breach.