This summer, several states enacted legislation addressing a broad range of privacy issues including data breach notification, health care privacy, employer access to employees’ and applicants’ social networking accounts, the collection of Social Security numbers, and telemarketing. The following is a brief summary of some of these recent state law privacy regulation developments.
Vermont Amends Data Breach Notification Law
On June 1, Vermont Attorney General William H. Sorrell announced a series of legislative enactments (H. 254), which he described as “the most important enhancements to the state’s consumer protection laws in years.” These enactments included amendments to the state’s Security Breach Notice Act, which went into effect on May 8.
The most significant changes to the Act are: (1) a new requirement that notification be provided to consumers within 45 days after discovery of a breach (providing clarification to the phrase “in the most expedient time possible and without unreasonable delay”); (2) a modification to the content requirements for consumer notice to require the inclusion of the approximate date of the breach, if known; (3) the addition of an obligation to notify the Vermont Attorney General of a breach; and (4) a modified definition of the term “security breach,” along with the inclusion of a set of factors to help businesses determine what constitutes a security breach. On July 26, the Vermont Attorney General issued updated breach notification guidance that takes into account the amendments to the Act.
Vermont becomes the fourth state to impose a 45-day deadline for the provision of consumer notice, joining Florida, Ohio, and Wisconsin, and joins a growing number of other states that require notification to the Attorney General or other state entities.
With regard to the amended law’s obligation to notify the Attorney General, preliminary notice of a breach must be provided to the Attorney General within 14 business days of discovery of the breach or when notice is provided to consumers, whichever is sooner. The preliminary notice must include the date of the breach, the date of discovery, and a preliminary description of the breach. In addition, a business must also notify the Attorney General of the number of affected Vermont residents, if known, and provide a copy of the consumer notice at the time notice is provided to consumers.
The obligation to provide a preliminary notice within 14 days of discovery of the breach is waived if a business has, prior to the date of the breach, sworn in writing and on a form provided by the Attorney General that it maintains written policies and procedures to maintain the security of personally identifiable information and to respond to a breach in a manner consistent with Vermont law. If a business has made such a prior sworn statement, it is only required to notify the Attorney General prior to providing notice of the breach to consumers.
The amendments to the law change the definition of “security breach” so that the law no longer applies to the unauthorized “access” of data, but, rather, calls for notification upon “unauthorized acquisition . . . or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of a consumer’s personally identifiable information.” The amended law offers some guidance concerning what constitutes an “unauthorized acquisition.” Factors to consider include:
- indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information;
- indications that the information has been downloaded or copied;
- indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or
- that the information has been made public.
Connecticut Amends Data Breach Notification Law
Connecticut also amended its data breach notification law, and the amended law takes effect on October 1. Although the bill that contained the amendments to law did not emerge successful from the 2012 General Session, it survived—and was passed during a General Assembly Special Session—as an attachment to section 130 of the budget bill (H.B. 6001). While much of the new law, which Connecticut Governor Dan Malloy signed on June 15, is the same as the prior version, it will require the reporting of security breaches to the Connecticut Attorney General in addition to the existing obligation to notify consumers. The Attorney General must be notified no later than the time that notification is provided to consumers, which must be done “without unreasonable delay.”
Hawaii Defers to HIPAA
The Hawaiian legislature passed the “Health Care Privacy Harmonization Act” (H.B. 1957), which harmonizes Hawaii’s state health care privacy laws with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In the text of the bill, the legislature acknowledges that Hawaii’s more than 50 different laws and rules that govern health care privacy create a “complex array of state laws and rules [that] unduly burden health care providers . . . and [impose] unnecessary administrative costs and daunting regulatory burdens without countervailing benefits.” To alleviate this burden, the Act states that covered entities and business associates that are subject to and that comply with the HIPAA Privacy Rule are deemed as acting in compliance with Hawaii’s health care privacy laws and regulations.
Illinois Becomes Second State to Restrict Employer Access to Employees’ and Applicants’ Social Network Profiles and Accounts
On August 1, Illinois Governor Pat Quinn signed legislation (H.B. 3782) that amends the Illinois Right to Privacy in the Workplace Act to prohibit an employer from: (1) requesting or requiring an employee or job applicant to provide a password or other account information in order to gain access to that individual’s account or profile on a social networking website; and (2) demanding access, in any manner, to an employee’s or job applicant’s social networking account or profile. Illinois becomes the second state to enact such a law, joining Maryland. In addition, several other states and Congress are considering similar legislation.
Despite the new prohibitions, the amended law makes clear that an employer is not prohibited from maintaining policies that govern the use of the employer’s electronic equipment – such as policies regarding use of the Internet, social networking websites, and email – or from monitoring the use of the employer’s electronic equipment and email. In addition, employers are not prohibited from obtaining information about an employee or job applicant that is in the public domain (which likely includes information obtained from social networking website profiles that an employee or job applicant makes publicly available).
New York Enacts Privacy Laws Governing Social Security Numbers and Telemarketing
On August 14, New York Governor Andrew Cuomo signed several pieces of legislation, including bills that protect Social Security numbers, place additional restrictions on pre-recorded telemarketing messages, and expand the scope of the state’s telemarketing laws to include telemarketers located outside of New York that do business in the state.
Pursuant to A. 8992, which takes effect 120 days after it became law, individuals and businesses (but not government entities) are prohibited from requiring an individual to disclose his or her Social Security number or refusing any service, privilege, or right to an individual because such individual refuses to disclose his or her Social Security number. However, the bill contains 13 exceptions to this general prohibition, including instances where the number is to be used for fraud investigation, purposes of employment, collection of child or spousal support, or verifying an individual’s identity or age in order to allow enrollment in a marketing program that is restricted to individuals of a certain age. The Attorney General is tasked with enforcing the law and may obtain an injunction, restitution, and civil penalties of up to $500 for the first violation and $1000 for each additional violation.
In addition, A. 10569, which takes effect 90 days after it became law, requires telemarketers to obtain the prior express written consent of the recipient of a call to send a pre-recorded telemarketing message and imposes new requirements designed to make it easier for consumers to opt out of future calls. Under the new law, prior express written consent must: (1) be obtained after a “clear and conspicuous” disclosure that the purpose of the consent is to authorize telemarketing sales calls; (2) evidence the willingness of the customer to receive telemarketing sales calls; and (3) include the customer’s telephone number and signature. In addition, the law prohibits telemarketers from requiring, directly or indirectly, that consent be provided as a condition of purchasing any good or service. The law also expands the scope of the state’s telemarketing laws to require out-of-state telemarketers doing business in New York to register with the New York Department of State.