On demand 1h 00s Basic

Cybersecurity and Data Privacy Law: The Basics

As data breaches continue to proliferate, state legislatures across the country have strengthened their existing data privacy and protection statutes, or have created new ones, with an increased focus on consumer protection. This program will provide an overview of trends in this legislation, with an emphasis on how the states are shifting their focus towards comprehensive data privacy laws that put more control over how personal data is used into the hands of consumers. The program will also provide an overview of cyber best practices, and how those practices translate into statutory best practices.

Transcript

- Hi, everyone. My name is Daniel Marvin. I'm a partner at Kennedys in the cybersecurity and data privacy and protection practice. My practice involves the entire life cycle of data security and privacy, including helping organizations work on the legal and cyber infrastructure by drafting appropriate policies and procedures, including employee policies, written information security programs, incident response plans, and third-party vendor policies. I also assist clients in incident and data breach response, as well as any regulatory investigations or litigations that may arise from an incident, including the defense of class action litigations. Today we're going to talk about the basics of cybersecurity and data privacy law. By basics I mean that we're going to go over the elements of the law in the United States, which concerns three basic categories. The first is that there are laws that concern how organizations need to protect their data and the personal information of their employees and customers. Next, there are laws that involve how organizations are to notify individuals in the event of a data incident or breach that involves their personal information. Finally, there's been a trend in the United States over the past few years, and really throughout the world, in the enactment of laws that are designed to give individuals more control over what organizations do with the data they possess. So those are the three basic categories we're gonna talk about today. Now, as far as the legal landscape in the US, there is no single federal law regulating the collection and use of personal data or rules governing breach notification. There have been many attempts to introduce legislation in Congress and they have all stalled. So organizations are left with a patchwork of state laws as well as federal laws that are industry-specific. A few of those which we will briefly discuss today are HIPAA and the GLBA.
But there are also industry guidelines and other regulatory guidelines developed by governmental agencies that are part of some regulatory frameworks and best practices. And we'll be discussing those today as well. In addition, all of the states in the US, as well as the District of Columbia and Puerto Rico, have breach notification statutes, which require the notification of residents in the event of a breach, and many states also have their own state-specific data protection laws that require companies that are in possession of personal information, or PII as it's called, of state residents to safeguard that information. I always begin these talks with a discussion of the NIST standards, or the National Institute of Standards and Technology. NIST is an agency of the Department of Commerce. And years ago, they put out cybersecurity guidelines for critical infrastructure in the United States and eventually adapted those guidelines for small businesses. And they really apply to all businesses. And these guidelines, which you can find on the NIST website, provide basic advice on how companies can secure their information systems as well as networks. And as we go forward with today's presentation, you'll see how the NIST framework is relevant to the statutory framework that's been set up in the US. So the NIST framework has five basic elements: identify, protect, detect, respond, and recover. All of these elements deal with risks. How can organizations identify risks, protect against risks, detect them, respond to them, and of course recover from them? So what are the elements of these things? Well, first is to identify risks, and that's going to be different for every organization depending on its size, the nature of its business, and the type of information it collects. But a risk assessment is a vital and necessary element of any cybersecurity program. Organizations need to identify what information they store and what its value is.
They need to identify their threats and vulnerabilities, where their systems may be weak. And it's also important, of course, to know where the systems are strong. Organizations need to identify if access to databases containing PII is limited to just those employees with a business need. And this is an area where many organizations have gotten into trouble by allowing access to information to employees who don't necessarily need it in their everyday work. Next is to identify if there are any policies and procedures for information security to identify acceptable practices and expectations for business operations. This is really a written information security program, employee policies, the kinds of things I mentioned before that I work on in my day-to-day practice. It's important to have this written documentation. So if an organization ever needs to demonstrate that they've been reasonable in how they're carrying out their cybersecurity practices, they're able to do that. Next, organizations need to protect their information by doing a number of things. And these things may all apply to your organization. Some may apply, and there may be others that are not on the list in front of you that apply. But some of the most critical things are limiting employee access to data, making sure operating systems and applications are patched on a regular basis, having firewalls installed on networks, and making sure wireless access points and networks are secured. And over the past few years, with more and more people teleworking, making sure that access points in remote telework locations are secured has been an issue that many companies are grappling with, 'cause companies have gone from just a few access points at the physical location to potentially hundreds or even thousands of new access points throughout the workspace where their employees live. Setting up email and web filters is also vitally important, as well as the use of encryption.
