Legislating Cybersecurity: 2018 Adds Patches to the Quilt of Data Privacy Law Across the US

Data privacy and security law in the U.S. is like a patchwork quilt of many shapes and patterns. The first patches were formed by the common law right to privacy, see, e.g., Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890), and since then, the patchwork has proliferated with acronym-laden privacy and security protections at the federal level (e.g., GLBA, FCRA, FACTA, HIPAA and FERPA), and state legislative efforts in reaction to the consumerization of the internet, the miniaturization of processing power, and the globalization of the information economy.

At present, statehouses across the country are endeavoring to blanket all potential vulnerabilities through a narrowed focus on privacy and security. New Jersey is no different, with nearly 50 pending bills addressing data, privacy and cybersecurity. All this legislative activity will have a direct and dramatic impact on how business is conducted in New Jersey and across the country.

Consumer protection has been a major legislative focus in 2018. In the past, the Federal Trade Commission (FTC) unilaterally assumed primary responsibility for privacy and data security enforcement under Section 5 of the FTC Act. See 15 U.S.C. §45(a). Although the question is far from settled, the Third Circuit and Eleventh Circuit have both addressed, in some regard, the FTC’s authority to regulate data privacy and security. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015); LabMD v. FTC, 891 F.3d 1286 (11th Cir. 2018).

States also wielded the authority to augment the security of their residents’ personal data, see, e.g., 201 CMR 17.01-17.05 (Massachusetts), and to require businesses to disclose data breaches, see, e.g., N.J. Stat. §56:8-163 (New Jersey). More recently, state legislatures have not been shy about enacting laws on a range of consumer protection issues, including data security, consumer privacy rights, and data sales.

Compliance with state-based provisions typically is premised on doing business in the state, which at times means simply collecting or processing personal information on state residents. For this reason alone, non-New Jersey statutes may have extraterritorial application to New Jersey companies that do not have a physical presence in other states.

Although New Jersey has not recently passed substantial data privacy or cybersecurity legislation, the legislature’s pending bills are emblematic of larger trends across the country for enhanced data security laws. By way of example:

• • Bill 3923 seeks to have companies conspicuously post their privacy policies. The bill would require companies to include standard information in privacy policies, including: the categories of personal information collected, the categories of personal information that may be shared with third parties, procedures to review and change personal information if such rights are offered, procedures to notify consumers of changes to its privacy policy, the effective date of the privacy policy, procedures to respond to do-not-track signals, and whether third parties may access a data subject’s personal information. The bill also would employ an expansive definition of “personally identifiable information” to include “information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service.”

• • Bill 4117 would prohibit cloud service providers from disclosing educational records to anyone except a student, teacher or staff member of that school. The bill would require certification of compliance and would permit fines up to $5,000 for a first offense and $10,000 for each subsequent offense.

• • Bill 4640 would require that businesses disclose their personal data collection practices to data subjects, and offer data subjects the opportunity to opt out of the collection of personal information by a business. The bill would provide data subjects certain rights, including: the right to obtain a copy of the data subject’s personal information in the company’s possession, and the right to opt out of the processing of the data subject’s personal information. Further, the bill includes a very broad definition of “personally identifiable information,” which essentially is “any information that personally identifies, describes, or is able to be associated with a data subject.” The bill also would require the implementation of an information security program, and comes with penalties of up to $750 per data subject per security incident for noncompliance.

• Regardless of whether the New Jersey bills are adopted into law, they are not unique in the patchwork of potentially applicable privacy and security statutes and regulations, and are consistent with trends in data privacy legislation that establish current and future compliance obligations for many New Jersey companies.

