States Amend Data Privacy Laws (California, Connecticut, Illinois, Texas and Vermont)

Newly amended state laws on data privacy and data breach notification will come into effect in the next couple of months or have recently been enacted. Survey researchers are reminded to update their existing policies to reflect the changes in these laws in cases of activity that may warrant action for the subjects covered under the new amendments. These new amendments and recent enactments impact the states of Texas, Connecticut, Vermont, Illinois and California. Some of the laws are not limited to residents of the specific states and should be carefully examined for further compliance considerations.

Texas: Texas H.B. 300, passed in 2011, sets strict requirements for healthcare privacy and data breach notification. The healthcare provisions will primarily impact “covered entities” who are required to comply with the scope of the law. The breach notification amendments apply to “any person who conducts business in Texas and owns or licenses computerized sensitive personal information about individuals.” The law is not limited to “individuals” who are Texas residents and applies to any individuals. The law goes into effect on September 1, 2012.

Connecticut: Connecticut passed House Bill 6011. Provisions incorporated from H.B. 5427 into the new law amend the data breach notification requirements to also require notice to the Attorney General. Under the new law, companies that are required to notify residents of a data breach are now also required to notify the Attorney General. Notice to the Attorney General must be provided no later than the time notice is provided to residents, which the law summarily states as “without unreasonable delay”. Delays to notice are subject to a safe harbor as a result of law enforcement investigations, and company investigations to determine the scope and nature of the security breach, to identify the consumers impacted by the breach and restore the integrity of the system subject to the breach. Connecticut’s amended law will take effect on October 1, 2012.

Vermont: Vermont amended its data breach law, Act 109, to change the notification requirements and adopt a standard personally identifiable information (PII) label. The notification requirements have been amended to require that consumer notification of a data breach must now occur no later than forty-five days after an incident and must include the approximate date of the incident. Notification must also be provided to the Vermont Attorney General within fourteen days of notice to the consumers or discovery of the breach and must include the date on which the breach occurred, the date of discovery of the breach and a preliminary description of the breach. Act 109 now refers to the label of PII, which was formerly “personal information,” and provides factors in order to determine whether PII has been acquired. This law is currently in effect.

Illinois and California both have recently amended their data security laws, now in effect.

The Illinois law, passed as H.B. 3025 and effective January 1, 2012, requires that specific information must be included in a data breach notification and adds new requirements for “data collectors that maintain or store, but do not own or license, computerized data.” The law also covers the disposal of data to make it “unreadable, unusable and undecipherable”. Penalties for violations of the disposal requirements can range from $100 for each individual’s personal information disposed to a maximum penalty of $50,000 for the disposal.

In California, S.B. 24 also came into effect on January 1, 2012, expanding what must be included in a data breach notification letter and providing specific detailed information to include. The law further requires that if more than 500 people are affected by the breach, then the entity must notify the California Attorney General.

Conclusion

State data security laws are changing at a rapid pace. Companies are specifically reminded to remain diligent and active in updating business practices (and legal agreements) in light of these changes.