In Connecticut and Virginia, new consumer privacy laws that fully embrace the principles of fair information practices, including data security, have nonetheless left large swaths of data exempt from cybersecurity requirements. States using the same consumer privacy model as Connecticut and Virginia should consider very carefully the wording of their exceptions lest, while advancing consumer rights, they fall behind other states in cybersecurity.
Section 6(3) of the Connecticut law signed on May 10, 2022, states that a data controller must “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.” Virginia adopted almost exactly the same language in its Consumer Data Protection Act of 2021. While only five states have comprehensive consumer privacy laws, at least 21 states, including the District of Columbia, in addition to Connecticut and Virginia, have similar provisions on the books requiring “reasonable” cybersecurity measures for personal information.
Until the recent wave of comprehensive state privacy laws, most states enacting provisions requiring reasonable data security did so either as stand-alone laws or as part of their breach notification laws. Their scope was broad and their exceptions limited.
The Connecticut and Virginia laws, however, provide very broad exemptions. Some make sense. For example, using nearly identical wording, they exempt financial institutions or data subject to the federal Gramm-Leach-Bliley Act (GLBA), which contains a security requirement, and entities covered by the federal Health Insurance Portability and Accountability Act (HIPAA), which also requires data security.
But the Connecticut and Virginia laws also exempt state and local government agencies, nonprofits, and institutions of higher education. Most higher education institutions may be subject to cybersecurity requirements through their financial aid contracts with the federal government, but it does not appear that government agencies or nonprofits are under any legal obligation in Connecticut or Virginia to protect the large amounts of personal data they collect. By contrast, the reasonable security provision in Alabama's breach notification act covers any “person, sole proprietorship, partnership, government entity, corporation, nonprofit organization, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.” The coverage of Kansas's stand-alone reasonable measures law is similar. Maryland's reasonable security measures law covers any business, defined as “a sole proprietorship, partnership, corporation, association or other business entity, whether or not organized to operate at a profit.” By my count, of the other 21 reasonable safeguards laws, 13 apply to government entities, 20 apply to nonprofits, and 20 apply to institutions of higher education, leaving Connecticut and Virginia as outliers.
Another huge exception in the Connecticut and Virginia laws is for employee and job applicant data, an exemption not found in any other state data security law. There are good reasons to exempt applicant and employee data from consumer privacy law, but there is no reason to exempt it from data security obligations, especially since employment records are likely to include financial and health data.
And the Connecticut and Virginia laws go on with other exceptions. In very similar language, they exempt a wide range of health data outside the HIPAA bubble (which may be the majority of health-related data), most of which is not subject to any data security requirement. For example, the Connecticut and Virginia laws exempt personally identifiable information collected for purposes of the federal policy for the protection of human subjects under 45 CFR Part 46, the so-called Common Rule. But that rule focuses on informed consent and says nothing about data security. (Nor does it address many other privacy issues: access, the right of correction, data minimization, or the right of deletion.) The same exemption extends to other data governed by a federal law that has no security component, and to personal data collected, processed, sold, or disclosed pursuant to the U.S. Driver's Privacy Protection Act, a 1994 law that also contains no data security requirement.
Like the exemptions for governments, nonprofits, and higher education, these broad exemptions leave Connecticut and Virginia out of step with the other 21 states that have passed general cybersecurity laws. Those stand-alone cybersecurity laws have much narrower exceptions. The New Mexico statute exempts only entities subject to GLBA or HIPAA. Arkansas's cybersecurity law has a more generalized exclusion, but it turns on the key question of whether there is, in fact, a federal security rule in place, exempting only entities regulated by a law that provides protection to personal “… information and at least as thorough disclosure requirements for security breaches of personal information as provided by this chapter.” The wording of the Nebraska exception is even better. It states that an individual or business entity complies with the reasonable security requirement of Nebraska law if it complies with a state or federal law that provides greater protection for personal information than Nebraska law, or if it complies with regulations promulgated under GLBA or HIPAA. This means that the entity must actually comply with the federal rule, not simply be covered by it. Massachusetts law arrives at the same point by stating that any person or agency that fails to comply with applicable federal laws or guidelines will be subject to Massachusetts law. Other state laws are equally careful in wording their exemptions.
Given that states adopting the current wave of consumer privacy laws appear to be working from a similar model, it would be unfortunate if the exceptions in the Connecticut and Virginia laws were adopted more widely. (Utah's new consumer privacy law has equally broad exemptions, but Utah has a separate stand-alone data security requirement, which remains intact.)
Security was an element of the fair information practices from their earliest formulations, so it makes sense that the security principle should be enshrined in comprehensive privacy laws. But lobbying around exemptions to comprehensive privacy laws produces exemptions for data or entities that are not subject to any other cybersecurity obligation. As more states pass comprehensive consumer privacy laws, it would be far better to put the reasonable safeguards language in a stand-alone section not subject to the broad exemptions, or in the breach notification statute that each state already has. (Beware, though: the definitions of personal information or sensitive information in many breach notification and reasonable security laws are outdated in their narrowness.) In any case, states should be much more careful to ensure that the exemptions to their privacy rules do not create data sets or classes of data controllers that are not subject to any security obligation at all.