Now that the European Union’s General Data Protection Regulation (GDPR) has taken effect, many businesses are dealing with the inevitable post-compliance hangover, while others are breathing a sigh of relief that they were not affected. Those businesses should remember that, although they may not be subject to the GDPR, and although there is no universal federal data protection law in the United States akin to the GDPR, there is still a significant number of federal and state data privacy laws to which they may be subject. In the health care industry, for example, data privacy rules are baked into the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The same holds true for the financial services industry with respect to the Gramm-Leach-Bliley Act. In addition, the impact of the New York State Department of Financial Services’ Cybersecurity Regulation has been widely felt across the insurance and financial services sectors, and South Carolina just passed the nation’s first insurance industry cybersecurity law, based on the National Association of Insurance Commissioners’ Insurance Data Security Model Law.
While the foregoing laws are better known, what is less well known is that many states have enacted their own data protection laws that apply to all businesses, and in the absence of action by Congress on a federal law, the list is growing. Arkansas, California, Connecticut, Florida, Indiana, Kansas, Maryland, Massachusetts, Minnesota, Nevada, New Mexico, Oregon, Rhode Island, Texas and Utah already have their own data protection laws, which require companies that possess the personal information of state residents to safeguard that information. Colorado will join that list on September 1, 2018, when its recently signed HB 1128 goes into effect. Vermont also just passed legislation that will require data brokers (companies in the business of aggregating and selling data about consumers with whom they have no direct relationship) to register with the state, give consumers more control over their data, and implement a comprehensive written data security program. And in a November ballot initiative, Californians will vote on the California Consumer Privacy Act, which, if enacted, would become the broadest data privacy law in the United States. While some state statutes are very general and a few are quite specific, they all require organizations to implement safeguards to protect the personal information of state residents.
On the general end of the state data protection law spectrum are states such as Utah and Rhode Island. The Utah Protection of Personal Information Act provides that “any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business…” Rhode Island’s Identity Theft Protection Act of 2015 similarly states that “a person who stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures…” As can be seen, Utah and Rhode Island both set forth general requirements based on an undefined “reasonableness” standard, leaving businesses to determine on their own what is needed to meet that standard.
On the other end of the spectrum is Massachusetts (along with Nevada), which has arguably the toughest state data protection law in the country. In particular, Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth provide that “every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program…” that shall include, but shall not be limited to:
- designating one or more employees to maintain the comprehensive information security program
- having a means for detecting and preventing security system failures
- developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises
- imposing disciplinary measures for violations of the comprehensive information security program rules
- preventing terminated employees from accessing records containing personal information
- overseeing service providers, including requiring them, by contract, to implement and maintain appropriate security measures for personal information
- reasonably restricting physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers
- reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information
- documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information
The Massachusetts regulation goes even further by setting forth security requirements for businesses’ computer systems, which, at a minimum, must include:
- secure user authentication protocols
- secure access control measures
- encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
- reasonable monitoring of systems, for unauthorized use of or access to personal information
- encryption of all personal information stored on laptops or other portable devices
- reasonably up-to-date firewall protection and operating system security patches
- reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis
- training of employees on the proper use of the computer security system and the importance of personal information security
The contrast between the Massachusetts requirements and the Utah and Rhode Island statutes is striking, and businesses that are looking to implement or enhance a cybersecurity program should look to states such as Massachusetts as a baseline. The Massachusetts requirements are, for the most part, becoming standard practice for businesses that are implementing or revising their cybersecurity programs. Given the impact of the GDPR, as well as recent newsworthy data breaches and privacy concerns, it is likely that eventually every state in the country will enact a data protection statute. It is even more likely that those states with statutes already enacted will continue to amend and strengthen them.
Most companies that conduct business in the United States are likely holding the personal information of residents of one or more of the states that already have data protection laws on the books. Thus, the takeaway here is that for U.S.-based businesses that are not subject to the GDPR and are not in the financial services or insurance industry, there is still a high probability that they are subject to one or more state data protection laws, and they should act accordingly. As more and more states enact their own laws, the implementation of a strong cybersecurity and data protection program will be an absolute necessity for every business in the United States (some, like me, would argue that it already is). That being said, a strong program must be viewed both as a required risk-mitigation tool and as an essential business practice; if such a program is in place, regulatory and statutory compliance will be a natural by-product, obviating the need to scramble each time a new data protection statute is revised or enacted.