Narrowing the focus to legislation that conveys certain rights to consumers and restricts the use of personal information, more than 60 bills were considered in almost 30 states. A comparison chart of those bills can be accessed here.
- Right to access
- Right to correct (except Iowa)
- Right to delete
- Right to obtain
- Right to opt-out of certain processing
- Data and entity-level Gramm-Leach-Bliley Act exemptions (Oregon is data-level only but includes an entity-level exemption for financial institutions as defined in Rev. Stat. Ann. § 706.008)
- Requirements for contracts between controllers and processors
- Risk assessments for processing certain data (except Iowa)
- No private right of action
State Data Breach Notification Laws
- Creation of the Utah Cyber Center tasked with, among other things, developing a cybersecurity plan for government agencies, identifying, assessing, and mitigating cyber threats, and promoting cybersecurity best practices;
- Shortening the time to notify the attorney general from 60 days to 30;
- Requiring notification be submitted electronically using a form provided on the attorney general’s website.
Nevada SB 355 was enacted June 15 and went into effect Oct. 1. The law amends Nevada’s data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) by exempting installment loan companies and making them subject to different data breach notification provisions, including:
- The notice deadline is 30 days, as opposed to “in the most expedient time possible and without unreasonable delay”;
- Breach notification by email is prohibited if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
- Notice must be made to the attorney general if there are more than 500 affected residents;
- There is no safe harbor for data controllers subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act;
- Notice must be provided to consumer reporting agencies if the breach affects more than 1,000 persons.
- Adding “precise geolocation data” to the definition of “personal information”;
- Depositing civil penalties into a “privacy protection guaranty and enforcement account”;
- Designating a violation as an unfair trade practice under Conn. Gen. Stat. § 42-110b.
- Adding definitions for “classified data” and “cybersecurity incident”;
- Requiring notification to the state police within 24 hours;
- Specifying what must be included in a notification.
- Methods for allowing consumers to exercise the right to correct personal information;
- Required terms that must be included in contracts between businesses and the service providers and third parties with whom personal information is shared or disclosed;
- Modified notice requirements;
- Additional guidance on what constitutes a “dark pattern”;
- Expectations regarding opt-out preference signals.
- Heightened security measures for Class A companies;
- Annual penetration testing by a qualified internal or external party;
- Automated or manual scans of information systems;
- Risk assessments reviewed and updated annually, or as necessary;
- Multi-factor authentication for any individual accessing any information system;
- Notification to the Superintendent of any cybersecurity incident within 72 hours;
- Annual certification of compliance, or acknowledgment of noncompliance;
- Notice and explanation of extortion payments made in connection with a cybersecurity incident.
In September, the Federal Trade Commission announced its approval of an amendment to the Gramm-Leach-Bliley Act Safeguards Rule requiring nonbank financial institutions to report to the FTC the unauthorized acquisition of unencrypted customer information involving at least 500 consumers (a “notification event”). The amendment, which becomes effective May 13, 2024, also provides:
- Notification must be made as soon as possible, and no later than 30 days after discovery of the event;
- Notice must be provided through an online form that will be available on the FTC’s website;
The notice must include:
- the name and contact information of the reporting financial institution;
- a description of the types of information that were involved in the notification event;
- if the information is possible to determine, the date or date range of the notification event;
- the number of consumers affected or potentially affected by the notification event;
- a general description of the notification event; and
- whether any law enforcement official provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.
2024 will undoubtedly be a remarkable year with respect to data privacy and security legislation and regulation, and we expect an increased focus on issues related to the use of artificial intelligence. For more information and insight from Maurice Wutscher on data privacy and security laws and how to stay compliant, click here.