Many of the statutes we'll be talking about today have encryption safe harbors, which don't require breach notification if the data which was compromised was encrypted. How companies dispose of old computers and media in a safe way is also vitally important. Information needs to be disposed of in a way that makes PII and other confidential information indecipherable, whether that be in physical or electronic form. The use of passwords is really a given in today's day and age. I'll add, I think that multifactor authentication is something that needs to be used in all instances. And of course the training of employees and having written policies and guidelines that employees follow is also of vital importance. Detecting, responding to, and recovering from risks is the next portion of the NIST framework. And what's most important about this is having both the technological and written framework to make sure that organizations can respond to risks in a timely, efficient and complete way. Cyber insurance is also, in my opinion, a critical portion of any response and recovery plan. And also of vital importance is having full backups of important business data and information. If a company is hit, for example, with a ransomware attack which locks up the data, or even worse, deletes all that data, a full and daily backup can eliminate a lot of the headaches which come with those sorts of threats. Now we're going to talk a little bit about the evolution of cybersecurity law in the United States. While many states have had cybersecurity and data protection laws in the past, the first big law, and by big, I mean the law that became the most well known and really set the tone for other laws across the United States, was the New York State Department of Financial Services' requirements for financial services companies.
This law was first introduced in 2014 and was enacted in 2015 and applies to any organization which is regulated by the New York State Department of Financial Services. Now that involved many, many banks and insurance companies, as many of them had their headquarters in New York, as well as other smaller companies, such as mortgage brokers and other types of financial companies that are licensed in New York. The DFS regulations require these companies to adopt a cybersecurity program to protect sensitive and confidential data. Now the DFS regulations required that the program perform, among other things, the following functions: identify and assess internal and external cybersecurity risks, protect information systems and non-public information from unauthorized access, detect, respond to and recover from cybersecurity incidents, and fulfill applicable regulatory reporting requirements. You can see from this list that the DFS essentially took inspiration from, if not copied, these requirements from NIST. You can see here: identify, protect, detect, respond, and recover. And many other statutes in the United States followed the DFS framework, including the National Institute of Insurance Commissioners, who, I'm sorry, National Association of Insurance Commissioners, who put out their model guidelines, which also followed the DFS and NIST model. DFS requires, as does just about every cybersecurity law, that covered entities periodically undertake a comprehensive risk assessment. Now I recommend that companies do this every 12 to 18 months, depending on their size. And as cyber threats evolve and get more sophisticated as time passes, it's important that companies also evolve to keep up with the pace of the cyber threats. So companies need to continually assess the security of their information systems. They need to evaluate the adequacy of their existing controls. They need to continually update their cyber infrastructure and the technology that they're using.
And they need to determine how the risks that are identified will be mitigated, or in many instances, accepted by the company. There are many risks that companies face. And in some circumstances, if a company mitigated to the full extent every single risk that they faced, it would severely hamper their ability to operate and conduct their business operations in the most beneficial way. So many companies do accept some risks, often with the advice of counsel, which is okay, as long as they're reasonable risks that don't, in the long run, severely hamper the company's health. DFS went through some of the elements that companies should include in their policies. We've mentioned the risk assessment. Equally important is having an incident response plan. Every company should have this, whether it be a one-page document or a 30-page document. In the event of an incident, companies need to make sure that they have all of the information, including phone trees, if necessary, and important contact numbers, including their insurance broker or an attorney or law enforcement agencies. They need to have a plan on how they can keep their business operational and respond to the threat in an efficient and timely manner. Asset inventory and device management is also very important. Companies need to make sure that they know what devices have personal data on them. And that includes everything from mobile phones to laptops to the computers they're using in the office. Access controls and identity management are also very important. And I mentioned that before. Organizations should make sure that they are limiting access to systems to only those with a need to use them. Systems and network security is also very important. Vendor and third-party service provider management is also important. More and more breaches nowadays are happening through vendors and third-party service providers.
