Legislating Cybersecurity: 2018 Adds Patches to the Quilt of Data Privacy Law Across the US
Statehouses across the country are endeavoring to blanket all potential vulnerabilities through a narrowed focus on privacy and security. New Jersey is no different, with nearly 50 pending bills addressing data, privacy and cybersecurity.
November 28, 2018 at 10:00 AM
Data privacy and security law in the U.S. is like a patchwork quilt of many shapes and patterns. The first patches were formed by the common law right to privacy, see, e.g., Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890), and since then, the patchwork has proliferated with acronym-laden privacy and security protections at the federal level (e.g., GLBA, FCRA, FACTA, HIPAA and FERPA), and state legislative efforts in reaction to the consumerization of the internet, the miniaturization of processing power, and the globalization of the information economy.
At present, statehouses across the country are endeavoring to blanket all potential vulnerabilities through a narrowed focus on privacy and security. New Jersey is no different, with nearly 50 pending bills addressing data, privacy and cybersecurity. All this legislative activity will have a direct and dramatic impact on how business is conducted in New Jersey and across the country.
Consumer protection has been a major legislative focus in 2018. Historically, the Federal Trade Commission (FTC) unilaterally assumed primary responsibility for privacy and data security enforcement under Section 5 of the FTC Act. See 15 U.S.C. §45(a). Although the question is far from settled, the Third Circuit and Eleventh Circuit have both addressed the scope of the FTC's authority to regulate data privacy and security: the Third Circuit upheld the FTC's power to challenge inadequate data security practices as "unfair" under Section 5, while the Eleventh Circuit vacated an FTC order because it did not specify the security practices it required of the company. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); LabMD v. FTC, 891 F.3d 1286 (11th Cir. 2018).
States also have exercised their own authority to protect the security of their residents' personal data, see, e.g., 201 CMR 17.01-17.05 (Massachusetts), and to require businesses to disclose data breaches, see, e.g., N.J. Stat. §56:8-163 (New Jersey). More recently, state legislatures have not been shy about enacting laws on a range of consumer protection issues, including data security, consumer privacy rights, and data sales.
Compliance with state-based provisions typically is premised on doing business in the state, which at times means simply collecting or processing personal information on state residents. For this reason alone, non-New Jersey statutes may have extraterritorial application to New Jersey companies that do not have a physical presence in other states.
Although New Jersey has not recently passed substantial data privacy or cybersecurity legislation, the legislature's pending bills are emblematic of larger trends across the country for enhanced data security laws. By way of example:
- Bill 3923 seeks to have companies conspicuously post their privacy policies. The bill would require companies to include standard information in privacy policies, including: the categories of personal information collected, the categories of personal information that may be shared with third parties, procedures to review and change personal information if such rights are offered, procedures to notify consumers of changes to its privacy policy, the effective date of the privacy policy, procedures to respond to do-not-track signals, and whether third parties may access a data subject's personal information. The bill also would employ an expansive definition of “personally identifiable information” to include “information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service.”
- Bill 4117 would prohibit cloud service providers from disclosing educational records to anyone except a student, teacher or staff member of that school. The bill would require certification of compliance and would permit fines up to $5,000 for a first offense and $10,000 for each subsequent offense.
- Bill 4640 would require that businesses disclose their personal data collection practices to data subjects, and offer data subjects the opportunity to opt out of the collection of personal information by a business. The bill would provide data subjects certain rights, including: the right to obtain a copy of the data subject's personal information in the company's possession, and the right to opt out of the processing of the data subject's personal information. Further, the bill includes a very broad definition of “personally identifiable information,” which essentially is “any information that personally identifies, describes, or is able to be associated with a data subject.” The bill also would require the implementation of an information security program, and comes with penalties of up to $750 per data subject per security incident for noncompliance.
Regardless of whether the New Jersey bills are adopted into law, they are not unique in the patchwork of potentially applicable privacy and security statutes and regulations, and are consistent with trends in data privacy legislation that establish current and future compliance obligations for many New Jersey companies.
