Technology

States Step Up to Fill the Privacy Void

July 2018

The theme in cybersecurity for 2018 has clearly been personal privacy. Laws and regulations have been enacted to protect consumers, particularly in the financial services industry, including the New York Department of Financial Services’ (NYDFS) cybersecurity regulation, NYCRR 500, and the European Union General Data Protection Regulation (GDPR).

However, with frequent and significant data breaches continuing to occur, consumers’ frustration over the lack of control over their data and data collected about them has only grown. Recent incidents from companies such as Sun Trust Bank, Equifax, and Facebook were the catalyst for legislators in Arizona, Colorado and California to update and implement laws to fill the gaps in the patchwork of data privacy legislation. These new laws provide defined examples of what the states identify as personal identifiable information, consumer data, and the difference between a cybersecurity incident and a confirmed data breach. This legislation also establishes new expectations on how companies are expected to prevent incidents and react when a breach occurs, as well as details about the fines that organizations may face in the event of a data breach. Many of these also establish civil penalties for failure to act as required, avoiding the toothless consequences of previous “paper tiger” laws.

Arizona HB 2154

In 2018, Arizona expanded the coverage of their existing data breach notification law via House Bill 2154. This updated legislation expands the definition of personally identifiable information, consumer data, and differentiates between security incidents and data breaches. HB 2154 specifically defines a cybersecurity incident as any event that creates reasonable suspicion that a person’s information systems or computerized data may have been comprised and/or counter measures put in place to protect consumers’ information have failed. A breach is defined as an unauthorized acquisition of and/or unauthorized access of a consumer’s data that compromises the security or confidentiality of unencrypted and unredacted computerized information. This is important to remember, since like many other state data privacy laws, if the data was encrypted and confidentiality was not lost, civil penalties against your organization can be limited.

HB 2154 outlines consumer data as:

• Social Security or Tax Identification Number
• Driver’s License number
• Any private key that is unique to an individual that can be used to authenticate an electronic record; meaning any unique number that can tie the consumer back to other account details is in scope
• Financial payment details such as routing numbers, credit card numbers and debit card numbers
• Medical information
• Passport number
• Biometric data used for authentication

Companies with Arizona consumer data must take appropriate steps to protect the expanded data elements through the use of security controls, including strong encryption. However, in the event of a confirmed breach impacting 1,000 or more records, companies must notify the Arizona State Attorney General, all three credit reporting agencies and consumers within 45 days. Failure to do so opens the organization up to a $10,000 civil penalty with a maximum fine of up to $500,000.

Colorado House Bill 18-1128

Colorado has also passed expanded privacy and cybersecurity legislation requiring covered entities to deploy and maintain reasonable security controls around the personally indefinable information of Colorado residents. Colorado also requires defined controls that manage the data life cycle of consumer data from inception, during use, at rest and destruction at end of life. The new law, which goes into effect on September 1, 2018, requires firms to develop a formal cybersecurity program focused on protecting information appropriate to the nature of the personal information collected and the size of the business. Additionally, covered entities are required to cascade these controls to 3^rd party vendors, with which the firm shares data as part of normal business operations.

Colorado HB 18-1128 defines consumer data as first name and or last name, along with the following data elements:

• Social Security or Tax Identification Number
• Driver’s License number
• Any private key that is unique to an individual that can be used to authenticate an electronic record
• Financial payment details such as routing numbers, credit card numbers and debit card numbers
• Medical information
• Passport number
• Biometric data used for authentication
• Passwords and or passcodes

Companies collecting information on Colorado residents must take appropriate steps to protect the expanded data elements through the use of strong encryption and other technical controls, as well has have formal policies and procedures for destroying data and physical documents. These controls must be documented and an established audit trail should be maintained to demonstrate the use of the associated controls.

Additionally, in the event of a breach of 500 or more consumer data records, companies must notify the Colorado State Attorney General. If 1,000 or more residents are impacted, all three credit reporting agencies, along with the Federal Trade Commission (GLBA) and consumers must be notified within 30 days. It’s very important to remember that reporting requirements do not supersede any additional Federal requirements based on the type of data collected, meaning that some data may require even shorter reporting times.

Califonia Consumer Privacy Act; Assembly Bill 375

Assembly Bill 375 is new legislation that passed unanimously within the the California State Assembly. Often referred to as GDPR for Califonia, it provides California consumers specific inalienable rights associated with their data privacy. Going into effect January 1^st of 2020, companies hosting or storing consumer data of Califonia residents must take resonable precautions to protect the privacy of the data collected and stored as part of the course of business.

AB 375 takes a very broad defintion to consumer data, labeling any information that identifies, relates to, describes, is capable of being associated with, or could resonably be linked, directly or indirectly, with a specific consumer or household. The law does set a base size requirement for companies to be in scope for protecting consumer data: companies must take resonable precautions to protect consumer data if they have annual gross revenues in excees of $25,000,000, if they buy or share the data of 50,000 or more consumers or if they derive 50% or more of their annual revenues from selling consumers’ personal information.

The new law also establishes a formal privacy “bill of rights” to provide Californians the right to control their personal information by:

• Knowing what personal information is collected about them
• Knowing whether their personal information is sold or disclosed, and to whom
• The right to say NO to the sale of their personal information (opt out)
• The ability to access their personal information
• And the right to equal service and price if they decide to opt-out and exercise their privacy rights

Many organizations are looking at a “pay now or pay later” decision as it relates to cybersecurity and compliance. These new laws only make it much harder for organizations to continue to ignore the needs of establishing formal cybersecurity programs and spending money on the necessary resources.

The best starting point is to have a formal maturity assessment completed that identifies the current state of your cybersecurity program, followed by the development a functional roadmap to meet the demands of these and other legal requirements. Developing a holistic strategy not only helps control costs, but also limits risk exposure to cybersecurity incidents. However, as we continue to experience a significant industry shortage in cybersecurity talent, many mortgage and financial services companies may find it difficult to recruit and retain qualified internal security professionals to develop and execute these strategies.

JT Gaietto is Executive Director, Cybersecurity Services for Richey May. He focuses on providing clients with critical security and regulatory compliance support, including incident response, third-party risk management, business continuity and customer and government due diligence oversight. Learn more about our cybersecurity advisory and compliance services here or reach out to JT directly at jgaietto@richeymay.com.