Part III of our 2015 predictions series comes from Of Digital Interest editor and McDermott partner, Heather Sussman, who predicts that states will be active with privacy and data security legislation during 2015.

States Active with Privacy and Data Security Legislation

With comparatively little movement from the federal government in 2014, state legislatures around the country have been working to take an active role in addressing the ever-increasing public concern over the collection, use, disclosure and disposal of personal information.  Of the 23 states that introduced or considered security breach notification legislation in 2014, at least 11 enacted their bills into law. There remain several bills pending in 2015 in state legislatures across the United States. that may amend or impact the breach notification landscape. 

For 2015, we predict action in the following states:

  • Both Massachusetts and New Jersey have pending bills that aim to further protect financial information, focusing on the breach of “access devices” associated with electronic transactions. Massachusetts SB 132 and New Jersey AB 1239 propose to add restrictions on data retention of certain financial information collected from access devices, as well as dictate how financial institutions will recover costs after a breach.
  • In Pennsylvania, the legislature is considering AB1329, which increases penalties for failure to report a breach to $5,000 for a first offense, $10,000 for a second offense, and $15,000 for a third or subsequent offense, AB2480, which requires certain notifications and free credit reports for six months following breach, and AB3146/SB2188, which requires notification of a breach of online account credentials.
  • Two Rhode Island bills impact existing breach laws: HB 5769, which enumerates additional patient’s rights, including the right to be notified in the event of a breach of confidential health care information, and HB 7519 which mandates specific content in breach notifications to consumers.  Notifications now must include contact information for consumer reporting agencies and the Federal Trade Commission (FTC), a statement that an individual can obtain information regarding fraud alerts and security freezes, and a statement that warms against possible imposters who attempt to fraudulently notify individuals of security breaches.  This latter bill would also require providing one year of credit monitoring at no cost to individuals whose data are impacted in the breach.
  • Delaware also has two bills pending: SB101 which would clarify that a person who is a victim of a “Digital Data Breach” shall have seven years from the date the personal information is posted in which to bring a civil action for damages, and SB102 which would add name, birth date and address to the definition of personal information.  The latter bill also provides either of the following specific damages for breach victims, whichever is greater: consequential damages, profits derived from the unauthorized use, or both; or $1,000 per breach per person if no actual damages can be proven.  Punitive damages may be awarded against a person found to have willfully violated this Chapter

In addition to legislation seeking to amend existing breach notification laws, we predict continued debate in 2015 on the following bills, with New York State’s Online Privacy Act having the greatest potential to change the privacy landscape for online businesses in 2015.

CALIFORNIA

SB34: Automated License Plate Recognition Systems: Use of Data

  • Would impose specified requirements on an automated license plate recognition (ALPR) operator including, among others, ensuring that the information the ALPR operator collects is protected with certain safeguards, and implementing and maintaining specified security procedures and a usage and privacy policy with respect to that information.
  • Would require an ALPR operator that accesses or provides access to ALPR information to maintain a specified record of that access.
  • Would require an ALPR end-user to implement and maintain a specified usage and privacy policy.
  • Would authorize an individual who has been harmed by a violation of these provisions to bring a civil action against a person who knowingly caused that violation.
  • Would include information or data collected through the use or operation of an automated license plate recognition system, when that information is not encrypted and is used in combination with an individual’s name, in the definition of “personal information” discussed above.

SB26: Statewide Health Care Cost and Quality Database

  • Seeks to create a statewide health care cost and quality database comprised of health care performance information.
  • With a goal of making this database publicly available, timely and comprehensive, the bill would require all data disclosures pursuant to the bill’s provisions to comply with all applicable state and federal laws protecting privacy and security of data.
  • Also prohibits public disclosure of any unaggregated, individually identifiable health information.

MASSACHUSETTS

HB298: An Act Relative to Identity Theft Protection

  • Creates a new chapter entitled “Consumer Breach Notification”
    • Defines “personal information,” “security breach,” “data collector,” et al.
    • Creates notice requirements (time, content, form).
    • The bill amends existing penalties available for such breaches.

NEW YORK

SB5932: Student Information

  • Prohibits the release of personally identifiable student information where parental consent is not provided.

SB7358: New York State Online Privacy Act

  • Establishes the New York State Online Privacy Act; includes definitions, requirements to post a privacy policy, specifications for minors and responsibilities of operators, liability and enforcement.
  • Creates the Office of Privacy Protection to be headed by a Commission of Privacy and Protection and assisted by an advisory committee, with the powers and duties to provide guidance, make recommendations, develop programming, and receive complaints and undertake investigations.

RHODE ISLAND

HB5769/SB649: Confidentiality of Health Care Communications and Information

  • Created a section on Patient’s Rights, which permits patients to obtain a copy of their confidential health care information and communications within 10 days of a request, a copy of a disclosure report and to be notified of a breach.