2018-08-15 Wednesday - U.S. Data Privacy Laws

I recently became aware of new changes that are occurring in the United States, at the State level, with regards to new data privacy laws that are mirroring (or exceeding?) the European GDPR laws.

This posting is a placeholder for me to gather links to resources and articles related to these concerns - that may be relevant to some of the consulting work I do - and may be of interest to others.

California
California Consumer Privacy Act (CCPA)

• https://www.caprivacy.org/

• https://oag.ca.gov/system/files/initiatives/pdfs/Title%20and%20Summary%20%2817-0039%29_0.pdf
• https://oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf
• https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&lawCode=CIV
• https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81 
• Effective Date: 2020-01-01

Highlights:

• Right to know all data collected by a business on you.
• Right to say NO to the sale of your information.
• Right to DELETE your data.
• Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection. 
• Mandated opt-in before sale of children’s information (under the age of 16).
• Right to know the categories of third parties with whom your data is shared.
• Right to know the categories of sources of information from whom your data was acquired.
• Right to know the business or commercial purpose of collecting your information.
• Enforcement by the Attorney General of the State of California.
• Private right of action when companies breach your data, to make sure these companies keep your information safe.
• On 2020-01-01, companies must also comply with being able to verify (or provide) twelve month's of history (going back to 2019-01-01) 

Assumed Reporting/Governance/Compliance Implications:

• Businesses will be required to track and report, at the category > field/data element level (e.g. of a database, log file, blob storage) - data collected about customers and visitors to their site 
• Compliance departments will need to be able to produce reports (e.g. for audit/legal purposes) - identifying what field/data elements are involved in storing such data; when requests are received for such information (or requests for deletion); and when such data is deleted/purged (either by specific request - or by normal operational data management policies)
• Compliance (and Security teams) will need to be able to produce reports identifying what customer-related tables/fields/data elements are stored (identifying with or without encryption ?)

Trigger Criteria [see page-10, 798.106. Definitions, (b), (1) and (2)]

•  Illustrative, not exhaustive:
• For-Profit legal entity that does business in California and meets one of the following thresholds:
• $50M+ in annual gross revenue;
• Or, sells information, annually, for 100K consumers or devices (combined or separately);
• Or, derives 50% or more of its annual revenues from selling consumers personal information.

GDPR 

• https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
• https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
• http://www.sqlservercentral.com/articles/GDPR/165180/

• https://datagrail.io/blog/is-it-time-for-an-american-gdpr

Massachusetts 
{To Be Research}


New York

NYDFS

• https://www.dfs.ny.gov/about/cybersecurity.htm
• https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
• 23 NYCRR 500:  CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES  
• https://www.dataprivacymonitor.com/tag/nydfs/
• https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial 
• http://f.datasrvr.com/fr1/017/12004/Cybersecurity_Alert_2.23.17.pdf
• https://www.hldataprotection.com/2017/08/articles/cybersecurity-data-breaches/a-guide-to-nydfs-cybersecurity-regulations-august-28-implementation-deadline/ 
• "...your policy or policies must apply specifically to your entity and cover the following topics, as relevant to your organization:"
• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns
• Systems and network security and monitoring
• Physical security and environmental controls
• Customer data privacy
• Incident response
• https://www.hldataprotection.com/2018/10/articles/cybersecurity-data-breaches/new-obligations-under-the-nydfs-cybersecurity-regulation-came-online-in-september/  
• As of Tuesday, September 4, 2018, covered entities are required to be in compliance with additional requirements relating to:
• Audit Trail (Section 500.06);
• Application Security (Section 500.08);
• Limitations on Data Retention (Section 500.13);
• Monitoring of Authorized Users (Section 500.14(a)); and
• Encryption of Non-public Information (Section 500.15).

Washington

• https://www.geekwire.com/2019/washington-state-considers-new-privacy-law-regulate-data-collection-facial-recognition-tech