Data privacy and breach notification has become a hot topic for state legislatures—thanks, in part, to the prompting of State AGs and a recent spate of high profile data breaches affecting millions of consumers. During the first half of 2015, 32 state legislatures considered bills to significantly amend or enhance state laws on consumer data protection. At least 13 of those have made it beyond the governor’s desk, and of those still pending, many stand a good chance of being passed, in some form, in the fall term as the issue is one with broad bipartisan support.
The 2015 bills demonstrate the variety of state policy approaches to a common problem. Yet, for the most part, the bills reflect a few general trends in data protection:
- AG Involvement: Many of the new bills require the breached entity to provide notification to the State AG, at least when facing a breach that affects a certain threshold number of consumers. States differ on the number of affected consumers necessary to trigger the reporting requirements, or the number of days a company has to report after discovering the breach, but there is a clear trend toward greater AG authority to investigate data breaches and comment on companies’ data privacy policies.
- Encryption: The 2015 bills continue to focus on the issue of encryption, creating a safe harbor from liability for businesses that store data and personal information in encrypted format. The new Washington law goes even further: it identifies a minimum standard for encryption, and grants safe harbor only when the breach does not also provide access to the encryption key, or other capacity to decrypt the data.
- A Growing Universe of Covered Data: State legislatures continue to expand protection to a broader set of consumer data. For example, Nevada now protects health insurance identification numbers, state driver identification numbers, credit and debit card numbers, social security numbers, user names or email addresses with passwords, and bank account information; North Dakota added consumer birth dates, mothers’ maiden names, and employment identification credentials to the list of protected data. Other states want to include birth certificates, medical information, digital signatures, security tokens, and biometric information.
- Expanded Jurisdiction: The 2015 legislative efforts demonstrate a continued movement toward establishing liability not only for the owners of the data or the databases, but also for businesses that license, maintain, or simply access data, regardless of ownership (see e.g., Illinois S.B. 1833). Likewise, states are also expanding liability to businesses that maintain data on state residents, even if those businesses are not residents, and have no business in the state.
- Post-Breach Mitigation: A rapidly growing trend is the requirement that a business provide identity theft protection and loss mitigation services following a data breach for which they are at fault. Certain State AGs have required this on an ad hoc basis for the past few years, but the idea to codify loss mitigation started in California last year. As we indicated then, trends can spread quickly among state legislatures. Although states appear to be converging on a 12-month period for such protection (see e.g., Pennsylvania S.B. 753), some AGs may view these provisions as a floor, and insist on greater coverage for more severe breaches.
- Student Data Protection: Finally, states are also looking to expand protections for student-specific data. For example, Virginia H.B. 2350 would require the state department of education to create a model data security protocol to protect student data privacy, with the idea that it could then be adopted by school districts. New Hampshire H.B. 322, Utah H.B. 163, and North Dakota S.B. 2326 all attempt to create similar legislative frameworks for protecting students.
In this rapidly evolving area of law, policy makers are not always content to follow trends, but choose instead to get out in front of the next new problem. The lineup of 2015 bills provides a glimpse of new ideas that could find staying power among policy makers, including the following:
- Biometrics: Biometric data is beginning to make its way into legislative definitions of protectable personal information. For example, Oregon S.B. 601 looks to protect “data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris…” Wyoming S.B. 36 includes “data generated from measurements or analysis of human body characteristics for authentication purposes.”
- Mobile: States are also experimenting with provisions that specifically address mobile data issues. Connecticut S.B. 949 includes a provision that requires companies that sell smart phones to ensure the owner has the capability to lock out the phone when it is lost or stolen. Illinois S.B. 1833 contained a provision that would have expanded protected personal information to include geolocation data; however, that bill was vetoed by the Governor on the basis that guarding geolocation data was too onerous, and not in line with other states’ requirements. As more consumer activity migrates to the mobile web, we are likely to see more states try to address mobile-specific issues of data security.
- Secure Access Measures: In certain sensitive industries like insurance and banking, a few states have sought to require companies to use specific data security protocols, like multifactor verification, secure access controls, and internal security compartmentalization that prevents employees and third-party affiliates from accessing data outside the specific needs of their duties, and creates firewalls against hackers who gain access to one area of the system.
Harmonization or Amalgamation?
It is not too surprising that state policies addressing a rapidly evolving area of law—like consumer data privacy—will vary in their approach. As uniform federal legislation has failed to build consensus in Congress, and since State AGs are almost uniformly against federal legislation on this topic that would preempt state law, the baton remains in the hands of state legislatures.
Although it is still too early to determine whether a unified theory of data protection will emerge from the assorted state efforts, the business reality is that it might not even matter. As states focus their data breach jurisdiction on consumers, and businesses expand in a digital space without state lines, the stricter elements of each state’s data privacy regime will become part of an amalgamated national approach. Illinois Governor Rauner essentially acknowledged this in the text accompanying his veto of S.B. 1833, where he argued that Illinois need not require companies to post a privacy notice on their website, because California already does. Thus, for large and midsized companies, rather than customize privacy policies for each state where their consumers live, the goal will be to craft a single policy with maximum compliance.