So having agreements in place that mitigate risk in the face of a vendor having a data breach is very important. And those risks could be mitigated through requiring these vendors to indemnify the company in the event of a breach, having them added as an additional insured on the policies, and other ways which can be set forth in these contracts. So that summarizes the DFS cybersecurity guidelines. And we'll move on now to the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. We're only gonna talk about HIPAA for a very brief moment, but I will say that HIPAA is a very large statute and really could lend itself to its own presentation, probably multiple presentations, to go over some of the nuances. But in essence, the HIPAA regulations require healthcare providers as well as their business associates, and the business associate is defined in the statute, essentially, as any company that receives personal information from a HIPAA-covered entity, to develop and follow procedures to ensure the privacy and security of protected health information. HIPAA has both privacy and security requirements and applies to all forms of personal health information, including paper, oral, and electronic records. Over the years, health information has been a highly targeted source of information to threat actors, as it contains the most personal details of patients, which can be used for identity theft and even blackmail, among other things. So it's important to know that if your organization deals with this type of information, it follows the HIPAA guidelines. It's a rare instance where a healthcare provider is not aware of, if not following, the HIPAA Act, but what's less prevalent, sorry, more prevalent, is companies not realizing they may be handling this type of information. So it's something to definitely be aware of. Next we're going to talk about the Gramm-Leach-Bliley Act, which is another federal law which is industry-specific.
This law requires companies that are engaged in financial activities, such as the offering of loans, financial or investment advice, and other types of activities, to explain their information-sharing practices to their customers and to safeguard sensitive data. The GLBA is enforced by a number of federal regulatory agencies, including the FTC, the FCC, the Office of the Comptroller of the Currency. And what's interesting is that the GLBA regulation itself is pretty short in text if you were to look up the statute. But the enforcement guidelines are much larger. And it's important that a financial services company know its regulatory body, the enforcement agency, and make sure that it follows those guidelines. I'll also mention the Safeguards Rule under the FTC Act, because the FTC essentially has jurisdiction over just about every organization in the United States, 'cause it deals with consumer protections. So the Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. And in addition to developing their own safeguards, companies are responsible for taking steps to ensure that their affiliates and service providers safeguard information in their care. And there have been many instances where not doing that can lead to an unfair or deceptive practice case filed by the FTC against these companies pursuant to Article 5 of the FTC Act. We're now gonna move on to talking a little bit about some state laws. And I'm using the SHIELD Act, which is the Stop Hacks and Improve Electronic Data Security Act, which was enacted into law in March of 2020 in New York, as a guideline for other states, 'cause it's a comprehensive statute that has many of the elements of other state statutes. So if you look to the state statute where you're located, or that you're looking into for your client, you'll see many of these elements in those statutes.
The SHIELD Act has both data privacy and data breach notification elements in it. Those two regulations used to be separate in New York and the SHIELD Act merged them into one. So your state might have two, I might have one, but the elements will be the same. So the SHIELD Act requires businesses that own or license New York residents' private information to provide notification to a resident in the event of a cybersecurity incident, irrespective of whether the company conducts business in the state. And you'll see that mimicked in other statutes across the country. These breach notification statutes are designed to protect the personal information of residents of the state, irrespective of whether the company does business in the state. And that's been a change in the evolution of the statutes through the years. The SHIELD Act added biometric data and email addresses with associated passwords or security questions to the definition of private information. A little bit further down in this presentation, we're going to talk about how private or personal information is defined in many statutes. But it's important to know that this definition is changing as technology advances and the ability for a threat actor to compromise the identity or financial information of an individual changes. So biometric data includes such things as voice prints, fingerprints or facial recognition scans, for example. And these things are being added, to the extent they're not already, into the definition of PII in statutes, and companies are required to safeguard that information. The SHIELD Act requires breach notifications to New York residents when there is unauthorized access of private information. So some states require breach notification when there's access. In other words, when the information is viewed. Other states require notification when there's actual acquisition, or the taking of information. So it's important to be aware of that distinction.
