Thursday, October 25, 2018

The Year In Review: a Privacy and Data Security Law Update

The pace of change in privacy and data security law continues at grow, and even though this is one of the most rapidly-developing areas of law, the law simply cannot keep up with the speed of technology and business. 

Today, I delivered a continuing legal education presentation on behalf of the North Carolina Bar Association summarizing the changes in privacy and data security law over the past year, along with Elizabeth Johnson.

This post contains a brief outline of the items we described, and it might serve as a helpful checklist for those of you who are taking a moment near the end of the year to look back to ensure you have kept up with the many, many developments:

North Carolina Law Update
  • NC narrowly avoided the shortest breach reporting timeframe in US 
  • Amendment to Revenge Porn statute (Session Law 2017-93) 
  • NC DHHS ordered to develop telemedicine policy including data security standards. (Session Law 2017-133) 
  • Transfer of data to CIO conditioned on adequate data security protocols. (2018 appropriations bill; Session Law 2017-204) 
  • Secretary of Revenue ordered to establish information security program for tax information. (Session Law 2018-5)
  • NC Bank Commission records receive enhanced privacy protection. (Session Law 2017-165.) 
  • Privacy and data security training mandated for opioid diversion investigators and supervisors. (SL 2018-44.)
Other States’ Data Breach Laws
  • Alabama and South Dakota become 49th and 50th states to enact data breach notification statutes in 2018
  • Reminder of interplay between state, federal, local, and international data breach laws, as well as private requirements (contracts and PCI rules)
Trends in State Data Breach Law
  • Substantial majority of laws amended/enacted in 2018 added reporting deadline
  • Slight majority of laws amended/enacted in 2018 added regulator reporting requirement
  • Substantial majority of laws amended/enacted in 2018 expanded coverage of personal information
New Breach Notification Timelines
  • 30 days: Colorado
  • 45 days: Alabama, Arizona, Maryland, Oregon
  • 60 days: Delaware, Louisiana, South Dakota,
New Law: Healthcare or Health Insurance Data
  • States’ data breach laws that cover healthcare data
New law: Login Credentials
  • States that Cover Login Credentials
New law: Biometric Data
  • States that Cover Biometric Data
  • Specific requirements of Illinois, Texas, Washington: notice, consent, disclosure limitation, retention limitation
  • Illinois’ BIPA private right of action (multiple class actions against employers)
Expanding data covered by breach laws
  • Arizona (passport number; TIN; private, unique key used to authenticate/sign electronic record)
  • Delaware (passport number; TIN)
  • Maryland (passport number; TIN)
  • Oregon (any data that could be used to access financial account)
  • Virginia (for tax preparers, income tax information such as deductions and exceptions)
  • Ohio safe harbor for post-breach action
  • Colorado data protection requirements and vendor oversight
  • New Hampshire constitutional amendment
  • Iowa and Nebraska data security laws for EdTech
  • Credit freeze changes in Kentucky, Massachusetts, Minnesota, Oregon, Louisiana
  • California website privacy class actions proliferating
The California Consumer Privacy Act
  • History
  • Requirements
  • Ambiguities
  • Enforcement and Penalties

EU General Data Protection Regulation (GDPR)
  • Quick recap of GDPR
  • Max penalty is €20mm or 4% of global turnover
  • Scope of application
  • What have we learned since 25 May 2018?
  • Extraterritorial jurisdiction
  • Early enforcement
  • Contract battles
  • Data mapping pains
  • Privacy Shield update
HIPAA Update
  • No major rule developments
  • Steady flow of guidance documents
  • Cyber newsletters
  • Family access to PHI
  • Emergencies and business continuity
  • Enforcement continues at steady pace
  • Cases, settlements and penalties
  • Requests for information
  • OCR Priorities
Hot Topics and Miscellaneous Developments
  • Trends in breaches/causes/losses: Identity Theft Resources Center, IBM Ponemon Institute reports
  • Lessons from the Uber Breach
  • FTC Update
  • Social Media – third party sharing (Cambridge Analytica), Facebook breach
  • Minors
  • Internet of Things
  • Equifax (one year later)
  • New NIST privacy framework
  • US v. Microsoft (Stored Communications Act)
  • CLOUD Act
  • GLBA (Regulation P) amendments from CFPB
  • Data broker issues (Vermont)
  • Cyberinsurance issues
  • International developments:
  • China
  • Canada, Alberta
  • Australia
  • New Zealand
  • Brazil
  • Argentina
  • Chile
  • India
  • Kenya
  • Hungary
  • Vietnam