Trends in Privacy, Breach Notification, Data Security Legislation in 2019

by Sarah Harvey / December 6th, 2019

It’s hard to keep track of the different privacy, breach notification, and data security laws that exist in each state – but that’s the job of a thorough, expert auditor. Because of technology advancements and the implementation of GDPR, the momentum to update, amend, and create new legislation is elevated right now. Our mission is to educate you on the latest trends, legislation, and threats so that you can meet the requirements ahead of you.

Trends in Legislation

All 50 states now have breach notification laws, and many states are following suit for privacy and data security. In 2019, the trends in privacy, breach notification, and data security legislation revolved around three areas. How is your business addressing these trends?

Expanding the Definitions of Personal Information

Many states have amended their current laws to include a wider scope of what constitutes personal information. The definitions vary from state to state; for example, Maine’s LD 946 focuses on information derived from the customer’s use of the ISP services because the law specifically relates to ISPs. Many others have expanded to include biometric data, PII of children, health insurance information, financial information, or web browsing data.

Adjusting Timeframe for Data Breach and Security Incident Reporting

State legislation is enacting more stringent timelines for breach notification to the affected consumers and to regulatory bodies. Washington’s deadline is within 30 days of discovery, Maryland’s is within 45 days, and Texas’ is within 60 days. For vendors of businesses in the state of Oregon, though, the deadline to report to their covered entity is 10 days.

Reporting Requirements to the State Attorney General

A third trend from legislation in 2019 is involvement from state attorney generals. This regulatory notification provides businesses with more oversight and accountability at the state-level. While the notice requirements are different from state to state, businesses must generally include a detailed description of the data breach, information about how many consumers were impacted, steps taken so far to contain the breach in the present and future, and if law enforcement has been notified. For states like Oregon and Texas, this requirement begins when 250 residents are affected and in Washington, it’s not required unless 500 or more residents are affected.

State Legislation and Amendments in 2019

While the California Consumer Privacy Act has garnered the most attention in the industry, most states have enacted or amended their own laws to include the same information or trends as CCPA and GDPR. Do you do business in, collect data from, or a serve a vendor in the following states? You may need to consider how you’re tackling the privacy, breach notification, and data security laws at a state-level.

• Amendments to Arkansas’ Personal Information Protect Act
• Connecticut Insurance Data Security Law
• Amendments to Illinois’ Personal Information Protection Act
• New Privacy Taskforce for the Louisiana Public Service Commission
• Maine’s Act to Protect the Privacy of Online Consumer Information
• Amendments to MPIPA
• Massachusetts’ Enhancement of Credit Data Security
• Minnesota’s Common Law Includes Privacy
• Nevada’s Online Privacy Law
• Breach Disclosure in New Jersey
• New York SHIELD Act
• PII Law in North Dakota
• Amendments to OCIPA
• Digital Data in South Carolina
• Amendments to TITEPA
• Protection of Personal Information Act in Utah
• Washington’s Breach Notification Law

Proposed Federal Legislation in 2019

Considering that a number of states have adopted or amended data privacy legislation, it’s become clear that a federal privacy law is needed. Recognizing this and the dangers associated with ineffective privacy laws at the federal level, legislators in both the Senate and the House introduced federal privacy bills, including the following:

• Mind Your Own Business Act: In October, Sen. Ron Wyden (D-OR) released his own privacy act that “protect Americans’ privacy, allows consumers to control the sale and sharing of their data, give the FTC the authority to be an effective cop on the beat, and spur a new market for privacy-protecting services.”
• Online Privacy Act of 2019: On November 5^th, two Silicon Valley Congresswomen, Congresswomen Anna Eshoo (CA-18) and Zoe Lofgren (CA-19), introduced this bill intended to create user rights, place clear obligations on companies, strengthen enforcement of privacy violations, and place clear obligations on businesses. What’s more, under this law, a new federal agency would be created to enforce privacy rights.
• Consumer Online Privacy Rights Act (COPRA): On November 28^th, U.S. Sen. Maria Cantwell (D-WA) introduced COPRA, a bill that gives citizens many of the same rights as CCPA, but takes it a bit further, stressing affirmative consent, rights to access and transparency, language, right to delete, and duty of loyalty.
• United States Consumer Data Privacy Act of 2019: On December 4^th, U.S. Sen. Roger Wicker (R-MS) introduced an opposing federal privacy bill to COPRA. In his federal privacy bill, the United States Consumer Data Privacy Act of 2019 would override many of the state laws listed above, like CCPA.

In 2020, we expect to see an even heavier focus on consumer privacy rights. Want to discuss what state-level legislation applies to your business? Need to know how close you are to gaining compliance? Let’s talk today so we can begin mapping your compliance journey.

More Resources

IAPP’s State Comprehensive-Privacy Law Map

4 Things to Know About the AG’s Proposed CCPA Regulations

GDPR: One Year In