It's also important to know that many states have enacted what is known as a risk of harm analysis. In other words, even if there is unauthorized access or acquisition of personal information, organizations can undertake a risk of harm analysis. If they determine, based on the incident, that there is no reasonable risk that individuals could suffer identity theft or financial harm based on that incident, then notification is not required. Now when that happens, some states require you to send a notice to their attorney general letting them know that you've undertaken that risk of harm analysis and no notification will be required. And at least one state, Florida, requires that law enforcement be involved before that determination can be made. So again we're seeing how the states really handle these issues differently. And it's important to know what state you're dealing with when you're undertaking your analysis. So the SHIELD Act also requires businesses to implement reasonable safeguards to protect private information. And the act sets out three categories of businesses, recognizing that all companies are not built the same, and a very, very large Fortune 50 company may have the resources to, and need for that matter to, undertake a really, really comprehensive cybersecurity infrastructure, and a small mom and pop business may not have that. So one category of businesses are compliant regulated entities. And this is another theme we see in statutes across the country. If there's an entity that can demonstrate compliance with another data security statute, such as the GLBA, which we've talked about, or HIPAA, or even the cybersecurity regulation by DFS, then those organizations are automatically deemed to be in compliance with the SHIELD Act. The next category of company are really the small companies that have fewer than 50 employees, or less than $3 million in gross annual revenue, or less than five million a year in assets.
These companies have to undertake a security program that contains reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the business. But this is a very vague requirement, and it doesn't specify exactly what these companies need to do, because a company of this size generally is gonna have very specific things that it needs to do to secure data. And DFS recognizes that, and recognizes that the resources it has to, for example, hire an outside CISO or things of that nature might not be there. The next category is essentially everyone else. So if you're not a compliant regulated entity, I'm sorry, if you're not an entity that's regulated by another statute, or if you're not a small business, then you also have to undertake a data program that has reasonable administrative, technical and physical safeguards, but you have to have a few specific things. You have to have an individual who's responsible for coordinating the program. You have to have an identification of internal and external risks. You have to have a risk assessment. You have to have employee training. And you have to undertake that vendor, third-party vendor analysis, and make sure you're only doing business with service providers that are capable of maintaining appropriate safeguards. We're going to shift a little bit from talking about data protection statutes and breach notification statutes to the third type of statute, which has gained a lot of steam in the United States, really in the past four or five years. And those are statutes that give consumers control over the data that companies maintain on them. These statutes really have a genesis in the EU General Data Protection Regulation, or the GDPR, which was implemented in the EU in 2018. It was first introduced in 2016 and companies had a few years to figure out how they were going to comply. And it was implemented in May of 2018.
So the EU, the GDPR, applies to the processing of personal data of data subjects in the EU by a controller or processor who are not established in the Union when the processing activities are related to either the offering of goods and services or the monitoring of behavior in the Union. You can see in the slide in front of you how the words processing, personal data, data subjects, controller, and processor are in quotes. And that's because the GDPR really introduced new types of definitions for some of these elements. The first thing it did was broadly define personal data as any information relating to an identified or identifiable natural person. In the United States, the PII which needed to be protected under most statutes were the traditional elements you may think of with PII: social security numbers, driver's license numbers, financial account information, and other very important elements that could lead to data theft. And as I mentioned before, we've seen a bit of an evolution where biometric data may be covered, but in the EU, it's any information that could relate to an identifiable person. That could be anything from a Twitter handle, a Facebook name or geolocation data. It's very, very broad. It could be a telephone number. It could be an IP address. It could be login information. So that's something to be cognizant of, 'cause that definition has been carried over, to some extent, into the United States. Now data processing in the EU is any operation or set of operations performed on personal data, and that includes the storage of data. So when you hear the word processing, it's really an active word, but it deals with, in the EU, passive activities such as the mere storage of data. So if you, or if your client, is dealing with information in the EU, it's important to see if they are subject to the GDPR. So what rights did the EU give consumers? Well, the GDPR says that consumers have the right to access the information that companies keep on them.
