Changes in Data Breach and Privacy Laws – Sticks Vs. Carrots
An article by Ironshore (a Liberty Mutual insurance company) officials David Standish and Vivian Beqaj Freedman, originally published in the Professional Liability Underwriting Society PLUS Journal surveys changing data breach and privacy laws and their implications. The complete article can be found at www.ironshore.com/blog/the-changing-face-of-data-breach-and-privacy-laws.
Standish and Freedman see a number of factors motivating state law changes:
- Current laws are primarily focused on post-breach notifications when damage has already been done.
- The European Union General Data Protection Regulation (GDPR) with strict privacy regulation enforced through heavy fines is an example for states.
- Biometric data compromise is increasingly recognized as a privacy threat. Because biometric identifiers cannot be changed or reissued once exposed, protection has to prevent the breach rather than remedy it afterwards.
States have taken two approaches to deal with these concerns. Most use the “stick” approach, strict regulation similar to the GDPR. The alternative is the “carrot” of encouraging businesses to adopt high security standards.
Examples of new and proposed state laws:
- California: The California Consumer Privacy Act scheduled to go into effect 1/1/20 follows the GDPR with broader definitions of personal information and broad consumer rights. Both the attorney general and consumers have the right to bring actions for violations. A proposal for even broader privacy protection made earlier this year was withdrawn.
- Massachusetts: Breach notification standards were updated as of 4/11/19 to strengthen consumer protection and to designate biometric information as personally identifiable information, though with differences from the controversial Illinois Biometric Information Privacy Act.
- Washington, D.C.: The attorney general has proposed new legislation closer to the GDPR that expands the categories of protected information, including biometric information.
- Vermont now regulates data brokers, requiring registration and compliance with data protection standards.
- Ohio: The state’s data protection act takes the incentive approach, offering businesses a safe harbor if they have a written cybersecurity program that reasonably conforms to industry standards.
Businesses must be aware of these differing approaches and make sure their data protection practices at least meet the legal requirements of every state in which they do business. Standish and Freedman believe the goal of data protection laws should be to incentivize consumer protection. In their view, the strict GDPR-type approach is more likely to lead to class action suits, while safe harbor legislation will result in better data protection. Whichever approach wins out, the best advice for businesses is to adopt best data practices rather than settle for minimum compliance.