
Legislative Heat Wave: A Mid-Year Review of Upcoming Cybersecurity Laws and Enforcement Activity

By Michael Bahar, Sarah Paul, Mary Jane Wilson-Bilik and Ali Jessani
August 01, 2019

While legislation to enhance data privacy rights and obligations continues to make headlines, regulators and legislators are also stepping up their cybersecurity expectations.

In the first half of 2019, a number of states have updated their existing data breach notification laws and passed new cybersecurity requirements. The Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) have also levied large fines and entered into important enforcement actions.

The developments form a number of clearly discernible trends.

First, states are expanding the definition of protected personal information. Beyond driver’s licenses, payment information and social security numbers, states are adding biometrics, medical records, usernames and passwords, among other data, to the types of information that, if compromised, require notification. This expansion is a particularly important trend, already witnessed in California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) — and one we should expect to continue.

Second, state regulators are looking to clamp down on the time that companies take to notify state agencies that a breach has occurred. While typical formulations had been “without undue delay” or “as soon as reasonably practicable,” states are now requiring more specific timeframes.

Third, state regulators are increasingly requiring that companies implement written security plans to address potential cyber threats and to appoint an individual to take responsibility for maintaining the plan. The U.S. Securities and Exchange Commission (SEC) and New York’s Department of Financial Services (DFS) have led on the requirement for written plans and the need for senior officer sign off, but many other regulators and legislators are following suit.

Finally, along with having general breach notification rules that apply to all companies, a number of state agencies are passing industry-specific legislation that requires companies to notify their primary regulator in addition to, or in lieu of, notifying the state attorney general. This is particularly true of the insurance industry, where a number of states are adopting the National Association of Insurance Commissioners’ (NAIC) data security model law.

The rest of this article identifies the key points within the major cybersecurity legislation passed in the last few months. It also highlights that many of these developments are reflected in federal enforcement and rulemaking as well, particularly with recent FTC and SEC actions against Facebook, and the recent FTC action against DealerBuilt.


New York

New York is poised to join the growing number of states in strengthening its existing cybersecurity laws. On July 25, Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Security (SHIELD) Act to require the development and implementation of a data security program and broaden notification and data security laws. The data breach provisions will go into effect on Oct. 23, 2019, while the updated data security safeguard requirements will be effective on March 21, 2020.

The new legislation, which applies not only to New York state entities but also to entities that store the private information of New York residents, requires enhanced steps to safeguard personal data by:

  • Expanding the notification requirement to apply to any breach that results in unauthorized access to personal information, regardless of whether any such information is actually acquired or stolen. This expanded standard means that an unauthorized individual viewing protected personal information would trigger breach notification requirements.
  • Requiring a data holder to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including the disposal of data (Data Security Program), tailored to the size and complexity of the business. One or more designated company employees must coordinate this Data Security Program.
  • Expanding the definition of “Private Information” to include the following data elements:
    • Account number, credit or debit card number, where such number could be used to access an individual’s financial account without additional identifying information, security code, access code or password;
    • Biometric information;
    • Username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

In addition, the new legislation clarifies that:

  • Notification is not required in the event of an inadvertent disclosure by authorized persons where such exposure is unlikely to result in financial or emotional harm or the misuse of the information (however, such a determination should be recorded and maintained for at least five years).
  • Separate notification to affected persons is not required if breach notification is made under other data security laws and rules, but notice needs to be provided to the state attorney general, the department of state and the division of state police (and within five business days for breaches involving information subject to the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act).
  • E-mail notification is not sufficient where the breach includes an e-mail address in combination with a password or security question and answer; online notification is required instead.

The new legislation also raises the stakes for non-complying entities by increasing the civil penalty to the greater of $5,000 or $20 per instance, up to a maximum of $250,000, for failed notifications and permitting action to be commenced within three years (as opposed to two years) of the attorney general becoming aware of any violation. The law will be enforced by the New York Attorney General and does not create a private right of action.


Washington

On May 7, 2019, Washington passed new legislation updating its existing cybersecurity law to expand the definition of personal information and change the current breach notification requirements. The law continues to apply to any person conducting business in Washington who owns or licenses computerized data that includes personal information and the amendments will be effective from March 1, 2020.

The new legislation requires enhanced steps to protect personal data by:

  • Broadening the definition of “Personal Information” to include the following data elements:
    • Any numbers or information that can be used to access a person’s financial account;
    • Full date of birth;
    • Unique private keys used to authenticate or sign an electronic record;
    • Student, military or passport identification numbers;
    • Health insurance policy or identification number;
    • Any medical information;
    • Biometric data; and
    • Username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
  • Changing the notification requirements:
    • To require any person who maintains or possesses data that includes personal information to notify the owner or licensee immediately of any breach;
    • To require AG notification within 30 days (previously it was 45 days) after the breach was discovered where more than 500 Washington residents are affected, with certain prescribed information including a summary of steps taken to contain the breach; and
    • To require consumer notification in the most expedient time possible without undue delay and no more than 30 calendar days after the breach was discovered.

The new law also clarifies that separate notification to the affected consumer is not required if breach notification has already been made:

  • For a breach that involves information subject to the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act; or
  • By a financial institution pursuant to interagency guidelines establishing information security standards.

Texas

Texas also updated its data privacy laws. On June 14, 2019, Texas adopted new laws requiring breach notifications and creating a new advisory council to monitor developments in privacy law. The new law goes into effect on Jan. 1, 2020. It is particularly noteworthy because it creates an attorney general notification requirement in Texas for the first time. Texas previously only had an insurance department notification requirement that only applied to domestic insurers.

