New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.
At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.
The new statute, which will become effective on October 1, 2012, is remarkably straightforward and simple in comparison to other states’ laws that mandate breach notification or reporting. Specifically, the data breach statutes of most states provide a type of safe harbor by mandating notification in the event of a data breach of personal information, but defining “personal information” as unencrypted personal information. The effect is that the breach of the encrypted personal information does not require a breach notification. Connecticut’s new statute does not allow for such a loophole. For example, under the Connecticut statute, “breach notification” means:
Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [sec. 369-701b(a)]
Of course, the Connecticut statute isn’t perfect, as the resolution of some problems remains unclear. (E.g., would password protection be considered a method that “renders the personal information unreadable or unusable”? Why is the breach regulated to only computerized data?) Still, it is superior to the data breach statutes of most other states, which often require analysis of multiple different sections and complex definitions. Also, as an added bonus, Section 369-701b operates in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or are promulgated by industry regulators (e.g., the Connecticut Department of Insurance Bulletin 1C-25). Finally, failure to comply with the new Connecticut Statute constitutes an “unfair trade practice” under Connecticut Statutes section 42-1106 and is enforceable by the Attorney General.
Vermont recently updated its data breach law, in particular the notice requirement. Act 109, effective as of May 8, 2012, now requires that notification to consumers of a security breach occur no later than 45 days after discovery of the incident and include the approximate date of the breach, if known. In addition, the Vermont Attorney General must be notified within 14 business days of either discovery of the security breach or notice to consumers, whichever is sooner, and the notice must include the date of the breach, date of discovery of the breach and a preliminary description of the breach.
Although the revised notice requirement is the most significant change to the Vermont law, it is not the only change. With Act 109, Vermont adopts the industry standard label “Personally Identifiable Information” (“PII”) in lieu of the former “personal information” and alters what constitutes a data breach, removing the “on access” criterion and leaving it as “unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of an individual’s PII. Finally, the revised legislation provides a list of factors that may help determine whether the PII has been or is reasonably believed to be acquired.
While not a data breach statute, the new Illinois law is groundbreaking in the privacy arena. Public Act 097-0875, which was signed into law on August 1, 2012, makes it illegal for an employer to request social network account information from its employees in order to gain access to the employee’s profiles, and prevents employers from screening potential job candidates or reprimanding current employees based on social network information that would otherwise be private. Employers can, however, view any information that is publicly available. Moreover, nothing in the law limits an employer’s right to maintain workplace policies governing applicable use of social networking sites.
Illinois is only the second state in the country to enact this type of legislation (Maryland is the first!), but it is likely that many more states will follow suit.
Cyberinquirer strongly recommends that companies institute a system to monitor and adjust their internal data breach response policies and procedures to ensure compliance with continuously changing laws like the new Connecticut and Vermont statutes, and that companies make their employees aware of the potential for privacy legislation such as that in Maryland and Illinois.