On March 6, 2024, New Hampshire’s Governor signed Senate Bill 255, which establishes a consumer data privacy law for the state. The Granite State joins the myriad of state consumer data privacy laws. It is the second state in 2024 to pass a privacy law, following New Jersey. The law shall take effect January 1, 2025.

To whom does the law apply?

The law applies to persons who conduct business in the state, or who produce products or services targeted to residents of the state, and that during a one-year period:

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or,
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

The law excludes certain entities such as non-profit organizations, entities subject to the Gramm-Leach-Bliley Act, and covered entities and business associates under HIPAA.

Who is protected by the law?

The law protects consumers, defined as residents of New Hampshire. However, the definition does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data defined as any information linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information. Other exempt categories of data include without limitation personal data collected under the Family Educational Rights and Privacy Act (FERPA), protected health information under HIPAA, and several other categories of health information.

What are the rights of consumers?

Consumers have the right under the law to:

  • Confirm whether or not a controller is processing the consumer’s personal data and access such personal data
  • Correct inaccuracies in the consumer’s personal data
  • Delete personal data provided by, or obtained about, the consumer
  • Obtain a copy of the consumer’s personal data processed by the controller
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. Although subject to some exceptions, a “sale” of personal data under the New Hampshire law includes the exchange of personal data for monetary or other valuable consideration by the controller to a third party, language similar to the California Consumer Privacy Act (CCPA).

When consumers seek to exercise these rights, controllers shall respond without undue delay, but no later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary. A controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of the decision. As with the CCPA, controllers generally may authenticate a request to exercise these rights and are not required to comply with the request if they cannot authenticate, provided they notify the requesting party.

What obligations do controllers have?

Controllers have several obligations under the New Hampshire law. A significant obligation is the requirement to provide a “reasonably accessible, clear and meaningful privacy notice” that meets standards established by the secretary of state and that includes the following content:

  • The categories of personal data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with which the controller shares personal data; and
  • An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

This means that the controller needs to do some due diligence in advance of preparing the notice to understand the nature of the personal information it collects, processes, and maintains.

Controllers also must:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. As with other state data privacy laws, this means that controllers must give some thought to what they are collecting and whether they need to collect it;
  • Not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue. What is interesting about this requirement, which exists in several other privacy laws, is that this security requirement applies beyond more sensitive personal information, such as social security numbers, financial account numbers, health information, etc.;
  • Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA. Sensitive data means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data;
  • Not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;
  • Provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request;
  • Not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age; and
  • Not discriminate against a consumer for exercising any of the consumer rights contained in the New Hampshire law, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

In some cases, such as when a controller processes sensitive personal information as discussed above or for purposes of profiling, it must conduct and document a data protection assessment for those activities. Such assessments are required for the processing of data that presents a heightened risk of harm to a consumer.

Are controllers required to have agreements with processors?

As with the CCPA and other comprehensive data privacy laws, the law appears to require that a contract between a controller and a processor govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.

Among other things, the contract must require that the processor:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter;
  • After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  • Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under the law, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

Other provisions might be appropriate in an agreement between a controller and a processor, such as terms addressing responsibility in the event of a data breach and specific record retention obligations.

How is the law enforced?

The attorney general shall have sole and exclusive authority to enforce a violation of the statute.

If you have questions about New Hampshire’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On February 28, 2024, President Biden issued an Executive Order (EO) seeking to protect the sensitive personal data of Americans from potential exploitation by particular countries. The EO acknowledges that access to Americans’ “bulk sensitive personal data” and United States Government-related data by countries of concern can, among other things:

…fuel the creation and refinement of AI and other advanced technologies, thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats.  In addition, access to some categories of sensitive personal data linked to populations and locations associated with the Federal Government — including the military — regardless of volume, can be used to reveal insights about those populations and locations that threaten national security.  The growing exploitation of Americans’ sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights.

The EO also acknowledges that, due to advances in technology combined with access by countries of concern to large data sets, data that is anonymized, pseudonymized, or de-identified is increasingly able to be re-identified or de-anonymized. This prospect is particularly concerning for health information, warranting additional steps to protect health data and human genomic data from threats.

The EO does not specifically define “bulk sensitive personal data” or “countries of concern”; it leaves those definitions to the Attorney General and implementing regulations. However, under the EO, “sensitive personal data” generally refers to elements of data such as covered personal identifiers, geolocation and related sensor data, biometric identifiers, personal health data, personal financial data, or any combination thereof.

Significantly, the EO does not broadly prohibit:

United States persons from conducting commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services, with entities and individuals located in or subject to the control, direction, or jurisdiction of countries of concern, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.

Instead, building on previous executive actions, such as Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), the EO intends to establish “specific, carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Government-related data by countries of concern while minimizing disruption to commercial activity.”

In short, some of what the EO does includes the following:

  • Directs the Attorney General, in coordination with the Department of Homeland Security (DHS), to issue regulations that prohibit or otherwise restrict United States persons from engaging in certain transactions involving bulk sensitive personal data or United States Government-related data, including transactions that pose an unacceptable risk to the national security. Such proposed regulations, to be issued within 180 days of the EO, would identify the prohibited transactions, countries of concern, and covered persons.
  • Directs the Secretary of Defense, the Secretary of Health and Human Services, the Secretary of Veterans Affairs, and the Director of the National Science Foundation to consider steps, including issuing regulations, guidance, etc., to prohibit the provision of assistance that enables access by countries of concern or covered persons to United States persons’ bulk sensitive personal data, including personal health data and human genomic data.

At this point, it remains to be seen how this EO might impact certain sensitive personal information or transactions involving the same.

Jackson Lewis will continue to track developments regarding the EO and related issues in data privacy. If you have questions about the Executive Order or related issues contact a Jackson Lewis attorney to discuss.

On February 13, 2024, Nebraska’s Governor signed Legislative Bill 308, which enacts additional protections for consumers in the state. It is similar to the genetic information law passed by Montana last year.

The law takes effect July 17, 2024 (90 days after the legislature adjourns on April 18, 2024).

Covered Businesses

The law applies to direct-to-consumer genetic testing companies which are defined as an entity that:

  • Offers consumer genetic testing products or services directly to a consumer; or,
  • Collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by the consumer.

The law does not cover entities that are solely engaged in collecting, using, or analyzing genetic data or biological samples in the context of research under federal law.

Covered Consumers

The law applies to an individual who is a resident of the State of Nebraska.

Obligations Under the Law

Under the new law, covered businesses are required to:

  • Provide clear and complete information regarding the company policies and procedures for the collection, use, or disclosure of genetic data
  • Obtain a consumer’s consent for the collection, use, or disclosure of the consumer’s genetic data
  • Require a valid legal process before disclosing genetic data to any government agency, including law enforcement, without the consumer’s express written consent
  • Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data from unauthorized access, use, or disclosure

Similar to several comprehensive consumer privacy laws, the company must provide a consumer with:

  • Access to their genetic data
  • A process to delete an account and genetic data
  • A process to request and obtain written documentation verifying the destruction of the consumer’s biological sample

Enforcement

Under the new law, the Nebraska Attorney General may bring an action on behalf of a consumer to enforce rights under the law. There is no private right of action specified within the statute.

A violation of the act is subject to a civil penalty of $2,500 per violation, in addition to actual damages, costs, and reasonable attorney’s fees.

If you have questions about Nebraska’s genetic privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

For healthcare providers and health systems covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), a breach of unsecured protected health information (PHI) likely triggers obligations to notify affected individuals, the federal Office for Civil Rights (OCR), and potentially the media and other entities. The breach also may require notification to one or more state Attorneys General, an obligation that depends on state law. Currently, the state data breach notification law in Michigan does not provide for Attorney General notification, something Michigan Attorney General Dana Nessel wants to change, according to reporting earlier this month from the HIPAA Journal.

What is spurring the Michigan AG are concerns about the timing of notification to patients about recent breaches involving health systems, where the breaches were actually experienced by downstream vendors. These are important concerns considering the increasing identity crimes and overall data risk individuals face, which can be mitigated to some degree with timely notification. However, health systems and entities in other industries can find themselves caught in a tough spot from a notification perspective when dealing with a breach experienced by a vendor.

On the one hand, quickly putting notification in the hands of individuals about a compromise of their personal data is critical to helping those individuals take measures to protect themselves from ID theft and other harms. Notification may prompt individuals to be more vigilant about their personal information, review credit reports, set up a fraud alert, check their bank statements, and take other measures to protect themselves from cyber criminals. On the other hand, as a practical matter, the time between the date the breach occurred (as experienced by a downstream vendor) and the date of notification to patients can be affected by many factors, several of which may be outside the control, and sometimes the knowledge, of the covered entity. Looking solely to that metric in some cases may not be the most appropriate measure of timeliness to assess a covered entity’s performance and compliance when responding to a breach. If it is a metric upon which enforcement can be based, covered entities may need to revisit their incident response plans and vendor relationships to shorten that timeframe as much as possible.

Let’s unpack this a little.

  • Recall that under HIPAA, a breach must be reported “without unreasonable delay and in no case later than 60 calendar days after discovery.” 45 CFR 164.404(b) (emphasis added).
  • A downstream vendor experiencing a breach of PHI likely is (but not always) a business associate of the covered healthcare provider. Of course, the relationship may not be that close. The vendor may be the subcontractor of the subcontractor of the business associate of the covered entity.
  • The general rule under the HIPAA Breach Notification rule is that business associates are obligated to notify the covered entity of a breach, not the affected individuals. See 45 CFR 164.410(a)(1). When there are multiple layers of business associates, a chain of notification commences where one business associate notifies the next business associate upstream and so on until getting to the covered entity. In many cases, the business associate experiencing a breach may not know what entity or entities are the ultimate covered entity(ies). See more on that below.
  • Under the HIPAA Breach Notification rule, business associates are not obligated to notify affected individuals. That obligation, unless delegated, remains with the covered entity. 45 CFR 164.404(a)(1).
  • The HIPAA Breach Notification rule also provides that when a business associate has a breach it must report “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.” 45 CFR 164.410(c)(1).
  • In some cases, vendors effectively have no access to the PHI that they maintain or store for the ultimate covered entities, but still may be considered business associates. Other similar vendors may fall under a “conduit exception” and not be considered business associates under HIPAA. In either case, they may nonetheless have obligations other than HIPAA (statutory or contractual) to notify their customers of a breach. In these cases, however, the vendors simply may not be in a position to provide critical information upstream, such as identity of the affected individuals.
  • As the reporting of the data breach travels upstream, the covered entity may be completely unaware of the breach. It could be weeks or even months after the breach actually occurred before news of the breach reaches the covered entity. Consider that the vendor that experienced the breach may not have discovered it for some time after the attack happened, further expanding the time between the breach occurring and ultimate notification to patients.
  • Upon discovery of a security incident from a business associate, which already could be long after the breach actually occurred and several layers downstream, the covered entity must initiate its incident response plan. One of the first tasks will be to understand what happened and what data was affected. This news often does not come with a spreadsheet from which the affected individuals could easily be identified. It may instead arrive in the form of a long list of files and folders that contain thousands and thousands of documents, images, records, etc. Many of these items may have no PHI whatsoever. The challenge is to find those documents, images, records, etc. that do, and to pull from those items the individuals affected and the kind of information involved. This process, sometimes referred to as data mining and document review, often is complex, time-consuming, and costly.
  • On completion of the data mining and document review process, the covered entity will begin to have a better sense of the individuals affected, the type of information compromised, the state(s) in which those individuals reside, etc. At this point, covered entities will work quickly to arrange for notification to individuals, the OCR, and, if applicable, the media, state agencies, and others.

There is no doubt that breach notification laws serve an important purpose, namely, to alert affected individuals about a compromise to their sensitive data so that they can take steps to protect against ID theft and other risks. However, the promptness of notice can be, and often is, hampered by factors outside of the covered entity’s control, particularly if the measure of promptness is the time between the date the breach occurred (regardless of what entity experienced the breach) and the date of notification to individuals.

All that being said, there may be some ways that covered entities might tighten up this process. One consideration, of course, is to adopt, regularly assess, and practice an incident response plan. Another is to have a more granular understanding of the data certain vendors are handling for the covered entity. Still another consideration is to revisit the entity’s vendor management program. Looking more closely at downstream service providers beyond direct business associates might be helpful in assessing the notification process and timing should a breach take place downstream. Having more information about downstream vendors, their roles, and the data they process may serve to shorten the notification timeline. Ultimately, even if there is a delay downstream before the covered entity discovered the breach, a well-executed incident response plan, one that results in a shortened timeframe between discovery and notification, could help to improve the covered entity’s defensible position whether facing litigation or a government agency enforcement action.

On January 16, 2024, New Jersey’s Governor signed Senate Bill (SB) 332, which establishes a consumer data privacy law for the state. New Jersey becomes the 13th state to pass a comprehensive consumer data privacy law. The law takes effect one year after its enactment, on January 15, 2025.

To whom does the law apply?

The law applies to controllers, defined as an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data, that do business in New Jersey or produce products or services targeted at New Jersey residents and that, during a calendar year, either:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

Who is protected by the law?

Under the law, a covered consumer is defined as a person who is a resident of New Jersey acting only in an individual or household context. As in several other states, excluding California, a consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The law will protect data that qualifies as “personal data” which is information that is linked or reasonably linkable to an identified or identifiable person. It does not include de-identified data or publicly available information.

What are the rights of consumers?

Under the law, a consumer has the following rights:

  • To confirm whether a controller processes the consumer’s personal data and access such personal data.
  • To correct inaccuracies in the consumer’s personal data.
  • To delete personal data concerning the consumer.
  • To obtain a copy of the consumer’s data.
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

What obligations do businesses have?

A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that shall include but may not be limited to:

  • The categories of the personal data that the controller processes.
  • The purpose of processing personal data.
  • The categories of all third parties to which the controller may disclose a consumer’s personal data.
  • The categories of personal data that the controller shares with third parties, if any.
  • How consumers may exercise their consumer rights.
  • The process by which the controller notifies consumers of material changes to the notification.
  • An active e-mail address or other online mechanism that consumers may use to contact the controller.

If the controller sells personal data to third parties or processes personal data for purposes of targeted advertising, the sale of personal data, or profiling on a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may opt out of the sale or processing.

A controller must respond to a verified consumer rights request from a consumer within 45 days of the controller’s receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary considering the complexity and number of the consumer’s requests.

How is the law enforced?

The attorney general shall have sole and exclusive authority to enforce a violation of the statute.

If you have questions about New Jersey’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023.

  1. States Passing Comprehensive Privacy Laws

There was a landslide of comprehensive state privacy laws passed in 2023, from coast to coast. The laws are similar in mandating requirements for businesses to allow consumers to access, correct, delete, and opt out of the collection of, their personal data.

  • Delaware – Effective January 1, 2025
  • Indiana – Effective January 1, 2026
  • Iowa – Effective January 1, 2025
  • Montana – Effective October 1, 2024
  • Oregon – Effective July 1, 2024
  • Tennessee – Effective July 1, 2025
  • Texas – Effective July 1, 2024

  2. California Superior Court Put the Brakes on Enforcement of California Privacy Rights Act

In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementation and enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA).

The writ sought to compel the CPPA to promptly adopt final regulations and seek to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.

The hearing on the petition for Writ of Mandate was on June 30, 2023, the last day before enforcement was set to commence for the CPRA. Specifically, the superior court’s opinion discusses that the CPPA adopted the first set of regulations in 12 of the 15 areas needed on March 29, 2023.

  3. New York AG Releases Guide for Businesses on Effective Data Security

New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide.

  4. Data Protection Update: Q4 Noteworthy Dates

From UK Data Transfers to the NIST draft documents regarding cybersecurity, the fourth quarter wrap-up covered wide-ranging developments in data protection.

  5. Getting Healthcare in 2023 and Beyond…Virtually…and Securely

For many reasons, using digital information and communication technologies to deliver healthcare services can provide enormous benefits to the overall healthcare system. Indeed, predictions from many leaders in healthcare see expanded use of remote patient care and monitoring, along with other technologies such as artificial intelligence, robotics, and wearables.

  6. Immigration and Citizenship Status Add to Definition of Sensitive Information under California’s Consumer Privacy Act

California’s Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill will revise the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

  7. HHS and FTC Send Joint Letter to 130 Hospital Systems, Telehealth Providers Re: Tracking Technologies

The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.

  1. Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers

Virginia’s governor approved Senate Bill 1040, which prohibits an employer from using an employee’s social security number or any derivative as an employee’s identification number. The bill also prohibits including an employee’s social security number or any number derived from the social security number on any identification card or badge.

  1. SEC Cyber Enforcement and SEC New Cybersecurity Disclosure Requirements

The SEC has had a particular interest in cybersecurity in 2023, driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches.

  1. President Biden Issues Executive Order Regarding the Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO comes as states, like Connecticut, are also looking to address AI.

Jackson Lewis will continue to track important developments in privacy, data management, and cybersecurity in the new year. If you have questions about these or other related issues contact a Jackson Lewis attorney to discuss.

Cross Border Transfers of Data.

UK Data Transfers. The UK government has published a U.S. “adequacy decision” which permits U.S. organizations that have certified to the EU-US Data Privacy Framework (DPF) and UK Extension to receive personal data transferred from the UK to the U.S. after October 12, 2023.

China Data Transfers. November 30, 2023 ends the grace period for coming into compliance with China’s final Measures for the Standard Contract for Cross-Border Transfer of Personal Information (“SCCs Measures”) under China’s Personal Information Protection Law (PIPL). The PIPL SCCs facilitate the transfer of personal data to a third country where the transfer is not subject to a security assessment requirement. In September, the Cyberspace Administration of China (CAC) published draft Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. Of note for employers, the draft exempts from the SCCs requirement any transfers of employee personal information necessary for certain human resources management activities. The public comment period ended on October 15, 2023, and the final Provisions may be published prior to November 30th.       

State Consumer Data Protection Laws.

Utah. The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Utah joins California, Connecticut, Colorado, and Virginia in enacting comprehensive consumer data protection laws that include notice obligations and consumer rights. Unlike the California Consumer Privacy Act, the UCPA does not apply to personal data collected in the employment or commercial context.   

California. Effective January 1, 2024, an amendment to the CCPA expands the definition of Sensitive Personal Information to include personal information that reveals a California resident’s citizenship or immigration status. Organizations that collect or process these data elements should review their data mapping and update Privacy Policies and Notices at Collection to include this information, as needed.

Genetic Information.

Montana. Effective October 1, 2023, Montana’s state privacy law is amended to address the collection, use, and disclosure of genetic information and includes notice and consent requirements. This amendment applies to businesses that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data.

Cybersecurity.

Securities and Exchange Commission (SEC). The SEC has adopted rules to enhance and standardize disclosures by public companies related to cybersecurity practices including risk management and security incidents. The new rules, which took effect September 5, 2023, require incident disclosures after December 18, 2023 (smaller companies will have additional time). Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

FTC Safeguards Rule. The Federal Trade Commission announced on October 27, 2023 that it approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible but no later than 30 days after discovering a security incident impacting 500 or more consumers. The FTC’s Safeguards Rule applies to non-banking financial institutions (e.g., mortgage brokers, motor vehicle dealers, and payday lenders) and requires these institutions to develop, implement, and maintain a comprehensive security program to safeguard customer information. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Maryland. Effective October 1, 2023, HB622 establishes the Industry 4.0 Technology Grant Program in the Department of Commerce to provide grants of at least $25,000 to qualifying small and medium-sized manufacturing enterprises to assist with implementing new Industry 4.0 technology or related infrastructure for certain purposes.

Threat Actor Alert. On October 11, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory advising organizations to take precautions to mitigate cyber threats from AvosLocker ransomware. Recommended actions include:

  1. Securing remote access tools
  2. Restricting RDP and other remote desktop services
  3. Securing PowerShell and/or restricting its usage
  4. Updating software to the latest version and applying patches regularly
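The advisory's RDP and PowerShell recommendations are concrete enough to show as host configuration. The script below is an added example written for this page; it is not taken from the CISA/FBI advisory or from the original post. It assumes a Windows host managed from a single jump-host subnet (the `10.10.0.0/24` range and the `C:\PSTranscripts` directory are placeholders, not values from the advisory) and must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: applies the "restrict RDP" and
# "secure PowerShell" recommendations on one Windows host.

$ManagementSubnet = '10.10.0.0/24'   # ASSUMPTION: the only range allowed to reach RDP
$TranscriptDir    = 'C:\PSTranscripts'  # ASSUMPTION: local transcript path

# --- 1. Restrict RDP ---------------------------------------------------------
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Weak state the advisory warns about (shown for contrast, not executed):
#   Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 0  # NLA off
#   Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True             # open to any source

# Require Network Level Authentication so unauthenticated clients never reach
# the logon screen (removes the pre-auth attack surface of the RDP stack).
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# Replace the built-in "allow from anywhere" rules with one rule scoped to the
# management subnet; everything else hits the default inbound block.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain,Private | Out-Null

# Hosts that should not serve RDP at all: disable the listener entirely.
#   Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1

# --- 2. Secure / restrict PowerShell -----------------------------------------
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
foreach ($k in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
    New-Item -Path "$psPol\$k" -Force | Out-Null
}

# Script block logging records de-obfuscated code as Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log, which is what a SOC hunts in.
Set-ItemProperty -Path "$psPol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

# Module logging (Event ID 4103) captures pipeline activity for every module.
Set-ItemProperty -Path "$psPol\ModuleLogging" -Name EnableModuleLogging -Value 1
New-ItemProperty -Path "$psPol\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
    -PropertyType String -Force | Out-Null

# Transcription keeps a full text record of each interactive session.
New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
Set-ItemProperty -Path "$psPol\Transcription" -Name EnableTranscripting -Value 1
Set-ItemProperty -Path "$psPol\Transcription" -Name OutputDirectory -Value $TranscriptDir

# Remove the PowerShell 2.0 engine: it has none of the logging above and is
# the classic downgrade target ("powershell.exe -Version 2").
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# --- 3. Verify the resulting state -------------------------------------------
Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication
Get-NetFirewallRule -DisplayName 'RDP from management subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-ItemProperty -Path "$psPol\ScriptBlockLogging" -Name EnableScriptBlockLogging
```

Two caveats a practitioner should keep in mind. First, the firewall scoping only protects the host if the management subnet is itself reachable only through MFA-protected access; a scoped rule does nothing against an attacker who already has a foothold in that range. Second, logging is detection, not prevention: to actually restrict what PowerShell can do for non-administrators (Constrained Language Mode), enforce it with an AppLocker or Windows Defender Application Control policy rather than relying on the logging settings above.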

NIST. NIST has released draft documents for public comment.

ICYMI

Canada. On September 23, 2023, the second set of amendments to Quebec’s Privacy Act went into effect. These amendments impose new compliance obligations, including placing a strong emphasis on the requirement to obtain consent prior to the collection, use, and disclosure of personal information. Other obligations imposed by these amendments include, but are not limited to, the following: (1) development of internal governance policies covering personal information; (2) limitations regarding transfers of personal information outside of Quebec; (3) limitations regarding the use of personal information for marketing purposes; (4) implementation of cookie consent tools when personal information is collected using technology; and (5) disclosure of use of automated processing of personal information when used to make decisions that impact an individual.

Texas. The amended Texas Data Breach Notification law went into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires businesses to submit the notification via an electronic form accessible on the Attorney General’s website. For more information, see our post Texas Tightens State’s Data Breach Notification Law.

Looking Ahead to Q1 2024

Washington My Health, My Data Act.  Regulated entities that are not small businesses must fully comply with the Act by March 31, 2024 (e.g., maintain a consumer health data privacy policy, obtain consumer consent to collect health data, recognize certain consumer rights, implement safeguards, and obtain consumer consent to sell health data). A regulated entity is a legal entity that (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. For more information see our recent blog.

Nevada Health Data Privacy Act.  Nevada’s Health Data Privacy Act becomes operative on March 31, 2024. The law applies to any person who conducts business in Nevada or produces or provides products or services targeted at consumers in Nevada and, alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. Similar to the Washington law, the Data Privacy Act requires notice, gives consumers rights regarding their health data, and obligates covered businesses to safeguard collected consumer data.  For more information see our recent blog.

On September 11, 2023, Delaware’s Governor signed House Bill 154 which enacts the state’s comprehensive consumer data privacy statute. Delaware joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia in enacting a comprehensive consumer privacy law.

The law will take effect on January 1, 2025.

To whom does the law apply?

The statute applies to persons who conduct business in the state or persons who produce products or services that are targeted to residents of the state and who during the prior calendar year did any of the following:

  • Controlled or processed the personal data of 35,000 consumers or more, excluding personal data controlled or processed for the purpose of completing a payment transaction.
  • Controlled or processed personal data of 10,000 consumers or more and derived more than 20 percent of their gross revenue from the sale of personal data.

Hereafter, covered businesses are referred to as controllers.

However, the statute does not apply to the following entities:

  • Any regulatory, administrative, advisory, executive, legislative, or similar body of Delaware.
  • Any financial institution subject to Title V of the Gramm-Leach-Bliley Act.
  • Any non-profit organization dedicated exclusively to preventing and addressing insurance crime.

Who is protected by the law?

The law protects consumers, defined under the law as individuals who are residents of Delaware. The definition does not include an individual acting in a commercial or employment context, or as an employee, owner, director, officer, or contractor whose communications or transactions with the controller occur solely within the context of the individual’s role with the entity.

What data is protected by the law?

The law protects personal data which means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

The statute does not apply to certain health data including protected health information under the Health Insurance Portability and Accountability Act (HIPAA).

What are the rights of consumers?

Under the statute, consumers have the following rights:

  • To confirm whether a controller is processing the consumer’s personal data.
  • To access personal data processed by a controller.
  • To correct inaccuracies in the consumer’s personal data.
  • To delete personal data provided by or obtained about the consumer.
  • To obtain a copy of the consumer’s personal data processed by the controller.
  • To obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
  • To opt out of the processing of the personal data for purposes of targeted advertising and profiling.

What obligations do businesses have?

Generally, a covered controller shall respond to a consumer exercising their rights under the statute without undue delay but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary based upon the complexity and number of requests and other factors.

Information provided to a consumer in response to a request shall be provided free of charge, once per consumer during any 12-month period.

If the controller declines to take action in response to a consumer request they must inform the consumer without undue delay, but not later than 45 days after receipt of the request.

Moreover, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed.

Controllers must also establish and maintain reasonable administrative, technical, and physical data security practices to protect personal data.

Further, controllers must provide reasonably accessible, clear, and meaningful privacy notices that include the following:

  • The categories of personal data processed by the controller.
  • The purposes for processing the personal data.
  • How consumers may exercise their rights under the statute.
  • The categories of third parties, if any, with which the controller shares personal data.
  • An active electronic mail address or the online mechanism that the consumer may use to contact the controller.

Processors of data also have enumerated obligations under the statute.

How is the law enforced?

Delaware’s Department of Justice has enforcement authority over the statute and may investigate and prosecute violations.

There is no private right of action under the statute.

If you have questions about Delaware’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On October 8, 2023, Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill will revise the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

Under the CCPA, consumers have certain rights with regard to their personal information, including enhanced notice, access, and disclosure; the right to deletion; the right to restrict the sale of information; and protection against discrimination for exercising these rights. The CCPA was amended by the California Privacy Rights Act (CPRA) which created a new category of “sensitive personal information” and provides rights with regard to this information including restricting businesses’ use of sensitive information.

Companies covered by the CCPA/CPRA should review privacy policies and procedures to ensure that immigration and citizenship are covered as sensitive information.

If you have questions about AB 947 or related issues, reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

This year, Indiana joined several other states in passing a comprehensive consumer privacy law, which becomes operative on January 1, 2026. Like other consumer privacy laws, Indiana’s law requires businesses to establish reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, which implicates cybersecurity concerns. However, the privacy law is not the only data protection/cybersecurity law in Indiana.

Data Breach Notification for All Businesses

Indiana passed a security breach notification statute in 2006, which provides Indiana residents with the right to know about a security breach that has resulted in the exposure of their personal information.

Under the law, personal information includes social security number or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

In the event of a breach the business must notify affected consumers, consumer reporting agencies (if more than one thousand consumers are impacted) and the Attorney General’s office.

In 2022, the state modified the statute to require notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.

Reasonable Procedures to Secure

Under the state’s data breach notification requirements, database owners are required to maintain their own data security procedures in compliance with federal statutes. Moreover, they must implement and maintain reasonable procedures, including taking appropriate corrective action, to protect and safeguard any personal information from unlawful use or disclosure.

Cyber Incident Reporting for Public Entities

In 2021, Indiana adopted a Cyber Incident Reporting Law, to empower the Indiana Office of Technology to coordinate warning and preparation efforts to avoid and combat cybersecurity threats.

Under the law, public sector entities must report incidents such as ransomware, software vulnerability exploitations, denial of service attacks, and more within 48 hours of discovery to the Office of Technology. This law covers counties, municipalities, townships, school corporations, library districts, local housing authorities, fire protection districts, public transportation corporations, local building authorities, local hospital authorities or corporations, local airport authorities, special service districts, special taxing districts, or other separate local governmental entities.

Data Destruction

Indiana also has specific requirements for the protection of data when disposing of it. Under the statute, a person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. Class C infractions carry a fine of up to $500. However, the offense is a Class A infraction if:

(1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or

(2) the person has a prior unrelated judgment for a violation of this section.

A Class A infraction can carry up to a $10,000 fine.

Further State Resources

The State of Indiana has also established a Cybersecurity Hub with resources for public and private entities, that includes practical guidance.

If you have questions about cybersecurity or related issues contact a member of our Privacy, Data, and Cybersecurity practice group.