Notable New State Privacy and Data Security Laws – Part Two

by Snell & Wilmer

This is the second in a two-part series addressing recent developments in state privacy and data security laws.  This article addresses new laws about student privacy, enforcement/ punishment for data privacy and security violations, and miscellaneous data privacy and security-centered laws.  Part One addressed additions and revisions to definitions within these laws, adjustments to notification requirements in the event of a breach, and changes dictating the scope of these laws, controlling which entities are subject to the regulations.

Student Privacy

Several states have passed laws aimed at increasing privacy protection for student information.  For example, New Hampshire recently established a requirement to destroy personal information of students following the completion and verification of certain tests, and gives students taking college entrance exams the option to have all personal information destroyed by the testing entity following completion and verification of the test.  Additional restrictions were imposed on operators of websites, online platforms, and applications targeting students and their families, requiring the creation and maintenance of “reasonable” security procedures to protect certain information about students, and prohibit the use of covered information for targeted advertising.

Oregon, Tennessee, and Virginia enacted similar laws to New Hampshire, expanding protection of student data, prohibiting selling student information, and defining “targeted advertising” to students.  Hawaii passed a bill which restricts how a student’s information can be used by “operators” of online websites, services, and applications that are used for K-12 school purposes.  Michigan enacted two laws, one similar to Hawaii’s regarding operators’ collection of student’s information, as well as an additional law regarding how student’s information can be collected and used.  Kansas passed its “Student Online Personal Protection Act,” which, like other states, restricts how an “operator” can use student information.  Connecticut’s “Act Concerning Student Data Privacy,” went into effect on October 1, 2016 and addresses how student information, which includes a student’s personally identifiable information, can be collected and used by operators and other contractors.  Finally, California expanded its existing Student Online Personal Information Protection Act and its limits on operators’ uses of student information to apply to preschool and prekindergarten students.

Utah also established the Student Data Privacy Act, providing for student data protection at the state and local levels, enacting requirements for data maintenance and protection by both state and local education entities and third-party contractors, as well as providing penalties and enacting requirements for notice to parents or guardians before a student is required to take certain types of surveys.  West Virginia recently enacted legislation prohibiting the Department of Education from transferring confidential student information or certain redacted data to any federal, state, or local agency or other person or entity (subject to certain exceptions), requiring written consent if information classified as confidential is necessary and requiring that the consent contain a detailed list of the confidential information required and the purpose of its requirement.  Arizona added a requirement for parental consent before collecting information about a student.  Finally, Colorado passed its “Student Data Transparency and Security Act,” which made a number of changes, such as limiting how “school service contract providers” can use student information and their duties to destroy data, with the stated goal of increasing transparency and addressing limitations on the “collection, use, storage, and destruction of student data.”

Violations of Data Privacy and Security Laws

Recent Oregon statutory revisions now include making a person’s violation of privacy and data security provisions an “unlawful practice,” under which Oregon’s AG or District Attorney of the county in which the violation occurred may enforce the Oregon Consumer Identity Theft Protection Act of 2007 by utilizing enforcement powers under Oregon’s Unlawful Trade Practices Act.

Washington established requirements instructing the Office of the State Chief Information Officer to implement a process for detecting, reporting, and responding to security incidents, develop plans and procedures to ensure the continuity of commerce for information resources that support the operations and assets of State agencies in the event of a security incident, work with certain entities to develop a related strategy, and collaborate with specified entities to develop this strategy.  Washington also established the State Cybercrime Act, which addresses the crimes of computer trespass, electronic data service interference, spoofing, electronic data tampering, and electronic data theft, and creates crimes in the first and second degree related to violations of privacy and data security regulations.

Regulated Entitles & Their Responsibilities

Some states clarified which individuals are subject to data breach notification requirements.  Arizona, for example, amended its law so that “business associates,” as defined by HIPAA’s regulations, are exempt from the state’s data breach notification law.

Iowa now requires that its state credit unions “maintain an information security response program,” which includes notifying the credit union division and observing that state credit unions experiencing an information security breach may be subject to the state’s “Personal Information Security Breach Protection” law.

New York significantly revised its cybersecurity policy requirements for covered entities, including: (a) adding “asset inventory and device management” to the required components of a covered entity’s cybersecurity policy, (b) limiting the requirement for a covered entity to maintain audit trails to cover only cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity,” and (c) eliminating the obligation for covered entities to require multi-factor authentication for employees accessing internal databases.  In 2017, New York is also anticipating the development of a complex set of cybersecurity regulations covering the New York Department of Financial Services.

Rhode Island also now requires entities handling personal data to implement reasonable security practices and procedures, and put in place document retention and destruction policies.

Likewise, Kansas “clarifie[d] the duties of holders of personal information” in new legislation. There, the Kansas AG proposed legislation in an effort to ensure that “holders of personal information” are required to implement and maintain “reasonable procedures and practices” and “exercise reasonable care” with regards to information it holds, and destroy records “containing any person’s personal information when such holder no longer intends to maintain or possess such records.”

Illinois also added a new section requiring “data collectors” to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”  When doing so, Illinois’s new law explained that if a data collector is subject to and in compliance § 501(b) of the Gramm-Leach-Bliley Act of 1999, it is in compliance with the new Illinois section.  Likewise, entities and business associates subject to and in compliance with HIPAA and HITECH are in compliance with the new Illinois law, if they also provide notice to the AG when making a required notice under HITECH.

Miscellaneous Updates

Arizona created a new Office of Economic Opportunity and included requirements for protecting specific data and requiring notice to the office if information it shares is subject to an unauthorized disclosure.

Florida passed legislation relating to its Agency for State Technology, such as making changes to its Technology Advisory Council’s membership, and revising its responsibilities, some of which can be completed by private sector vendors.

Wyoming initiated new requirements for governmental agencies to adopt policies for data collection, access, security and use, directing the State Chief Information Officer to develop guidelines for local governments for data collection, access, security and use, and establishing applicable definitions.

As the states continue to add to and modify their respective data privacy and protection laws, we will keep you posted.  Stay tuned.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising

Written by:

Snell & Wilmer

Snell & Wilmer on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.