select
This is a tooltip for the edit command button
Robert M. Ferm, Esq.
Robert M. Ferm, Esq.
HALL & EVANS, L.L.C.
(303) 628-3380
View Profile
Ayshan Ibrahim, Esq.
Daniel Furman, Esq.
Daniel Furman, Esq.
HALL & EVANS, LLC
(303) 628-3483
View Profile

DATA BREACH LEGISLATION AND
THE INSURANCE INDUSTRY

State and Federal Legislative Action Regarding Data Breaches

Following various national personal data security breaches, there has been significant legislative activity at federal and state levels of government to strengthen consumers’ personal information protection. At the state level, legislatures have enacted legislation regarding security breaches in general as well as more specific bills requiring businesses to provide notification to its affected residents after a security breach occurs.

The National Conference of State Legislatures (NCSL) shows that, currently, all 50 states have enacted security breach notification laws that require businesses or governmental agencies to notify consumers whose personal information has been involved in a security breach. Security breach laws typically provide for who must comply with the law, definitions of personal information, what constitutes a breach, requirements for notice, and if there are any exemptions for these categories. An entity that is covered under a security breach statute is typically defined as a business or governmental entity that owns or licenses data that contains personal information. Within the notification requirements, states are setting timeframes by when consumers must be notified of a breach; typically, the statutes call for notification “as soon as possible” or “in the most expedient time possible” but otherwise within 30, 45, or 90 days. Penalties for non-compliance of a state’s notification procedures include fines, actions in law or equity brought by the state’s attorney general, and sometimes private causes of action.[1]

States are also requiring businesses that own, license, or maintain personal information to implement and maintain security procedures and practices in case of a data breach. Most of the laws require only that “reasonable” security practices be followed, but some requirements are more detailed. Trends in security breach legislation include expanding definitions of “personal information.” A breakdown of each state’s security breach legislation can be found in the cybersecurity legislation section of the National Conference of State Legislatures website at www.ncsl.org.

These breaches have also triggered federal action in an attempt to consolidate or standardize the many different state data breach notification laws, in order to prevent confusion among businesses and/or consumers. Though none have yet to reach a vote, U.S. Congress has introduced several data breach notification laws; notably, the Data Security and Breach Notification Act which was re-introduced by three U.S. Senators in November of 2017.[2]

The purpose of this legislation is to protect consumers by requiring security policies and procedures to protect data containing personal information and to provide for nationwide notice in the event of a security breach.[3] The bill requires any entity that owns data containing personal information, or that contracts with a third party for this purpose, to develop security policies regarding the collection and use of this information.[4] Other features of the bill include methods for notification, a requirement that consumers affected by the breach be notified no later than 30 days after the breach is discovered, penalties for non-compliance, and a directive ordering the FTC to issue data security rules.[5] Similar bills to set a national standard for implementation of comprehensive consumer data security programs were introduced by the House, such as the Consumer Privacy Protection Act of 2017.[6] These bills can be read directly by searching their titles at www.congress.gov.

The NAIC’s version of a Data Security Breach Law

These state and federal data security breach bills to protect consumers’ personal information directly affect the insurance industry. In 2017, the National Association of Insurance Commissioners (NAIC) put forth its own version of a data security breach law titled: Insurance Data Security Model Law. Up to date, South Carolina is the only state to adopt a law that is substantially similar to the most recent version of the NAIC model. 

The purpose of the NAIC model is to set standards for: data security, investigation, and notification to the commissioner (the chief insurance regulatory official of a state) of a cybersecurity event applicable to licensees (someone licensed pursuant to the insurance laws of a state). The NAIC defines a covered entity as an “authorized individual” or someone who has access to nonpublic information held by a licensee. The model also provides guidelines for the establishment of a comprehensive security program that provides administrative, technical, and physical safeguards for the protection of nonpublic information.

As well as setting forth procedures for investigation of a cybersecurity event, the model sets the notification deadline at 72 hours after a determination that an event has occurred. The event must have occurred in the state that is the licensee’s state of domicile or there must be a reasonable belief that the nonpublic information of 250 or more consumers was involved. The model provides for exemptions from these requirements as well as penalties for non-compliance in accordance with the licensee’s state data breach law. The Insurance Data Model Law can be found at www.naic.org under cybersecurity.

