Bipartisan legislation aiming to improve current data privacy laws was recently introduced in Colorado. The bill would require entities to implement “reasonable security procedures” to protect consumers’ personal information and would also expand the notification requirements.
Protections for Consumer Data Privacy (HB18-1128) also expands the definition of “personal information,” and would account for medical information, health insurance information, and biometric data.
The bill would treat the following data as personal information; when compromised together with consumers’ first and last names, it would require notification:
- Social Security number
- Driver’s license number or identification card number
- Account number or credit card or debit card number
- Medical information
- Health insurance information
- Biometric data
- User name or email address, in combination with a password or security questions and answers, that would permit access to an online account.
Data breach notification “must be made in the most expedient time possible and without unreasonable delay, but not later than forty-five days from the date of the security breach,” the bill reads. However, entities can adhere to law enforcement needs or other necessary investigative measures being used to determine the scope of the breach and “restore the reasonable integrity of the computerized data system.”
"Regardless of the need to provide notice to affected Colorado residents…the individual or commercial entity that was breached shall provide notice of any unauthorized acquisition of unencrypted or encrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or commercial entity to the Colorado Attorney General as soon as practicable but not later than seven days after discovery of the unauthorized acquisition of data if such unauthorized acquisition affected or is reasonably believed to have affected five hundred Colorado residents or more," the legislation reads.
HB18-1128 also requires that Colorado entities develop a written policy for the destruction or proper disposal of paper and electronic documents used during the course of business that contain personal identifying information.
South Dakota Senate Judiciary Committee approves data breach bill
South Dakota’s Senate Judiciary Committee recently approved data breach legislation that would require state residents to be notified “not later than forty-five days from the discovery or notification of the breach of system security.”
“Any information holder that experiences a breach of system security under this section shall disclose to the attorney general by mail or electronic mail any breach of system security that exceeds two hundred fifty residents of this state,” the legislation reads.
The bill defines a breach as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
Medical information and health insurance information are also considered personal information in the bill.
“Each failure to disclose under the provisions of this Act is a deceptive act or practice under § 37-24-6,” the bill states. “In addition to any remedy provided under chapter 37-24, the attorney general may bring an action to recover on behalf of the state a civil penalty of not more than ten thousand dollars per day per violation.”
PHI included in proposed Arizona data breach law
A data breach law accounting for PHI was introduced in Arizona. The legislation would also include physical characteristics, taxpayer identification numbers or IRS issued identification numbers, user name or email address, and student personally identifiable data under the definition of personal information.
Current Arizona law requires notification be given in the "most expedient manner possible and without unreasonable delay." The updated law would require organizations to notify the Attorney General and notify individuals within 30 days.
The legislation would keep the current requirement that notice is not needed if data was encrypted or redacted.
Virginia to review two laws concerning data security
Two pieces of legislation were recently introduced in Virginia that could affect how the Commonwealth’s organizations approach consumer data security.
The Virginia Consumer Protection Act (HB1588) was introduced by Rep. Kelly Convirs-Fowler, and would require consumer reporting agencies to disclose a breach of security of a computerized data system within 15 days.
Separate legislation proposes a study by the Joint Commission on Technology and Science to “evaluate and compare the various methods used by localities to report unauthorized breaches of personal information to the Office of the Attorney General and affected residents of the Commonwealth.”
HJ39 would also “identify one or more methods of reporting, such as through a central portal system, that promote the efficient and timely reporting of information breaches” and “develop a list of best practices, processes, and resources that localities can use for cyber security remediation assistance and to report unauthorized information breaches.”
Breaches of secured information have increased over the past several years, the joint resolution explained. Cyberattacks are also becoming more common in the US, with identity theft a common outcome. There must be an efficient and timely manner for data breach reporting, the resolution authors explained.
“A work group of the Commonwealth of Virginia Cyber Security Commission has determined, on the basis of feedback received during outreach events, that localities need a reliable source of clear, concise, and understandable cyber threat information, including best practices and processes for requesting cyber security remediation assistance as well as a method to report cyber incidents,” the joint resolution read.
Meetings shall be completed by November 30, 2018 and an executive summary of findings as well as recommendations will be submitted no later than the first day of the 2019 Regular Session of the General Assembly.