They have a right to rectify information if it's incorrect. They have a right to have that information erased. They have a right to object to the use of the information. And they have a right not to be subject to automatic or automated decision-making. What that means is companies can't aggregate data and then have the computer make a decision on how that data is going to be used. For example, if someone's applying for a loan, and they submit their information via computer, a computer can't make a decision on whether or not that loan is going to be granted. A human has to be involved somewhere in the process. And so how can data be used in the EU? Well, data can be used for any lawful purpose. And that includes pursuant to the performance of or entry into a contract, if there's a requirement to comply with an EU member state law, to protect the vital interests of the data subjects, or if it's in the public interest to use that information. But you'll see, as it's in the slide, in all of the instances specific, explicit, informed, unambiguous consent has to be freely given by the individual. So with the use of all those words, specific, explicit, informed, and unambiguous, you can see how seriously the EU takes the lawful use of data. Now we're going to talk about the CCPA, or the California Consumer Privacy Act of 2018. Now this is a law similar to the GDPR that is consumer-oriented. It's designed to give consumers in California the ability to control how their information is being used by organizations. This law took effect on January 1st, 2020, and gives four basic rights to consumers relating to the collection and use of their personal information. And as we go through these rights, you will see they draw similarities to the rights that the EU gave its citizens through the GDPR. California residents have a right to know what personal information a business has collected, how it's being used, to whom it's being sold or disclosed, and the source of the information.
These residents also have the right to opt out of allowing businesses to sell that personal information to third parties. Now this is also very different than in the EU, where consumers actually have to opt in to allowing businesses to sell their personal information to third parties. You may recall a few years ago, when the GDPR was first introduced, you were getting emails from many organizations or popups on websites asking you to opt in to the use of your personal information by those websites and organizations. And that's all because of the GDPR. But in the US, or in California at least, they went with an opt-out standard. Consumers in California also have the right to have a business delete their personal information, and the right to receive equal service and pricing from a business even if they exercise their privacy rights under the act. So companies in California can't discriminate against consumers just because those consumers decide to exercise their rights. An issue with the CCPA that many consumers, I'm sorry, businesses faced with the enactment of the statute was how they were going to implement internal processes to timely respond, within the timeframe set by the CCPA, to consumer requests. Companies, many companies, have data spread in many different places, and to respond to a consumer request required aggregation of that data from these places, which was a difficult process to figure out and undertake, in particular for very large organizations. So that is a challenge that companies faced and are still facing. Another thing to be aware of is that many states have data and document retention requirements outside the CCPA. So organizations can't just delete certain information on a consumer request if another regulation or statute requires retaining that information. Now this is especially prevalent in the financial services industry.
So it's important to view the CCPA through the prism of other statutes that your clients may be subject to, and develop a comprehensive data security and data processing framework for them to work under. Now the CCPA defines personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. You can see how this definition bears similarity to the GDPR and really bears no similarity to the other statutes we discussed, including really any other state statute in the United States. Some of the things to be cognizant of when dealing with the CCPA are not only names and aliases and IP addresses, but biometric information, geolocation data, audio, electronic, visual, even thermal, or similar information (here, we're talking more of the biometric information), professional, employment or educational information. And finally, any inference drawn from the information identified to create a profile about a consumer. So many organizations, particularly those in marketing and sales, will use information that they gain regarding the consumer and profile those consumers in order to offer targeted advertising. That sort of information is considered personal information under the CCPA and is subject to the statute's protection. The CCPA also mandates that consumers have the right to, excuse me, consumers have the right to have businesses that are subject to the statute make affirmative disclosures about how they will respond to verifiable consumer requests, with individualized disclosures about the business's collection, sale or disclosure of PII. If you go into a website of an organization that is subject to the CCPA, you will see at the bottom of every page a link to their CCPA policy, and those policies will contain these types of affirmative disclosures.
