This is the second in a two-part series addressing recent developments in state privacy and data security laws. This article addresses new laws about student privacy, enforcement and punishment for data privacy and security violations, and miscellaneous data privacy and security-centered laws. Part One addressed additions and revisions to definitions within these laws, adjustments to notification requirements in the event of a breach, and changes dictating the scope of these laws, controlling which entities are subject to the regulations.
Several states have passed laws aimed at increasing privacy protection for student information. For example, New Hampshire recently established a requirement to destroy personal information of students following the completion and verification of certain tests, and gives students taking college entrance exams the option to have all personal information destroyed by the testing entity following completion and verification of the test. Additional restrictions were imposed on operators of websites, online platforms, and applications targeting students and their families, requiring the creation and maintenance of “reasonable” security procedures to protect certain information about students, and prohibiting the use of covered information for targeted advertising.
Oregon, Tennessee, and Virginia enacted laws similar to New Hampshire’s, expanding protection of student data, prohibiting the sale of student information, and defining “targeted advertising” to students. Hawaii passed a bill which restricts how a student’s information can be used by “operators” of online websites, services, and applications that are used for K-12 school purposes. Michigan enacted two laws, one similar to Hawaii’s regarding operators’ collection of students’ information, as well as an additional law regarding how students’ information can be collected and used. Kansas passed its “Student Online Personal Protection Act,” which, like other states’ laws, restricts how an “operator” can use student information. Connecticut’s “Act Concerning Student Data Privacy” went into effect on October 1, 2016 and addresses how student information, which includes a student’s personally identifiable information, can be collected and used by operators and other contractors. Finally, California expanded its existing Student Online Personal Information Protection Act and its limits on operators’ uses of student information to apply to preschool and prekindergarten students.
Utah also established the Student Data Privacy Act, providing for student data protection at the state and local levels, enacting requirements for data maintenance and protection by both state and local education entities and third-party contractors, as well as providing penalties and enacting requirements for notice to parents or guardians before a student is required to take certain types of surveys. West Virginia recently enacted legislation prohibiting the Department of Education from transferring confidential student information or certain redacted data to any federal, state, or local agency or other person or entity (subject to certain exceptions), requiring written consent if information classified as confidential is necessary and requiring that the consent contain a detailed list of the confidential information required and the purpose of its requirement. Arizona added a requirement for parental consent before collecting information about a student. Finally, Colorado passed its “Student Data Transparency and Security Act,” which made a number of changes, such as limiting how “school service contract providers” can use student information and their duties to destroy data, with the stated goal of increasing transparency and addressing limitations on the “collection, use, storage, and destruction of student data.”
Violations of Data Privacy and Security Laws
Recent Oregon statutory revisions now include making a person’s violation of privacy and data security provisions an “unlawful practice,” under which Oregon’s AG or District Attorney of the county in which the violation occurred may enforce the Oregon Consumer Identity Theft Protection Act of 2007 by utilizing enforcement powers under Oregon’s Unlawful Trade Practices Act.
Washington established requirements instructing the Office of the State Chief Information Officer to implement a process for detecting, reporting, and responding to security incidents, develop plans and procedures to ensure the continuity of commerce for information resources that support the operations and assets of State agencies in the event of a security incident, work with certain entities to develop a related strategy, and collaborate with specified entities to develop this strategy. Washington also established the State Cybercrime Act, which addresses the crimes of computer trespass, electronic data service interference, spoofing, electronic data tampering, and electronic data theft, and creates crimes in the first and second degree related to violations of privacy and data security regulations.
Regulated Entities & Their Responsibilities
Some states clarified which individuals are subject to data breach notification requirements. Arizona, for example, amended its law so that “business associates,” as defined by HIPAA’s regulations, are exempt from the state’s data breach notification law.
Iowa now requires that its state credit unions “maintain an information security response program,” which includes notifying the credit union division, and notes that state credit unions experiencing an information security breach may be subject to the state’s “Personal Information Security Breach Protection” law.
New York significantly revised its cybersecurity policy requirements for covered entities, including: (a) adding “asset inventory and device management” to the required components of a covered entity’s cybersecurity policy, (b) limiting the requirement for a covered entity to maintain audit trails to cover only cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity,” and (c) eliminating the obligation for covered entities to require multi-factor authentication for employees accessing internal databases. In 2017, New York is also anticipating the development of a complex set of cybersecurity regulations covering the New York Department of Financial Services. You can find our blog’s post on that here.
Rhode Island also now requires entities handling personal data to implement reasonable security practices and procedures, and put in place document retention and destruction policies.
Likewise, Kansas “clarifie[d] the duties of holders of personal information” in new legislation. There, the Kansas AG proposed legislation in an effort to ensure that “holders of personal information” are required to implement and maintain “reasonable procedures and practices” and “exercise reasonable care” with regard to the information they hold, and to destroy records “containing any person’s personal information when such holder no longer intends to maintain or possess such records.”
Illinois also added a new section requiring “data collectors” to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” In doing so, Illinois’s new law explains that if a data collector is subject to and in compliance with § 501(b) of the Gramm-Leach-Bliley Act of 1999, it is in compliance with the new Illinois section. Likewise, covered entities and business associates subject to and in compliance with HIPAA and HITECH are in compliance with the new Illinois law, provided they also give notice to the AG when making a required notice under HITECH.
Arizona created a new Office of Economic Opportunity and included requirements for protecting specific data and requiring notice to the office if information it shares is subject to an unauthorized disclosure.
Florida passed legislation relating to its Agency for State Technology, such as making changes to its Technology Advisory Council’s membership, and revising its responsibilities, some of which can be completed by private sector vendors.
Wyoming initiated new requirements for governmental agencies to adopt policies for data collection, access, security and use, directing the State Chief Information Officer to develop guidelines for local governments for data collection, access, security and use, and establishing applicable definitions.
As the states continue to add to and modify their respective data privacy and protection laws, we will keep you posted. Stay tuned.