Colorado: “Concerning Strengthening Protection for Consumer Data Privacy”

Leading up to the 2018 legislative session in Colorado, the Attorney General sought to strengthen existing protections for consumers whose personal information had been compromised in a security breach.  However, the proposed bill would have placed significant regulatory burden on Colorado businesses. After active participation by the business community, through negotiation and compromise with the bill’s sponsors, the Attorney General’s Office struck a balance between protecting consumer information and limiting the extent of these regulatory burdens with HB 1128: Protections for Consumer Data Privacy.

Under this law, businesses must notify the affected Colorado residents no later than 30 days after determination that a data breach has occurred.[7] However, the law also provides that if a business regulated by state or federal law is in compliance with the guidelines established by that regulator, then that business is considered also in compliance with this.[8] The Colorado statute also sets guidelines for the disposal of personal information that a covered entity maintains, and that  covered entities must have a written policy for disposal.[9] Similar to other state data breach bills and the NAIC model, the Colorado law required that business must maintain security procedures in order to protect personal identifying information of an individual residing in the state.[10] The security procedures must be appropriate for the nature of the personal identifying information and the nature and size of the business.[11]

Finally, a business must also notify the Colorado Attorney General’s Office of a security breach within 30 days after the date of determination that a security breach occurred if the security breach is reasonably believed to have affected at least 500 residents.[12] Also, a breach of encrypted or secured personal information does not have to be disclosed to the Attorney General unless the means used to decipher the encrypted information was also acquired or was reasonably believed to have been acquired.[13]

California: “California Consumer Privacy Act of 2018”

Assembly member Ed Chau introduced AB 375 in the California legislature to address provisions set forth in a ballot initiative that would have enacted a different and distinct consumer privacy statute. California Governor Edmund G. Brown Jr. signed into law AB 375, which will enact the “California Consumer Privacy Act of 2018” (“CCPA”) on January 1, 2020. The CCPA expands the generally understood definition of “personal information” in the United States. Also, the law’s broad scope means it will affect a large number of companies that operate in California and engage in data-driven advertising and marketing activities.

The CCPA broadly defines the term “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.[14] Additionally, the CCPA applies its requirements to any “business,” which it defines as any company that does business in California for a profit that collects personal information from a California resident; and that either: (1) has annual gross revenue over $25 million; (2) annually buys, sells, receives, or shares for a commercial purpose the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.[15] Additionally, the law states that it is not limited to information collected electronically or over the Internet, but applies to the collection and sale of all personal information.[16] The law will not affect commercial conduct that takes place wholly outside of California, which is defined as when a business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California was sold.[17]

The CCPA provides California residents with a broad range of consumer rights, including new access and opt-out rights. When responding to consumer requests, businesses cannot rely exclusively on general statements of applicability like those made in current privacy notices. The CCPA creates the following specific consumer rights: (1) right to data access; (2) right to deletion; (3) right to know where data is collected from to whom it is sold; (4) right to opt-out; and (5) right to equal service.[18]

The CCPA sets forth specific steps that businesses are required to take to provide consumers with notice of their rights through new privacy policy requirements, and for how to respond to those rights requests. Specifically, the statute requires that companies: (1) respond to these requests within 45 days of receipt; (2) disclose information for consumers on the business’s website; (3) provide employee training; and (4) inform consumers about their opt-out rights by including a link on their homepage titled “Do Not Sell My Personal Information.”[19] The CCPA provides a private right of action for data breaches in specified circumstances and allows the Attorney General to bring a civil action to enforce any provision of the statute.[20]