The CCPA also guarantees consumers the right to access a copy of specific pieces of information that a business has collected about the consumer. And that information has to be delivered either by mail or electronically. And again, this is an issue that organizations had to face when they have information scattered in many different places regarding a consumer. As I mentioned, consumers may opt out of the sale of their personal information to third parties. And in order to implement a feasible system, businesses need to separate consumer personal information that they wish to sell into at least two categories: information of consumers who have opted out, and those who have not opted out. Again, this has been a challenge to many companies. It's been expensive, but it's something that they have to do to be in compliance with the statute. Naturally, many companies may also keep data on non-California residents, and that leads to a quandary in these companies, 'cause it opens up a third category of data in systems that the company may need to keep. And that is a category of personal information for non-California residents. So you can begin to see how this can become a challenge for organizations. Covered businesses in California are obligated to honor deletion requests unless it's necessary to maintain the PII for certain purposes set forth in the statute, and among those statutes are, among those reasons are, what I noted before: the requirement to keep the information for other business purposes. Importantly, the CCPA created a private right of action arising out of a data breach. Covered businesses are liable in a lawsuit for the unauthorized access and exfiltration, theft, or disclosure of certain categories of non-encrypted or non-redacted personal information. Now the statute actually limited the private right of action to the more traditional aspects of PII, including social security number and things of that nature.
But importantly, the statute mandated that consumer harm isn't necessary to sue under the CCPA's private right of action. So it's almost a strict liability threshold. Outside of the private right of action, the California attorney general under the CCPA, and that actually evolved with the CPRA, which we'll talk about in a second, has enforcement power under the act. As I mentioned, you'll see in the next slide that liability under the private right of action in the CCPA, as I mentioned, only deals with social security number, driver's license, account number, medical information, or health insurance information. In 2020, there was a ballot initiative that was approved by California voters that goes into effect on January 1st, 2023. This is called the CPRA, which amends and broadens, if not replaces, the CCPA. Many of the elements are the same, but there are some that are new. Well, who's covered by the CPRA? If you're an organization that has annual gross revenue of over $25 million a year, or sells or shares the personal information of 100,000 or more consumers or households, or derives 50% or more of its annual revenue from selling or sharing California consumers' personal information, you are subject to the CPRA. Notably, the threshold in the CCPA was 50,000 or more consumers or households. And that's been changed in the CPRA. So organizations, before they really become, I guess, nervous about the CPRA, should ensure that they're actually subject to the CPRA given these minimum thresholds. The CCPA was also changed by the CPRA to the extent that the CCPA only dealt with the sale of personal information, and the CPRA deals with the sharing of personal information. So the CCPA defines sale as you would expect: the selling, renting, releasing, disclosing of information from one business to another business for monetary or other valuable consideration.
And the CC, I'm sorry, the CPRA defines sharing as the renting, releasing, disclosing, transferring, or communicating personal information, whether or not for monetary or valuable consideration, to another third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. So what this does, it brings more and more businesses under the purview of the CPPA, now the CPRA. Most of the rights under the CCPA were extended to the CPRA, including the right to opt out of businesses selling data. But as you would expect, the CPRA expanded that right of opt out to the sharing of personal information. And as discussed, we just went over that definition. The CPRA also requires businesses to send any deletion request to third parties that bought or received, in other words, if the information was shared, the consumer's personal information. The CPRA also mandates that a consumer can request that a business transfer specific personal information to another entity. The CPRA, as did the CCPA also, had certain provisions for information belonging to a minor. The CCPA required that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years old. And the CPRA requires that businesses wait 12 months before even asking a minor consumer for consent, and selling or sharing their personal information after the minor has declined, and states that the opt-in right must explicitly include the sharing, again, this is sharing in the CPRA, of data for cross-context behavioral advertising. A consumer also has the right, under the CPRA, to request that a business correct any inaccurate personal information. The CPRA also followed the GDPR in a few other ways. It'll knock you to purpose limitation. 