Most significantly, California passed the California Consumer Privacy Act (CaCPA). See Cal. Civ. Code § 1798.100 et seq., as amended (operative January 1, 2020). Widely compared to the European Union's General Data Protection Regulation (GDPR), see Reg. (EU) 2016/679 (operative May 25, 2018, and applicable to U.S. data controllers under Article 3(2)), CaCPA provides consumers several rights: a limited private right of action for certain data breaches; the right to know what information a company has on a data subject, including how it is sourced and whether it is disclosed or sold; the right to deletion of personal information; and the right to receive equal service and pricing despite exercising those rights. Additionally, CaCPA is designed with transparency in mind, meaning that companies are required to make several types of disclosures regarding their use of personal information, including disclosure of the rights that data subjects have. It is also worth noting that CaCPA expanded the definition of personal information to include "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" but exempts information that is publicly available. See Cal Civ Code §1798.140(o)(1)-(2). A New Jersey company that does business in California must comply with CaCPA's provisions if it has annual gross revenue over $25 million; annually buys, receives, shares or sells the personal information of 50,000 or more consumers, households or devices; or derives 50 percent or more of its annual revenue from the sale of personal information. See Cal Civ Code §1798.140(c).
Several other states took action in the name of protecting the personal information of residents. Colorado passed HB 18-1128, which serves multiple purposes: 1) amends the state's breach notification law requiring notice to affected residents within 30 days of the date of determination of a breach with specific content requirements; 2) requires reasonable data security protection measures including a written disposal policy; and 3) places responsibility on a data controller for the actions of third-party service providers through a flow-down provision. Nebraska also implemented legislation this year, LB 757, requiring companies to have reasonable data security procedures and practices, which applies to New Jersey companies conducting business in Nebraska and collecting personal information on Nebraska residents. Nebraska, like Colorado, also requires affected businesses to push down reasonable data security practices via contract with their vendors.
With respect to breach notification laws that likely have extraterritorial application to New Jersey businesses, Alabama and South Dakota began 2018 as the only states without a breach notification law, but each passed one this year. Alabama's SB 318 in many ways mirrors standard breach notification provisions across the country, but goes further by requiring businesses to implement and maintain reasonable data security practices to protect personal information collected on Alabama residents. Additionally, Alabama's definition of “sensitive personally identifying information” is more expansive than that of most states, and includes a resident's name in combination with one of several data elements, including “[a]ny information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” and a “user name or email address, in combination with a password or security question and answer” that would permit access to such account.
South Dakota's breach notification law, SB No. 62, has a limited definition of breach (i.e., unauthorized acquisition of unencrypted personal information), but includes a broad definition of personal information by incorporating into the statute "protected information," which covers a username or email address together with a password or security question that would grant access to the account, or an account number together with an access code. Other states with existing breach notification laws updated their statutes. See, e.g., Arizona HB 2145 (expands definition of personal information, requires notice within 45 days, and permits penalties of up to $500,000 for willful violations); Louisiana Act No. 382 (expands definition of personal information, requires notice within 60 days, and mandates destruction of records containing personal information that the business does not intend to retain); and Oregon SB 1551 (applies to anyone who possesses personal information, expands definition of personal information, and requires notice within 45 days).
Finally, Vermont passed the country's first data broker law, H. 764, which seeks to regulate the aggregation and sale of personal information on Vermont residents. The law has a broad definition of personal information that includes “information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty,” and applies to a data broker that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Data brokers must register with the state, make annual disclosures to the state regarding their privacy practices and breach incidents, and maintain a comprehensive written information security program.
It is clear from the activity in 2018, both in New Jersey and across the country, that legislation is being proposed and adopted with increasing regularity that is: (i) expanding the definition of protected personal information; (ii) requiring companies to implement and maintain more expansive information security programs and practices; (iii) demanding additional transparency and disclosure of companies' data collection, processing and use practices; and (iv) implementing increasingly severe penalties for noncompliance. As a result, it is also clear that there is an ever-expanding patchwork quilt of compliance obligations that have a direct and dramatic impact on operations, which seems like cold comfort for companies in New Jersey and across the country.
John T. Wolak is Team Leader of the Privacy & Data Security Team at Gibbons P.C. in Newark. Randy A. Gray is an associate at the firm and a member of the Privacy & Data Security Team.