Part III of our 2015 predictions series comes from Of Digital Interest editor and McDermott partner, Heather Sussman, who predicts that states will be active with privacy and data security legislation during 2015.
States Active with Privacy and Data Security Legislation
With comparatively little movement from the federal government in 2014, state legislatures around the country have been working to take an active role in addressing the ever-increasing public concern over the collection, use, disclosure and disposal of personal information. Of the 23 states that introduced or considered security breach notification legislation in 2014, at least 11 enacted their bills into law. Several bills that may amend or otherwise affect the breach notification landscape remain pending in 2015 in state legislatures across the United States.
For 2015, we predict action in the following states:
- Both Massachusetts and New Jersey have pending bills that aim to further protect financial information, focusing on the breach of “access devices” associated with electronic transactions. Massachusetts SB 132 and New Jersey AB 1239 propose to add restrictions on data retention of certain financial information collected from access devices, as well as dictate how financial institutions will recover costs after a breach.
- In Pennsylvania, the legislature is considering three bills: AB1329, which increases penalties for failure to report a breach to $5,000 for a first offense, $10,000 for a second offense, and $15,000 for a third or subsequent offense; AB2480, which requires certain notifications and free credit reports for six months following a breach; and AB3146/SB2188, which requires notification of a breach of online account credentials.
- Two Rhode Island bills impact existing breach laws: HB 5769, which enumerates additional patients’ rights, including the right to be notified in the event of a breach of confidential health care information, and HB 7519, which mandates specific content in breach notifications to consumers. Under HB 7519, notifications must include contact information for consumer reporting agencies and the Federal Trade Commission (FTC), a statement that an individual can obtain information regarding fraud alerts and security freezes, and a statement that warns against possible imposters who attempt to fraudulently notify individuals of security breaches. This latter bill would also require providing one year of credit monitoring at no cost to individuals whose data are impacted in the breach.
- Delaware also has two bills pending: SB101, which would clarify that a person who is a victim of a “Digital Data Breach” shall have seven years from the date the personal information is posted in which to bring a civil action for damages, and SB102, which would add name, birth date and address to the definition of personal information. The latter bill also provides breach victims with whichever of the following measures of damages is greater: consequential damages, profits derived from the unauthorized use, or both; or $1,000 per breach per person if no actual damages can be proven. Punitive damages may be awarded against a person found to have willfully violated this Chapter.