Organizations may only collect consumers' personal information for specific, explicit and legitimate disclosed purposes, and should not further collect, use, or disclose the information for reasons incompatible with those purposes. So the disclosures that these companies, or that any companies put out that are public facing need to show what exactly they're doing with information and how it's going to be used. There's also a storage limitation requirement that addresses the length of time the business intends to retain each category of personal information, including sensitive personal information. And if that's not possible, the criteria used to determine such a period, provided that the business shall not retain a consumer's personal information or sensitive PII for each explored purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. That's a bit of a mouthful, but it's essentially purpose limitation: keep the information for as long as needed. That's essentially a short way of putting what that provision means. A few other things we'll run through real quick. The CCPA entitled consumers to know about the categories and pieces of information collected and installed by a business as noted, and is important. The CPRA expanded that to sharing. It's also important, under the CPRA, that businesses include the retention period for each category of personal information. And we sort of just went through that, but it's definitely worth repeating here. Organizations that are subject to the CPRA must have a do not sell link on their website. I'm sorry, that was under the CCPA. Under the CPRA, that has to be changed to do not sell or share my personal information. The CPRA also maintained the private right of action and uses a definition of personal information from California's data security law. 
Not the definition which is found in the CCPA, but included username and email address together with password or security question and answer that would permit access to the account to augment the prior definition. So the CCPA, I'm sorry, it gets a little confusing with the acronyms, the CPRA corrected that apparent deficiency in the CCPA. If a business collects sensitive personal information, consumers have the right to direct that business to limit use of that sensitive personal information to what's necessary or reasonably expected in order to perform the service or provide the goods for which it's collected. In that regard, the CPRA created a new right relating to sensitive personal information. And when a business uses or discloses sensitive personal information beyond what is necessary or reasonably expected, the business must provide notice to the consumer of the additional specified purpose and of the right to limit the use of that disclosure. It must be a clear and conspicuous link on the business's internet homepage, titled limit the use of my sensitive personal information. So again, you will see this starting to pop up, if not already, on different websites as you browse them. Now as the CCPA was enforced by the California Office of the Attorney General, as I mentioned before, the CPRA establishes the Consumer Privacy Protection Agency which is really the first agency of its kind in the United States dedicated to the consumer protection of personal data. We're going to be wrapping up shortly. But before we do that, it's important to note that the CPRA and the CCPA, for all intents and purposes, have been mimicked throughout the country in many states and will continue to be. Virginia has introduced the Consumer Data Protection Act effective January 1st of 2023. Colorado has also introduced a similar act which will be effective July 1st, 2023. On that date, Connecticut has a similar act which will be enacted. 
And Utah has an act that will be enacted at the end of December of 2023. These statutes all share a number of similarities. They all have the right to access, which we spoke about earlier. They all have the right to correct, the right to deletion, the right to data portability, the right to opt out of the sale of information, and the right of non-discrimination. These statutes modeled their provisions on the CCPA, so you'll see many similarities in the language and tone of these statutes to the CCPA. For example, these statutes all have purpose limitation requirements, data minimization requirements, de-identified data requirements, disclosure of sale of information requirements, privacy notice requirements, and assessments regarding data protection. Now there are data protection elements built into the statutes, but as I mentioned before, these statutes are inherently designed to allow consumers control over their data. However, there are some differences among these statutes, in that one size fit all in all respects. For example, sensitive PII consent, affirmative consent by a consumer for the use of sensitive PII is necessary in Connecticut, Colorado, and Virginia. And it's a known Utah where consumers can opt out and in California where consumers can limit what is reasonably necessary. All of these statutes have special requirements for the use of the information of minors with different age requirements. It's 16 years of age in Connecticut and California, and 13 years of age in Utah, Virginia, and Colorado. All states, with the exception of Utah, have data protection assessment requirements. It's important to also look to the statute to see where the exemptions lie. As in California, there's a resident and money threshold. There's exemptions for FCRA information, the GLBA institutions or data; some of these statutes have exemptions if you're an institution regulated by the GLBA, other statutes, in other statutes, it just concerns GLBA data. 
