Tag Archives: New Law

South Dakota, 49th State to Enact Breach Notification Law, Alabama Close Behind

This week, on March 21, 2018, South Dakota’s Governor signed into law the nation’s 49th state breach notification law.

Alabama remains the sole U.S. state without a breach notification law, but not for long. Yesterday, Alabama’s pending breach notification bill unanimously passed the House of Representatives and now heads to the Governor’s desk for signature.

Here are some of the highlights of the two pieces of legislation.

South Dakota: Breach Notification Law

Highlights:

  • Applies to:
    • “Information Holder”: includes “any person or business that conducts business in the state” and owns or retains “personal or protected information” of South Dakota residents.
  • Personal AND Protected Information:
    • This South Dakota bill distinguishes and covers both personal information and protected information.
    • “Personal information” includes a person’s first name or first initial and last name combined with one or more of the following data elements (SSN, driver’s license number, account number with access code, etc.) but also includes health information (as defined in HIPAA) and employee identification numbers in combination with access code or biometric data.
    • “Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.”
    • Of note, the definition of “protected information” does not include a person’s name.
  • Breach Definition:
    • “Breach of system security” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person.
  • Breach Notification Requirements:
    • Trigger: Following “discovery by or notification to” an entity of a “breach of system security”, the entity must notify “any resident whose personal OR protected information was or is reasonably believed to have been, acquired by an unauthorized person”.
    • Timeline: Notification to affected individuals is required within 60 days of discovery of the breach.
  • Harm Threshold:
    • Notification is NOT required if the entity can reasonably determine that the breach will not likely result in harm to the “affected person”.
    • This harm exception is available only after an “appropriate investigation and notice to the attorney general”.
    • The entity must keep documentation of any no-harm breach in writing for no less than three years.
  • Unauthorized person/access:
    • South Dakota has included a very broad definition of “unauthorized person,” a term that is defined in only a few state data breach notification laws.
    • The bill also defines “unauthorized person” to include a person with access to “personal information who has acquired or disclosed the personal information outside the guidelines for access or disclosure…” This definition is unusual among data breach notification laws and addresses otherwise authorized persons who exceed the scope of their authorization (the insider case most statutes do not reach).
  • Other Notification Requirements:
    • Attorney General: If more than 250 individuals are affected, the entity must notify the South Dakota Attorney General.
    • Consumer Reporting Agencies: If notification to affected individuals is required, the bill requires notification to “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.” This provision is a bit unusual, as it does not include a numerical threshold of affected persons as a trigger for consumer reporting agency notification (compare the 250-person AG trigger above).
  • Penalties:
    • The Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
    • A violation of this breach notification law is also a deceptive act under the state’s consumer protection laws, opening the door to both criminal liability and a private right of action.
    • While SB 62 does not expressly create a private right of action, the South Dakota Attorney General has noted that the statute has the same effect through its express incorporation of South Dakota’s Deceptive Trade Practices Act.
    • This private right of action issue will likely be litigated after the law takes effect this summer.
  • Exceptions:
    • An entity that is subject to HIPAA, GLBA or another federal law or regulation that maintains its own breach notification procedures is deemed to be in compliance with this state law if it notifies affected South Dakota residents in accordance with that applicable federal law or regulation.
    • An entity that maintains its own notification procedures as part of an information security policy is in compliance with the notification requirements if it notifies each affected person in accordance with those internal procedures for a breach of system security.

This law will take effect on July 1, 2018.

Alabama: Proposed Bill

Alabama’s proposed bill would require notification within 45 days of the determination of a breach, and it follows other states’ breach laws in its definitions of “Breach of Security” and “Personally Identifiable Information (PII)” and in its exceptions.

Alabama Attorney General Steve Marshall has been vocally supportive of the bill through this legislative process, thanking the Alabama Senate for “taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked”.

Well…now it’s 49 states to follow for data breach notification requirements, and Alabama will complete the patchwork of state breach notification laws in the coming weeks.

Stay tuned!


For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.


Texas Legislature Passes New Cybersecurity Regulations

The Texas State Legislature closed its special session earlier this month, and with it came a new piece of cybersecurity legislation. These new cybersecurity regulations for Texas go into effect September 1, 2017.

  • House Bill 8 sets new standards for training, cyber reporting and protection among state agencies:
    • Calls for the long overdue creation of Texas House and Senate select committees on cybersecurity;
    • Requires a security assessment of Texas systems, training on how to respond to threats, a review of state digital data storage, and a state incident response plan that can be used in the event of a cyberattack; and
    • Creates a public-private cyber information sharing task force to be staffed with both government officials and private sector professionals.
  • House Bill 9 criminalizes the intentional, indirect compromise of a network and computer without the consent of the owner.
    • Existing Texas law addressed only direct access. House Bill 9 extends prosecutorial authority to cover the use of malware and ransomware against a computer by a party who is not physically present at it.

Impact on Data Breach Notification Law

  • Good news for the private sector: these changes affect only state agencies and election data.
  • Previously: State agencies only had to comply with the notification requirements imposed on private companies under the Texas Business & Commerce code. This new legislation creates heightened standards for state agencies and complicates breach notification law:
    • High Reporting Standards for State Agencies. State Agencies are now required to notify the following within 48 hours of a discovery of breach:
      • Texas Department of Information Resources, including the chief information security officer
      • State cybersecurity coordinator
      • If the breach involves election data, the secretary of state
    • Widens the scope of the notification requirements. Where the original statute says “in the event of a breach of system security”, the new House Bill expands the scope to “in the event of a breach or suspected breach of system security or an unauthorized exposure of that information.” Suspected breaches and exposures now start the 48-hour clock, not just confirmed breaches.

Legal statutes are evolving to both keep up with the private sector threats and defend state agencies against the inevitable threats that come with the age of technology.

Nevada Enacts Website Privacy Notice Law

If your company has a website, take note: Nevada enacted the nation’s third online privacy notice law.

Following the example set by California and Delaware, these laws generally require online notices that inform consumers how their information is collected, what types of information are collected, and with whom it is shared.

Companies failing to abide by the requirements are subject to fines and penalties from enforcement actions by state attorneys general.

Nevada’s Online Privacy Notice Law

Similar to those of its predecessors, Nevada’s privacy notice law covers a broad range of information collected by website operators. This includes the following data elements:

  • First and last name
  • Home or other physical address which includes the name of a street and the name of a city or town
  • Email address
  • Social Security number
  • Any identifier that allows a specific person to be contacted either physically or online
  • Any other information concerning a person collected from the person through the Internet website or online service in combination with an identifier in a form that makes the information personally identifiable

To be compliant, the online notice must include:

  • The categories of information about the consumer that are collected;
  • The categories of third parties with whom the information is shared;
  • A description of the process, if any exists, for a consumer who uses or visits the website to review and request changes to his or her information that has been collected;
  • The process by which the operator notifies consumers of material changes to its online notice;
  • Whether third parties are permitted to track users’ online activities over time and across different websites (through use of cookies); and
  • The effective date of the notice.

Nevada’s new law applies to companies that:

  1. Own or operate an Internet website or online service for commercial purposes;
  2. Collect and maintain information from consumers who reside in Nevada; and
  3. Purposefully direct their activities toward Nevada, carry out transactions with Nevada or a resident of it, or purposefully make use of the rights and privileges of conducting activities within Nevada.

The law is not applicable to website operators in Nevada whose revenue is derived primarily from a source other than online services and whose website has fewer than 20,000 unique visitors per year.

Finally, Nevada’s Attorney General is permitted to enforce the law’s provisions, with the ability to seek injunctive relief (requiring the website operator to comply with the law) or impose up to $5,000 per violation. Upon notification of noncompliance, operators have 30 days to remedy the noncompliance before enforcement actions may be brought.

What Now?

With an effective date of October 1, 2017, companies that reside in Nevada or direct their business toward Nevada or its residents should ensure they are in compliance with Nevada’s new online privacy notice law. Additionally, companies should be aware that they may have obligations under California’s and Delaware’s online privacy notice laws, which apply to all companies (regardless of location) that collect information on residents of those states.

Virginia Adds a New Twist to its Breach Notification Law

Virginia passes a first-of-its-kind amendment in reaction to popular payroll tax scams.

Breach Notification Laws are constantly evolving and reacting to the perils of cyber threats and vulnerabilities. Two of the most recent regulatory updates (NYDFS & VA) show specific reactions to the rapidly changing security threats.

One prominent threat influencing legislation is the growing prevalence of W-2 scams. These scams have pushed the cybersecurity conversation beyond the common stereotype that breaches only happen to large retailers. With this employee-focused social engineering scheme, organizations large and small in all industries are now targets.

This threat was recently addressed through an amendment to Virginia’s data breach notification law. Virginia amended its notification requirements by expanding the types of data whose compromise requires notification and by requiring that state authorities be promptly notified of a breach of payroll data.

On March 13, 2017, Virginia’s governor approved the amendment, which requires employers and payroll service providers to notify the state’s Office of the Attorney General after discovering a breach of computerized employee payroll data that compromises the confidentiality of such data. Once the Attorney General’s office receives notice, it must in turn notify the state’s Department of Taxation of the breach.

Background

Existing state law requires that an entity or individual that owns, maintains, or possesses personal information of Virginia residents, and who has a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, must report the unauthorized breach to the Office of the Virginia Attorney General, and also must provide notification to each affected Virginia resident.

How is this amendment different?

This new notification requirement applies even if the statute does not otherwise require the organization to notify affected residents of the breach. The amendment therefore not only expands the types of data that trigger notification, but also requires notice to the Attorney General in circumstances that would not trigger notification to individuals.

Additionally, the notice to the Attorney General’s office must include details from the organization such as the affected employer’s or payroll service provider’s name and federal employer identification number. This notice to the Office of the AG must be made “without unreasonable delay”.

When is this effective?

These amendments to the Virginia law are effective July 1, 2017.

Practical Application: Employee Awareness & Training

Companies and individual taxpayers should remain vigilant and exercise care in responding to any request for copies of W-2 forms. Employees are often an organization’s weakest link leading to a data breach. Training employees on data security best practices and awareness of potential risks and consequences of such threats can greatly reduce security risks.

ePlace Solutions provides a series of training courses on Social Engineering, including Spear-Phishing attacks such as the W-2 Scam. If you’re reading our newsletter, it’s likely your organization has access to these training courses through your cyber insurance policy. Reach out to cyberteam@eplaceinc.com to take advantage of your free training resources for your workforce.

New Jersey Continues Push for Shopper Privacy Law

The New Jersey Senate approved a bill – Personal Information and Privacy Protection Act – to increase the privacy protections for New Jersey shoppers. The bill limits a retailer’s ability to collect and use personal data from a consumer’s identification card.

A retailer can scan an identification card only for the following purposes:

  • To verify the authenticity of the ID card or the identity of the person paying,
  • To verify the person’s age when providing age-restricted goods or services,
  • To prevent fraud if the person returns an item or requests a refund,
  • To establish or maintain a contractual relationship,
  • To record, retain, or transmit information required by state or federal law, or
  • To transmit information as permitted by FCRA, GLBA or HIPAA.

The bill also limits the types of information scanned to name, address, date of birth, the state issuing the identification card, and the identification card number.

Other noteworthy provisions include:

  • Limitations on retaining the relevant information,
  • Data security requirements,
  • The state’s data breach notification requirements, and
  • Restrictions on selling the relevant information.

The next step for the bill is to be approved by the New Jersey Assembly.

California Law Protects Students’ Privacy

A new law, AB 2097, was passed in California limiting the personal information public schools are allowed to collect from students.

The new law prohibits school districts from collecting students’ Social Security numbers and other information, except when required by federal and state law.

The law surfaced after a judge earlier this year ordered the release of Social Security numbers and other personal information on over 10 million California students. What followed was a frenzy of objections to the data release. The judge reversed that decision a couple of months later, based on concerns over identity theft.

Cybersecurity Information Sharing Act: Government Surveillance or Critical Protection?

The controversial Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law as a part of the $1.1 trillion omnibus spending bill, establishing a process for organizations to voluntarily share threat indicators with the Federal government and other private entities to help organizations better prepare for and respond to cyber threats.

CISA Provisions

CISA calls for a voluntary program for cyber threat indicators to be shared with the government and circulated among participating organizations. The types of threat indicators to be shared include malicious code, suspected reconnaissance, and security vulnerabilities.

As an incentive, participating entities will receive liability protection from lawsuits arising out of participation in the program and will not be penalized for not using the information received from the government to improve cybersecurity defenses.

While proponents hail CISA as a critical step in combatting cyber threats, critics in the privacy community claim it is a government surveillance measure diminishing privacy rights. Critics also question whether the privacy safeguards are adequate and protections afforded for participation will be enough to incentivize organizations to join the program.

To address these concerns, CISA requires participating organizations, before sharing, to review threat indicators and remove information they know at the time to be personal information of a specific individual that is not directly related to a cybersecurity threat. The Department of Homeland Security Secretary is tasked with developing guidance on the information that must be removed and on how the government handles the information it receives. CISA also provides that shared information is considered proprietary information of the sharing entity, is exempt from disclosure under the Freedom of Information Act, and generally may not be used for regulatory purposes by federal or state agencies.
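The scrubbing requirement above maps onto a concrete engineering task: separating what describes the adversary from what identifies your own people before a record leaves the organization. The following is an added example, not part of the original article and not DHS guidance or any official sharing format; the record layout, field names and sample values are all constructed for illustration. It drops fields that only identify people at the sharing organization, redacts e-mail addresses and the harvested identifiers from free text, and runs a residual check that can gate the share.

```python
import re
from copy import deepcopy
from typing import Any, Dict, List

# Constructed sample record, as an organization might assemble it internally
# before sharing. The field names are an assumption for this example, not a
# real sharing schema.
SAMPLE_INDICATOR: Dict[str, Any] = {
    "indicator_type": "ipv4",
    "indicator": "203.0.113.45",
    "malware_family": "Emotet",
    "first_seen": "2017-11-03T14:22:00Z",
    "description": "C2 beacon observed from jdoe's laptop; user jane.doe@example.com clicked invoice.doc",
    "affected_users": ["jane.doe@example.com", "jdoe"],
    "source_host": "LAPTOP-JDOE01",
    "reporter_contact": "soc@example.com",
}

# Fields whose contents identify people or assets at the sharing organization
# rather than describing the threat. These are dropped outright.
PERSONAL_FIELDS = {"affected_users", "source_host", "reporter_contact"}

# Free-text fields that may embed identifiers and get redaction instead.
FREE_TEXT_FIELDS = {"description"}

# The indicator value itself is left alone: a phishing sender's address, for
# instance, describes the adversary and is the thing worth sharing.
EXEMPT_FROM_CHECK = {"indicator"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scrub_indicator(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record with personal fields removed and free text redacted."""
    scrubbed = deepcopy(record)

    # Harvest the identifiers from the personal fields before dropping them,
    # so the same names can be stripped wherever they reappear in free text.
    identifiers = set()
    for field in PERSONAL_FIELDS:
        value = scrubbed.pop(field, None)
        if isinstance(value, str):
            identifiers.add(value)
        elif isinstance(value, list):
            identifiers.update(v for v in value if isinstance(v, str))

    for field in FREE_TEXT_FIELDS:
        if field not in scrubbed:
            continue
        text = EMAIL_RE.sub("[REDACTED_EMAIL]", scrubbed[field])
        # Longest identifiers first, so "jane.doe@example.com" is handled
        # before the shorter "jdoe" could split it.
        for ident in sorted(identifiers, key=len, reverse=True):
            text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
        scrubbed[field] = text

    return scrubbed


def residual_personal_info(record: Dict[str, Any]) -> List[str]:
    """List anything that still looks personal; an empty list means safe to share."""
    findings: List[str] = []
    for key, value in record.items():
        if key in PERSONAL_FIELDS:
            findings.append(f"personal field still present: {key}")
            continue
        if key in EXEMPT_FROM_CHECK:
            continue
        values = value if isinstance(value, list) else [value]
        for item in values:
            if isinstance(item, str) and EMAIL_RE.search(item):
                findings.append(f"e-mail address in field {key}")
    return findings


if __name__ == "__main__":
    clean = scrub_indicator(SAMPLE_INDICATOR)
    print(clean)
    print("residual findings:", residual_personal_info(clean))
```

The regex pass is deliberately not applied to the indicator value, and the harvested-identifier approach assumes the personal fields are where your people are named; a real deployment would add the organization’s directory (usernames, hostnames, e-mail domains) to the identifier set and keep a human review step, since the statutory standard is what the sharing entity knows at the time of sharing.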

Healthcare Organizations

Several provisions under CISA pertain to healthcare organizations. To start, the Department of Health and Human Services is to develop a set of cybersecurity best practices for organizations in the healthcare industry. These best practices will be consistent with the standards in the HIPAA Security Rule, and may end up being more specific.

CISA also addresses systems that are connected to electronic health records, specifically medical devices. The HHS Secretary is to create a task force that will review the issues and challenges surrounding the security of networked medical devices. The task force will report on ways to improve and better prepare and respond to cybersecurity threats.

Key Takeaways

As cyber criminals become more sophisticated, knowledge of emerging threats is critical to mitigating such risks. Organizations should evaluate whether participation in the information sharing program would be a valuable way to obtain early insight into cyber threats in their industry and sector.

As an ePlace Solutions client, you are also entitled to receive various threat alerts that identify emerging cyber threats. For more questions about ePlace threat alerts, or to sign up for the threat alerts, please feel free to reach out to Matt Peranick at (559)577-1306 or mperanick@eplaceinc.com.

California Amends Data Breach Notification Law

Governor Jerry Brown recently signed three bills into law, amending California’s breach notification statute. The new laws expand the definition of personal information, add clarity to the term encryption, and add requirements for notification letters.

Personal Information Definition

S.B. 34 expands the definition of personal information to include information or data collected through the use or operation of an automated license plate recognition system.

License plate recognition systems use optical character recognition on images to read license plate numbers and store that data. Many police departments have adopted this technology, creating concerns regarding the use and safety of that data.

The amendment requires entities using the technology to maintain reasonable safeguards to protect the license plate recognition data from unauthorized use or disclosure. The law also has a provision allowing private right of action for anyone harmed by violations of the statute.

Encryption Definition

A.B. 964 provides a bit of clarity on the definition of encryption. Most state laws, including California’s, allow for a safe harbor for encrypted information that is accessed by an unauthorized person. The grey area of the law is what qualifies as acceptable encryption.

The amendment defines encryption as information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Notification Letter Changes

S.B. 570 updates the requirements for breach notification letters that are sent to individuals affected by a security breach.

Additional requirements include:

  • The notification must be titled “Notice of Data Breach.”
  • The information must be presented under the following headings – “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
  • The title and headings must be clearly and conspicuously displayed.
  • The text must be in at least 10-point type.

The new law also provides a model security breach notification form that complies with the requirements listed above.

The amendments are effective January 1, 2016.

Florida Data Protection Law: CADRA

Florida’s new data protection law, the Computer Abuse and Data Recovery Act (CADRA), becomes effective October 1, 2015.

The purpose of this new law is to provide a civil remedy to business owners who suffer harm or loss resulting from unauthorized access to computer systems and business data. The law was also created to offer a framework for other legislation to provide businesses the right to recover damages.

What is protected under CADRA?

To be protected under CADRA, certain ‘technological access barriers’ (TABs) must be in place to protect computers and data. Access control methods include passwords, security codes, tokens, or similar measures.

When is CADRA violated?

An individual violates CADRA when he or she does any of the following “knowingly and with intent to cause harm or loss”:

  • Obtains information from a TAB-protected computer without authorization and causes harm or loss;
  • Causes the transmission of a program, code, or command to a TAB-protected computer and causes harm or loss; or
  • Traffics in any TAB through which access to a protected computer might be gained without authorization.

Who is an authorized user?

Directors, officers, employees, and others are authorized users when they have express permission from the business owner to access TAB-protected computers. That authorization is stripped when the relationship between the individual and the business ends.

What remedies does CADRA allow?

CADRA allows business owners to recover certain damages including:

  • Lost profits
  • Economic damages
  • Profits gained by the violator
  • Reasonable attorneys’ fees
  • Injunctive relief to prevent further harm and recover the stolen information

DoD Issues New Cyber Incident Reporting Requirements

The Department of Defense issued new interim rules amending the Defense Federal Acquisition Regulation Supplement. The important provisions include expanded incident reporting requirements for contractors and increased security requirements for cloud service providers.

DoD added several regulatory definitions to contractors’ security requirements including:

  1. Compromise: A disclosure of information to unauthorized persons or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
  2. Cyber Incident: Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing within that system.
  3. Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

Contractors and subcontractors are now required to report such cyber incidents to the DoD within 72 hours of discovery.

For cloud computing providers, the new provisions require that government data not stored at a DoD location be maintained within the United States or its outlying areas.

The DoD’s new interim rules create additional requirements that government contractors must become familiar with to stay in compliance with the Defense Federal Acquisition Regulations.