The new Texas law will continue to apply to any person conducting business in Texas who owns or licenses computerized data that includes sensitive personal information, and the amendment provides that notifications should:

  • Be made to affected persons and the state attorney general if more than 250 Texas residents are affected, within 60 days from the date the breach occurred; and
  • Contain certain prescribed information.

Along with passing cybersecurity legislation, Texas’s new law also created a privacy council, which will be comprised of appointed residents from across industries who will study and evaluate national and global data privacy laws and make recommendations to the legislature for future privacy legislation. The purpose of the council is likely to determine whether Texas should pass comprehensive data privacy legislation, similar to the CCPA.


Illinois

Like Texas, Illinois did not have an attorney general notification requirement for private businesses (they did have one for state agencies), but that is also likely to change soon. On June 25, 2019, an update to Illinois data privacy law was sent to Governor J.B. Pritzker for his signature. Data privacy laws continue to apply to any data collector that owns or licenses personal information concerning an Illinois resident. Once in effect, the amendment will require that all data collectors that own or license personal information concerning Illinois residents shall notify the state attorney general if more than 500 Illinois residents are affected. Notification must be made in the most expedient time possible and without unreasonable delay, but in no event later than when the data collector provides notice to consumers.


Maryland

On April 30, 2019, Maryland updated its existing data privacy legislation to expand the required actions a business must take after becoming aware of a data security breach. The amendments, which will take effect from Oct. 1, 2019, include:

  • An express authorization to use the information subject to the breach for providing notification to national information security organizations created for information sharing purposes, in addition to the existing purposes of notification and data protection; and
  • A prohibition on a business maintaining or possessing computerized data from charging a fee for providing the owner or licensee of that data the information required to comply with notification requirements.

Arkansas

On April 5, 2019, Arkansas updated its data privacy laws to join a growing number of states to:

  • Include “biometric data” under the definition of “personal information;”
  • Keep a record of any determination of the likelihood of harm following a data breach; and
  • Notify the attorney general within 45 days after a determination has been made that there is a reasonable likelihood of harm following a breach of the security system affecting more than 1,000 individuals.

The new law went into effect on July 23, 2019.


Alabama and Mississippi

Alabama and Mississippi recently joined Michigan, Ohio and South Carolina as the most recent states to adopt the NAIC Data Security Model Law (NAIC Model Law 668). Model 668 is based on New York’s Department of Financial Services’ Cybersecurity Regulation, and it creates requirements for both data breach notification and written information security plans for all licensees of the insurance department (including insurers, insurance producers and agents, and third-party administrators), as well as a requirement that the licensee’s board of directors require executive management to develop, maintain and implement a cybersecurity plan. The law also creates special requirements relating to third-party service providers.

Alabama’s law was passed on May 1, 2019, and will partially go into effect a year later on May 1, 2020 (the third-party service provider requirements will go into effect in 2021). Mississippi’s law partially went into effect on July 1, 2019, though the requirements for third-party service providers will not go into effect until 2020 (the due diligence requirements for service providers are pushed back until 2021).


Federal Enforcement

The FTC’s and SEC’s recent settlements with Facebook, and the FTC’s recent settlement with DealerBuilt, further highlight that these trends — especially senior executive accountability — are a feature of federal regulatory expectations as well. In the DealerBuilt case, the FTC required the software developer to implement a written security plan and designate a senior executive accountable for ongoing cybersecurity in light of a hack that accessed the unencrypted personal information of over 12 million DealerBuilt consumers.

Regarding Facebook, the FTC recently fined the social media giant five billion as part of a consent order — the largest penalty ever levied against a tech company — and it imposed strong senior officer accountability measures. The FTC will require Facebook to establish an independent, senior privacy committee within its board of directors, and Facebook will have to designate Board-approved privacy compliance officers. Furthermore, the new compliance officers and Facebook CEO Mark Zuckerberg will both be required to independently provide the FTC with quarterly certifications that the company is in compliance with the privacy program mandated by its consent order.

On the same day that the FTC’s settlement with Facebook was announced, the SEC announced a separate settlement with the company. In the SEC’s resolution, Facebook agreed to pay the SEC $100 million to settle claims that the company had made misleading disclosures regarding the risk of misuse of Facebook user data. The SEC reached a similar resolution with Altaba Inc., the company formerly known as Yahoo, last year, but in that case the disclosures at issue related to a massive data breach. The SEC’s complaint against Facebook is more expansive from a privacy perspective, in that the disclosures in question related not to a breach or a hack, but rather to a third-party developer’s improper transfer of user data.

In addition, the FTC announced that it will be soliciting comments on the Children’s Online Privacy Protection Act (COPPA), including on its 2013 amendments, which included an expanded definition of personal information.


Conclusion

We’re just a little more than halfway through 2019 and the trend lines are clear. What stands out the most is that cybersecurity remains top of mind for legislators and regulators alike — as it must for companies.

Ultimately, companies would do well to recognize these trends and stay current — if not get out ahead of them. Falling behind, however, will become increasingly costly.

*****

Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council.

Sarah Paul, a partner at Eversheds Sutherland (US) LLP, currently advises clients on cybersecurity and privacy law issues, and is a former federal prosecutor who served for nearly six years in the Complex Frauds and Cybercrime Unit of the U.S. Attorney’s Office for the Southern District of New York.

Mary Jane Wilson-Bilik, a partner at Eversheds Sutherland (US), has over 25 years of experience advising financial services enterprises on cybersecurity and privacy issues.

Ali Jessani is an associate at Eversheds Sutherland (US) and advises clients on matters relating to cybersecurity, data privacy and law and technology.
