New state laws that took effect January 1, 2019 likely will have a broader impact on how U.S. companies collect, process, and secure consumers' personal information, in addition to how and when they report data breaches. With the EU's General Data Protection Regulation (GDPR) now in force and no omnibus U.S. federal law yet in place to protect all individuals' personal information, state legislators have begun to pave the way for new data regulations and stronger consumer protections that carry serious implications for U.S. firms operating across various industries. Vermont and South Carolina are the latest states to enact their own unique data protection legislation regulating data brokers and licensed insurers, respectively, which other states may likely imitate in the very near future. For these reasons, now is the time for your organization to start addressing and adopting policies, procedures, and processes that ensure the privacy and security of the consumer data you maintain to better protect yourself when similar state-level legislation is enacted.
VERMONT – First State Law to Regulate Data Brokers
On January 1, 2019, Vermont became the first state in the nation to regulate data brokers that collect and sell personal information about consumers, attempting to add a new layer of accountability to data trading companies that often operate without much oversight. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices. Under this new law, data brokers will now have to register annually with the state, adopt comprehensive security measures, and publicly disclose information regarding their data collection practices, opt-out policies, purchaser credentialing practices, and security breaches. In addition to imposing these obligations on data brokers (discussed below), the law also requires credit reporting agencies to provide and remove "security freezes" prohibiting the release of consumer credit reports at no charge.
To Whom Does the Law Apply?
The law narrowly defines a "data broker" as "a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship."
Personal information (or "Brokered PI") in this context is defined broadly, and includes one or more computerized data elements about a consumer that are categorized or organized for dissemination to third parties, such as a Vermont resident's name, address, Social Security number or other government-issued identification number, date or place of birth, mother's maiden name, biometric data, name or address of a member of the consumer's immediate family or household, as well as "other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party."
Importantly, the law does not apply to businesses that collect data in the course of providing a consumer-facing product or service, such as websites, apps, or e-commerce platforms, so long as the business maintains a direct relationship with the consumer. Examples of direct relationships include past or present customers, clients, subscribers, users, registered users, employees, contractors, agents, investors, and donors. Similarly, because data brokers must "collect" and "sell or license" data, a business that acquires lists of individuals for its own use or analysis (e.g., to market to them or customize its product offerings), but does not resell the data, is not a data broker. On the other hand, "a business that collects information about consumers and then adds additional data elements, cleans up the data, or categorizes the data into lists in order to sell or license the data ... is a data broker."
What Does the Law Require?
Annual Registration and Disclosures
Data brokers must pay $100 and register annually with the Vermont Secretary of State. Upon registering, a data broker must also provide information about its business practices, including:
- Whether and how consumers can opt out of the broker's data collection, databases, or certain sales of data;
- The data collection, databases, or sales activities from which a consumer may not opt out;
- Whether the broker implements a purchaser credentialing process;
- If the broker knows it possesses Brokered PI about minors, a separate statement detailing any data collection practices, databases, sales activities, and opt-out policies applicable to that information; and
- The number of "data broker
security breaches" the broker experienced in the last year,
including how many consumers were affected (if known):
- A "data broker security breach" is defined as the unauthorized acquisition of two or more elements of Brokered PI maintained by a broker, or the reasonable belief that such unauthorized acquisition has occurred, when the data is not encrypted, redacted, or protected by another method that renders it unreadable or unusable by an unauthorized person.
- As noted above, Brokered PI is a much broader category than the more focused definition of personally identifiable information ("PII") that can trigger consumer notifications under Vermont's generally applicable data breach reporting statute. Accordingly, a breach that involves only a name, address, and date of birth would not trigger notice requirements under Vermont's traditional data breach reporting statute, but would require a data broker to disclose the incident in its annual registration under this new Vermont law.
A data broker that is required to register and fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year.
