
State Privacy Laws Evolve While Congress Campaigns

New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.

Connecticut

At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly’s Special Session as an attachment of the Budget Bill.

The new statute, which will become effective on October 1, 2012, is remarkably straightforward and simple in comparison to other states’ laws that mandate breach notification or reporting. Specifically, the data breach statutes of most states provide a type of safe harbor by mandating notification in the event of a data breach of personal information, but defining “personal information” as unencrypted personal information. The effect is that a breach of encrypted personal information does not require a breach notification. Connecticut’s new statute does not allow for such a loophole. For example, under the Connecticut statute, “breach notification” means:

Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [sec. 369-701b(a)]

Of course, the Connecticut statute isn’t perfect, as the resolution of some problems remains unclear. (E.g., would password protection be considered a method that “renders the personal information unreadable or unusable”? Why is the statute limited to breaches of computerized data only?) Still, it is superior to the data breach statutes of most other states, which often require analysis of multiple different sections and complex definitions. Also, as an added bonus, Section 369-701b operates in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or are promulgated by industry regulators (e.g., the Connecticut Department of Insurance Bulletin 1C-25). Finally, failure to comply with the new Connecticut statute constitutes an “unfair trade practice” under Connecticut Statutes section 42-1106 and is enforceable by the Attorney General.

Vermont

Vermont recently updated its data breach law, in particular the notice requirement. Act 109, effective as of May 8, 2012, now requires that notification to consumers of a security breach occur no later than 45 days after discovery of the incident and must include the approximate date of the breach, if known. In addition, the Vermont Attorney General must be notified within 14 business days of either discovery of the security breach or notice to consumers, whichever is sooner, and the notice must include the date of the breach, the date of discovery of the breach and a preliminary description of the breach.

Although the revised notice requirement is the most significant change to the Vermont law, it is not the only change. With Act 109, Vermont adopts the industry standard label “Personally Identifiable Information” (“PII”) in lieu of the former “personal information” and alters what constitutes a data breach, removing the “on access” criterion and leaving it as “unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of an individual’s PII. Finally, the revised legislation provides a list of factors that may help determine whether the PII has been or is reasonably believed to have been acquired.

Illinois

While not a data breach statute, the new Illinois law is groundbreaking in the privacy arena. Public Act 097-0875, which was signed into law on August 1, 2012, makes it illegal for an employer to request social network account information from its employees in order to gain access to the employees’ profiles, and prevents employers from screening potential job candidates or reprimanding current employees based on social network information that would otherwise be private. Employers can, however, view any information that is publicly available. Moreover, nothing in the law limits an employer’s right to maintain workplace policies governing applicable use of social networking sites.

Illinois is only the second state in the country to enact this type of legislation (Maryland is the first!), but it is likely that many more states will follow suit.

Cyberinquirer strongly recommends that companies institute a system to monitor and adjust their internal data breach response policies and procedures to ensure compliance with continuously changing laws like the new Connecticut and Vermont statutes, and that companies make their employees aware of the potential for privacy legislation such as that in Maryland and Illinois.


One Response to “State Privacy Laws Evolve While Congress Campaigns”

  1. Challenger Says:

    Thank you for your summary. This will be helpful when our out-of-state clients request information about this topic.

    I would like to know why you consider the access of encrypted data as a “loophole”? We perform full disk encryption of every hard drive we have using 256 AES from TruCrypt. Even if God himself hacks into our hard drive no one is going to get any data without the 25 digit password. If I didn’t give up the password to that Colombian drug runner who offered me $1,000,000 I am not going to give it up to God either. The point is we should encourage every “data bank” out there to use whole disk encryption. There are countless examples of stolen IDs and credit cards because some IT guy assured everyone they were hack proof and so they did everything except encrypt the drives when that is what they should have done first.

    Encryption does not slow you down enough to make any real difference, and when the servers are secure in a high security data center no one will be freezing the RAM chips to capture the passwords. I would say they are safer than any non-encrypted drive, hacked or not. After all, no data leak is the goal and there will not be a data leak if all of the data is encrypted. Is that not the idea, absolute data protection?

    Thank you.