Most significantly, California passed the California Consumer Privacy Act (CaCPA). See Cal. Civ. Code § 1798.100 et seq., as amended (operative January 1, 2020). Analyzed by many as akin to the European Union’s General Data Protection Regulation (GDPR), see Reg. (EU) 2016/679 (operative May 25, 2018, and applicable to United States’ data controllers under Article 3(2)), CaCPA provides consumers several rights: a private right of action for data breaches; the right to know what information a company has on a data subject including how it is sourced and whether it is disclosed or sold; the right to deletion of personal information; and the right to receive equal service and pricing despite exercising personal rights. Additionally, CaCPA is designed with transparency in mind, meaning that companies are required to make several types of disclosures regarding use of personal information, including disclosure of the rights that data subjects have. It is also worth noting that CaCPA expanded the definition of personal information to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” but exempts information that is publicly available. See Cal Civ Code §1798.140(o)(1)-(2). A New Jersey company that does business in California must comply with CaCPA’s provisions if it has annual gross revenue over $25 million, buys, receives, shares or sells personal information of 50,000 consumers or more, or derives 50 percent or more of its annual revenue from the sale of personal information. See Cal Civ Code §1798.140(c).

Several other states took action in the name of protecting the personal information of residents. Colorado passed HB 18-1128, which serves multiple purposes: 1) amends the state’s breach notification law requiring notice to affected residents within 30 days of the date of determination of a breach with specific content requirements; 2) requires reasonable data security protection measures including a written disposal policy; and 3) places responsibility on a data controller for the actions of third-party service providers through a flow-down provision. Nebraska also implemented legislation this year, LB 757, requiring companies to have reasonable data security procedures and practices, which applies to New Jersey companies conducting business in Nebraska and collecting personal information on Nebraska residents. Nebraska, like Colorado, also requires affected businesses to push down reasonable data security practices via contract with their vendors.

With respect to breach notification laws that likely have extraterritorial application to New Jersey businesses, Alabama and South Dakota began 2018 as the only states without a breach notification law, but each passed one this year. Alabama’s SB 318 in many ways mirrors standard breach notification provisions across the country, but goes further by requiring businesses to implement and maintain reasonable data security practices to protect personal information collected on Alabama residents. Additionally, Alabama’s definition of “sensitive personally identifying information” is more expansive than that of most states, and includes a resident’s name in combination with one of several data elements, including “[a]ny information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” and a “user name or email address, in combination with a password or security question and answer” that would permit access to such account.

South Dakota’s breach notification law, SB No. 62, has a limited definition of breach (i.e., unauthorized acquisition of unencrypted personal information), but includes a broad definition of personal information by incorporating into the statute “protected information” that is a username or email address together with a password or security question that would grant access to the account or an account number together with an access code. Other states with existing breach notification laws updated their statutes. See, e.g., Arizona HB 2145 (expands definition of personal information, requires notice within 45 days, and permits penalties of up to $500,000 for willful violations); Louisiana Act. No. 382 (expands definition of personal information, requires notice within 60 days, and mandates destruction of records containing personal information that the business does not intend to retain); and Oregon SB 1551 (applies to anyone who possesses personal information, expands definition of personal information, and requires notice within 45 days).

Finally, Vermont passed the country’s first data broker law, H. 764, which seeks to regulate the aggregation and sale of personal information on Vermont residents. The law has a broad definition of personal information that includes “information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty,” and applies to a data broker that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Data brokers must register with the state, make annual disclosures to the state regarding their privacy practices and breach incidents, and maintain a comprehensive written information security program.

It is clear from the activity in 2018, both in New Jersey and across the country, that legislation is being proposed and adopted with increasing regularity that is: (i) expanding the definition of protected personal information; (ii) requiring companies to implement and maintain more expansive information security programs and practices; (iii) demanding additional transparency and disclosure of companies’ data collection, processing and use practices; and (iv) implementing increasingly severe penalties for noncompliance. As a result, it is also clear that there is an ever-expanding patchwork quilt of compliance obligations that have a direct and dramatic impact on operations, which seems like cold comfort for companies in New Jersey and across the country.

---

Reprinted with permission from the December 3, 2018 issue of the New Jersey Law Journal. © 2018 ALM Media Properties, LLC.
Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.