HIPAA-covered entity, a business-associated data may be exempted. Business to business data is exempted. Higher education information may be exempted. Nonprofit information may be exempted. Employee or applicant data may be exempted. So where does all of this leave us? It leaves us in a situation where organizations are going to be subject to many different statutes. This patchwork of requirements throughout the country can lead to a lot of headaches. Compliance with one statute, for example, the CCPA and CPRA, takes a lot of work. But when you're dealing with many statutes, it can become an overwhelming task. And it's important for organizations to get ahead of these issues. Some of these statutes aren't coming into effect until the beginning or end of 2023, but the work on implementation and how organizations are going to deal with these statutes should begin now. Organizations should make sure they have a reliable insurance broker, an attorney available to answer questions that they may have regarding any of these statutes. Even doing an incident response requires an in-depth look at the circumstances surrounding whether response or notification is required in the first place. And if so, which states need to be notified. It may be state residents. It may be state attorneys general. Then an analysis has to be undertaken of the requirements under each state's laws and make sure it's being done properly. I always tell organizations that the first step in their analysis is to see if they're subject to any industry or state-specific data security requirements. And if so, of course comply with them. And they have to get a handle on the states in which they're collecting data. Not just the states in which they're collecting data, but where the residency of the consumers or individuals are, where the data is that they collected. Now we've gone through a lot of information today. 
As I mentioned before, one of these statutes lends itself to an entire CLE, but what I hoped to give in this presentation was a very high-level overview of where data protection and privacy law is in the United States. And I think we've done that in giving an analysis and overview of just about every statute which exists. If you have any questions on this presentation, I'm sure my email address will be provided. I'll also give it to you now. It's [email protected]. I'm always happy to discuss either this presentation or data privacy and protection issues in general. Thank you for joining today.

Presenter(s)

DM
Daniel Marvin
Partner
Kennedys Law LLP

Credit information

Jurisdiction        Credits                              Available until                       Status
Alabama             -                                    -                                     Not Offered
Alaska              1.0 voluntary                        -                                     Pending
Arizona             1.0 general                          -                                     Pending
Arkansas            1.0 general                          -                                     Pending
California          1.0 general                          -                                     Pending
Colorado            1.0 general                          -                                     Unavailable
Connecticut         1.0 general                          -                                     Pending
Delaware            -                                    -                                     Not Offered
Florida             1.0 technology                       -                                     Pending
Georgia             1.0 general                          -                                     Unavailable
Guam                1.0 general                          -                                     Pending
Hawaii              1.0 general                          -                                     Pending
Idaho               -                                    -                                     Not Offered
Illinois            1.0 general                          -                                     Pending
Indiana             -                                    -                                     Not Offered
Iowa                -                                    -                                     Not Offered
Kansas              1.0 general                          -                                     Pending
Kentucky            1.0 general                          -                                     Pending
Louisiana           1.0 general                          -                                     Pending
Maine               1.0 general                          December 31, 2026 at 11:59PM HST      Pending
Minnesota           -                                    -                                     Not Offered
Mississippi         -                                    -                                     Not Offered
Missouri            1.0 general                          -                                     Pending
Montana             -                                    -                                     Not Offered
Nebraska            -                                    -                                     Not Offered
Nevada              1.0 general                          December 31, 2025 at 11:59PM HST      Approved
New Hampshire       1.0 general                          -                                     Pending
New Jersey          1.2 general                          January 16, 2025 at 11:59PM HST       Approved
New Mexico          -                                    -                                     Not Offered
New York            1.0 areas of professional practice   -                                     Pending
North Carolina      1.0 general                          -                                     Unavailable
North Dakota        1.0 general                          -                                     Pending
Ohio                1.0 general                          December 31, 2024 at 11:59PM HST      Approved
Oklahoma            -                                    -                                     Not Offered
Oregon              1.0 general                          August 31, 2025 at 11:59PM HST        Approved
Pennsylvania        1.0 general                          -                                     Pending
Puerto Rico         -                                    -                                     Not Offered
Rhode Island        -                                    -                                     Not Offered
South Carolina      -                                    -                                     Not Offered
Tennessee           1.0 general                          -                                     Pending
Texas               1.0 general                          -                                     Unavailable
Utah                -                                    -                                     Not Offered
Vermont             1.0 general                          -                                     Pending
Virginia            -                                    -                                     Not Offered
Virgin Islands      1.0 general                          -                                     Pending
Washington          1.0 law & legal                      August 31, 2027 at 11:59PM HST        Approved
West Virginia       -                                    -                                     Not Offered
Wisconsin           -                                    -                                     Not Offered
Wyoming             -                                    -                                     Not Offered