The New Year Brings New Data Breach Laws

Clark Hill PLC
Contact

[co-author: Keisha M. McClellan]

Complying with changing state-level privacy laws will be a business priority in 2020. Because the United States does not have a uniform Federal privacy law, a patchwork of state rules based on where customers live poses new challenges to companies in the New Year.

Here are seven (7) data breach updates in 2020 you should know:

JANUARY

California

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and applies to companies that do business in California and collect personal information from California residents. Considered to be one of the broadest state-level privacy laws in U.S. history, the CCPA creates four primary consumer rights: (1) the right to know what information a company has on you; (2) the right to request companies delete information about you; (3) the right to opt-out of the sale of your information; and (4) the right to receive equal service and pricing from a business if you exercise your CCPA rights. However, the Attorney General is prohibited from initiating an enforcement action until July 1, 2020.

Illinois

SB 1624

Effective January 1, 2020, businesses must notify the Attorney General of breaches involving more than 500 people. The notice must include a description of the nature of the breach of security or unauthorized acquisition, the date of the breach, the number of Illinois residents affected by the incident at the time of notification, and any steps the entity took or plans to take relating to the data security incident. Of note, the Attorney General may publish data collector’s names, types of personal information disclosed, and the date range of the breach.

Oregon

SB 684

As of January 1, 2020, the Oregon Consumer Information Protection Act expands the scope of data breach notification rules for vendors. Vendors will have to notify any contracted entity within ten (10) days of discovering a breach and notify the Attorney General if the breach involves more than 250 individuals or if the affected number of people is unknown. The law also expands the definition of personal information to include user names, or information necessary to authenticate a user, for the purpose of providing access to the consumer’s account.

Texas

HB 4390

Effective January 1, 2020, the amended data breach notification statute requires that notice of a breach be provided to all affected parties within sixty (60) days of determining when a breach has occurred. For incidents involving 250 Texas residents or more, notice must also be provided to the Texas Attorney General. Additionally, the bill establishes a new Texas Privacy Protection Advisory Council which will study data privacy laws in different jurisdictions.

MARCH

Washington

HB 1071

Beginning March 1, 2020, Washington’s definition of personal information is expanded, and the window of time within which a notification of a breach must be made is reduced from 45 days to 30 days.

New York

As of March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD”) data security requirements take effect. The Act requires specific protections of New York residents’ private information. Any person or business that owns or licenses this private information must implement a data security program which includes reasonable administrative, technical, and physical safeguards, and enumerates certain standards companies are required to implement. Previously the Act just applied to companies doing business in New York.

JULY

Maine

LD 946

Effective July 1, 2020, “An Act to Protect the Privacy of Online Customer Information” will become enforceable in Maine. This Act prohibits broadband internet access providers from using, disclosing, selling or permitting access to customers’ personal information unless the customer expressly consents. It also prohibits companies from charging customers more if they do not allow access to their personal information. Under the Act, the definition of personal information includes identifiers such as web browsing history and geolocation data.

The patchwork quilt of privacy laws can be difficult for businesses to navigate and maintain compliance in the various jurisdictions, especially as various jurisdictions adopt new or revised data privacy laws or promulgate regulations regarding the specific laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising

Written by:

Clark Hill PLC
Contact
more
less

Clark Hill PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.