Prohibitions on Acquisition and Use
Data brokers may not acquire Brokered PI by fraudulent means, and may not acquire or use Brokered PI for the purposes of stalking or harassing someone, committing fraud (including identity theft), or engaging in unlawful discrimination. Noncompliance with this prohibition is considered a violation of the state's Consumer Protection Act that could result in an enforcement action brought by the attorney general for penalties of up to $10,000 per violation, in addition to other relief. A consumer may also bring a private right of action for injunctive relief, damages, and attorneys' fees.
Information Security Program
Data brokers must develop, implement, and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards. The law specifically requires a number of minimum features that closely track existing requirements under the neighboring Massachusetts regulation (201 CMR 17.00 et seq.), such as ongoing employee training, a means for detecting and preventing security system failures, security policies, disciplinary measures for violations, and supervision of service providers. Notably, failure to implement and maintain the required information security requirements constitutes an "unfair and deceptive act" for which the attorney general is authorized to bring an enforcement action. In addition, the attorney general may adopt rules to implement the new security provisions.
The Vermont law comes amid growing concerns over online privacy and covers a lesser-known part of the data business. Although Vermont's law addresses "third-party" data brokers (that is, data mining by companies that have no direct relationship with consumers), but not "first-party" brokers (i.e., companies that do have a direct relationship with consumers, such as a social media platform or retailers, when those companies gather information about how consumers interact with their own websites), the Vermont attorney general is holding hearings regarding whether the state should next regulate first-party data mining, among other issues.
With that said, the recent enactment of Vermont's law should not go unnoticed, as it marks the first state-wide regulation of data brokers that parallels some of the Federal Trade Commission's (FTC) recommendations made in a landmark 2014 report that studied the data broker industry and its practices, as well as GDPR principles, such as promoting consumer transparency, adding accountability to data brokering companies, and offering more protections towards minors. (It is worth noting that the FTC has urged Congress to regulate data brokers since at least 2012, but nothing has come of it up until the recent enactment of Vermont's law, which also comes nearly eight years after the U.S. Supreme Court's landmark decision in Sorrell v. IMS Health Inc.). Together with the recent congressional signals concerning a potential federal privacy law and the recent passage of the California Consumer Privacy Act of 2018, Vermont's law reflects a common trend in data privacy regulation towards heightened scrutiny of businesses that collect, use, and sell consumer data.
Other states may soon follow Vermont in regulating consumer data collection and information security practices, irrespective of the industry in which your business operates. Accordingly, now is the time to review and revise your company's data handling and information security policies and procedures as needed to ensure compliance.
- On or before January 31, 2019: Covered "data brokers" must register with the Secretary of State, pay the $100 registration fee, and disclose all requisite information as prescribed under the new law to avoid incurring a civil penalty.
- Determine if you qualify as a "data broker" under Vermont's new law.
- Register and disclose all requisite information with the Secretary of State on or before the January 31, 2019 registration deadline.
- Ensure that you are lawfully acquiring and using Brokered PI in compliance with Vermont law.
- Develop an information security program and implement appropriate safeguards to protect any PII that you maintain.
SOUTH CAROLINA – First State to Adopt Breach Notification and Cybersecurity Requirements Based on the NAIC Model Law
On January 1, 2019, South Carolina imposed new breach notification and information security requirements on insurers, agents, and other licensed entities authorized to operate under the state's insurance laws (i.e., "licensees"). These requirements are based on the National Association of Insurance Commissioners' Insurance Data Security Model Law ("NAIC Model Law") after South Carolina became the first state to adopt the model text into law last year under the South Carolina Insurance Data Security Act ("Act"). Although the NAIC Model Law is only applicable to entities licensed under state insurance regulators, it represents an attempt to enact consistent policies across multiple states. As such, South Carolina's enactment is at the forefront of a movement towards consistent cybersecurity laws. As more states enact cybersecurity laws, they are likely to follow the NAIC Model Law and New York's cybersecurity regulation that entered into force in 2017. Licensees found to be in violation of the South Carolina Act could face monetary fines of up to $30,000 and/or suspension or revocation of authority to do business in the state.
What Does the Law Require?
