As reported in BNA Privacy Law Watch, on June 27, 2018, Equifax entered into a consent order (the “Order”) with 8 state banking regulators (the “Multi-State Regulatory Agencies”), including those in New York and California, arising from the company’s 2017 data breach that exposed the personal information of 143 million consumers. Continue Reading Equifax Enters Into Consent Order with State Banking Regulators Regarding 2017 Data Breach

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020. Continue Reading California Consumer Privacy Act Signed, Introduces Key Privacy Requirements for Businesses

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. Continue Reading California Assembly Bill Aims to Avert State Ballot Initiative Related to Privacy

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.” Continue Reading Virginia Amends Breach Notification Law Applicable to Income Tax Information

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information. Continue Reading Iowa and Nebraska Enact Information Security Laws

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information. Continue Reading California Ballot Initiative to Establish Disclosure and Opt-Out Requirements for Consumers’ Personal Information

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information. Continue Reading Colorado Amends Data Breach Notification Law and Enacts Data Security Requirements

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

  • Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
  • Definition of “Brokered Personal Information.” “Brokered personal information” is defined broadly to mean one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties: (1) name, (2) address, (3) date of birth, (4) place of birth, (5) mother’s maiden name, (6) unique biometric data, including fingerprints, retina or iris images, or other unique physical or digital representations of biometric data, (7) name or address of a member of the consumer’s immediate family or household, (8) Social Security number or other government-issued identification number, or (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable security.
  • Registration Requirement. The law requires data brokers to register annually with the Vermont Attorney General and pay a $100 annual registration fee.
  • Disclosures to State Attorney General. Data brokers must disclose annually to the State Attorney General information regarding their practices related to the collection, storage or sale of consumers’ personal information. Data brokers also must disclose annually their practices, if any, for allowing consumers to opt out of the collection, storage or sale of their personal information. Further, the law requires data brokers to report annually the number of data breaches experienced during the prior year and, if known the total number of consumers affected by the breaches. There are additional disclosure requirements if the data broker knowingly possesses brokered personal information of minors, including a separate statement detailing the data broker’s practices for the collection, storage and sale of that information and applicable opt-out policies. Importantly, the law does not require data brokers to offer consumers the ability to opt out.
  • Information Security Program. The law requires data brokers to develop, implement and maintain a written, comprehensive information security program that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
  • Elimination of Fees for Security Freezes. The law eliminates fees associated with a consumer placing or lifting a security freeze. Previously, Vermont law allowed for fees of up to $10 to place, and up to $5 to lift temporarily or remove, a security freeze.
  • Enforcement. A violation of the law is considered an unfair and deceptive act in commerce in violation of Vermont’s consumer protection law.
  • Effective Date. The registration and data security obligations take effect January 1, 2019, while the other provisions of the law take effect immediately.

In a statement, Vermont Attorney General T.J. Donovan said, “This bill not only saves [Vermonters] money, but it gives them information and tools to help them keep their personal information secure.”

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018. Continue Reading Louisiana Amends Data Breach Notification Law, Eliminates Fees for Security Freezes

On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement. Continue Reading Oregon Amends Data Breach Notification Law