The CCPA provides certain exceptions to its requirements. These exceptions include allowances for sharing with law enforcement, service providers, and for activity taken wholly outside of California. Additionally, the law provides exceptions for compliance with sector specific laws such as health and banking regulations. Generally, the CCPA does not restrict the ability of a business to: (1) comply with federal, state, or local laws; (2) comply with a civil, criminal, or regulatory investigation; (3) cooperate with law enforcement where there is a reasonable good faith belief that activity may violate the law; (4) exercise or defend legal claims; (5) collect, use, retain, sell, or disclose personal information that is deidentified or in the aggregate; or (6) collect or sell personal information is all conduct takes place wholly outside California.[21] Additionally, Sections 1798.110 to .135 do not apply if the business would violate an evidentiary privilege under California law.[22] The law also does not apply to: (1) protected or health information by a covered entity covered by the Confidentiality of Medical Information Act or subject to Health Insurance Portability and Accountability Act; (2) to the sale of personal information to or from a consumer reporting agency that is used to create a consumer report; (3) to personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations if it is in conflict with that law or regulation; or (4) to personal information collected or sold pursuant to the Driver's Privacy Protection Act.[23] The Attorney General is also authorized by the CCPA to adopt additional regulations as necessary to further the purposes of the law.[24]

Conclusion

As technology continues to evolve, the need to protect consumers’ personal information is sure to increase. Legislation regarding data breach security will continue to develop and compromises with the stakeholders, as part of the legislative process, will continue to ensure that the concerns of various interested parties are taken into account. The 2019 legislative year appears indicative of what we can continue to expect to see in 2020 and beyond.  Data security and related issues will remain high visibility legislative and regulatory topics for the foreseeable future.

According to the NCSL all 50 states, DC, Guam, the Virgin Islands and Puerto Rico have enacted security breach notification laws.[25] This year at least 19 states are considering, considered, have amended and or enacted security breach laws. At latest count, Connecticut, Mississippi, New Hampshire and Nevada introduced bills similar to the NAIC Model. Others are modeling their proposals on the California Consumer Privacy Act or a hybrid of various consumer or business trades recommendations. The NCSL observed  four general  trends in proposals introduced in 2019.  There are bills aimed at expanding the definition of “ personal information”;  bills to address time frames for reporting breach;  bills requiring reporting of breach to the attorney general and consumer protection bills for victims of data breach.[26]

As of July 1st 2019 states enacting or amending existing legislation this year include Arkansas, Florida, Illinois, Maryland, New Jersey, Oregon, Utah and Washington.  Numerous bills remain pending in states currently in session.

[1] Pam Greenberg, Taking Aim at Data Breaches and Cyberattacks, National Conference of State Legislatures, Vol. 25, No. 43 (Nov. 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/taking-aim-at-data-breaches-and-cyberattacks.aspx.

[2] Edward Holman et al., A Look Ahead at Privacy and Data Security in 2018, The Wilson Sonsini Goodrich & Rosati Data Advisor (Jan. 24, 2018), https://www.wsgrdataadvisor.com/2018/01/privacy-and-data-security-in-2018/.

[3] Data Security and Breach Notification Act, S. 2179, 115th Cong. (2017).

[4] Id.

[5] Id.

[6] Consumer Privacy Protection Act of 2017, H.R. 4081, 115th Cong. (2017).

[7] See HB 18-1128, enacting new Colo. Rev. Stat. 6-1-713.5.

[8] Colo. Rev. Stat. 6-1-713.5(4).

[9] Colo. Rev. Stat. 6-1-713.

[10] Colo. Rev. Stat. 6-1-713.5.

[11] Id.

[12] Colo. Rev. Stat. 6-1-716(2)(f)(I).

[13] Colo. Rev. Stat. 6-1-716(2)(g).

[14] Cal. Civ. Code § 1798.140(o)(1).

[15] Cal. Civ. Code § 1798.140(c).

[16] Cal. Civ. Code § 1798.175

[17] Cal. Civ. Code § 1798.145(a)(6).

[18] Cal. Civ. Code §§ 1798.140(t)(1), 1798.105, 1798.115, 1798.120,1798.125.

[19] Cal. Civ. Code §§ 1798.130, 1798.135

[20] Cal. Civ. Code § 1798.150

[21] Cal. Civ. Code § 1798.145.

[22] Id.

[23] Id.

[24] Cal. Civ. Code § 1798.185.

[25] Digital Guardian: The Definitive Guide to U.S. State Data Breach Laws

[26] NCSL:  2019 Security Breach legislation  6/13/2019


References