Notification of Cybersecurity Events
The Act includes stringent requirements for investigating and disclosing certain "cybersecurity event[s]" within 72 hours of their discovery. The clock starts ticking as soon as licensees confirm, after conducting a prompt investigation of the event pursuant to the Act's requirements, that nonpublic information in their system or in the system of a third-party provider was disrupted, misused, or accessed without authorization.
Under South Carolina's law, the definition of a "cybersecurity event" does not include unsuccessful cyberattacks and has an encryption safe harbor built into the term's definition. The definition also contains a good faith mistake safe harbor, as it expressly excludes "an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed." In addition, the term "nonpublic information" is broadly defined to include business information, the tampering or unauthorized disclosure or use of which would cause the entity "material adverse impact" to its business, operations, or security; consumer personal information, as defined by enumerated data elements (e.g., Social Security number, driver's license number); or protected health information (PHI). The law requires documentation of all cybersecurity events to be maintained for a period of five years from the date of the event and to be produced upon demand.
Licensees must notify the director of the Department of Insurance within 72 hours after determining that a cybersecurity event has, in fact, occurred if:
- the licensee is domiciled in South
- the nonpublic information of more than 250 South Carolina residents is involved and
- notice is required to any other governmental or supervisory body, or
- the event has a reasonable likelihood of materially harming either a South Carolina consumer or a material part of the licensee's normal operations.
Information Security Program
Another part of the law takes effect on July 1, 2019 when licensees are required to have an incident response plan and also implement and maintain a written information security program ("WISP") based on their own risk assessment that is commensurate with the company's size, activities, and sensitivity of its data assets. Licensees will also need to encrypt information stored on a portable device or transmitted over an external network, regularly test systems, and offer cybersecurity awareness training for employees, among other requirements.
Additionally, the Act establishes "minimum" requirements for boards of directors, which must oversee the development and implementation of the information security program. The board also must require executive management to report to it in writing at least annually on: (1) the overall status of the program and compliance with the Act; and (2) "material matters," including risk assessments, third-party service provider arrangements, testing results, cybersecurity events and responses thereto, and recommended changes to the program.
Oversight of Third-Party Service Providers
By July 1, 2020, each licensee must implement and subsequently monitor a third-party service provider program. As part of this program, licensees must exercise "due diligence" (not defined or described) in selecting service providers, as well as require each of its providers to implement security measures to protect and secure any information systems and nonpublic information accessible to or held by the provider.
South Carolina's new law is a significant development. Other state legislatures are currently considering similar legislation, and the requirements of this Act (and the NAIC Model Law) will likely be cited in cybersecurity matters beyond the insurance industry. Following South Carolina's example, Rhode Island has introduced a cybersecurity law based on the NAIC Model Law (Bill 2018–H 7789), with similar legislation passed by Nevada (Assembly Bill 471) and Vermont (4:4 Vt. Code R. § 8:8-4) covering the financial service industry. If South Carolina offers any indication, as more and more states implement similar laws, licensees may have as few as 14 months from the date the law is enacted to implement an information security program. Given the significant amount of work that goes into such a program, licensees may find themselves scrambling when their home state passes similar regulations. The best approach, to both avoid an expensive data breach and prepare for future regulation, is to stay ahead of the upcoming wave of cybersecurity regulation and start developing a WISP now.
- January 1, 2019: 72-hour breach notification requirement applies to licensees covered under South Carolina's Act.
- July 1, 2019: Develop and/or update your organizational incident response plan and WISP (if you have not done so already).
- July 1, 2020: Establish policies and procedures for monitoring the activities of your third-party service providers.
- Ensure that you have an incident response plan, WISP, and related policies and procedures in place to comply with the 72-hour breach notification requirement.
- Educate your company's board of directors and executive management team on their respective obligations under the Act and involve them in the compliance process as early as possible.
- Confirm that executive management can comply with its annual reporting responsibilities to the board of directors.
- Implement policies, procedures, and processes (and adjust them, as needed) for overseeing your third-party service providers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.