On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.” The new law updates Connecticut’s data security laws by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing public concern about data security.
Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or is reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities that “unduly delay” notification. Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
In addition, no later than October 1, 2017, health insurers, pharmacy benefit managers and certain other entities regulated by the Connecticut Insurance Department must implement and maintain a “comprehensive information security program” to protect personal information. While the requirements generally track HIPAA obligations that will likely already apply to these entities, the new requirements go further, for example by requiring encryption of all personal information transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a portable device, specified secure authentication and access protocols, and imposition of disciplinary measures for employees who violate the security policies or procedures. Under the security program, the entities must also prevent terminated, inactive, or retired employees from accessing personal information.
New requirements with respect to state contractors will also take effect. Beginning in July 2015, state agencies must require in every written agreement that private contractors implement and maintain a “comprehensive data-security program.” Among other requirements, contractors will be prohibited from storing data on stand-alone devices (such as flash drives or laptop notebooks) unless expressly permitted to do so in the state contract, and contractors, not the State, must bear any added expense associated with implementing the data security program. In addition, the written agreement must stipulate how costs of data breach notification will be allocated between the state agency and the contractor.
With respect to enforcement, the Attorney General continues to have authority over data breach notification. The Act also newly empowers the Attorney General to bring a civil suit against a contractor in breach of the new comprehensive data-security program law, while the Secretary of the Office of Policy and Management may require contractors to take additional security protections where the type and amount of information warrants such protection. With respect to health insurance entities, the Insurance Commissioner will enforce the new data security requirements.
Companies doing business in Connecticut or contracting with the State of Connecticut should carefully review the added data security and breach notification measures and consider whether revisions of current policies are necessary to comply with the state’s stringent new requirements.
Special thanks to Proskauer summer associate Krista L. White for her contributions to this post.
 S.B. 949 (Ct. 2015).
 “Statement from AG Jepsen on Final Passage of Data Breach Notification and Consumer Protection Legislation,” Connecticut Office of the Attorney General, http://ct.gov/ag/cwp/view.asp?A=2341&Q=566508 (last visited July 13, 2015).
In City of Los Angeles v. Patel, the Supreme Court invalidated a Los Angeles law that allowed law enforcement officials to inspect hotel and motel guest registries at any time, without a warrant or administrative subpoena. The Court ruled that the law violated hotel owners’ Fourth Amendment rights because it “penalizes them for declining to turn over their records without affording them any opportunity for pre-compliance review.”
In reaching its decision, the Court also announced two holdings with implications for future lawsuits brought under the Fourth Amendment:
- Facial challenges to statutes are permitted under the Fourth Amendment
- Hotels and motels do not fall under the “pervasively regulated” exception to the warrant requirement
When are U.S. social media companies subject to European data privacy laws? As we reported in 2013, the answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was processed in Ireland, not Germany.
However, in 2014, a different German court at the same level found, in a separate case, that Facebook could be subject to German data protection laws, finding that the relevant data was processed outside the E.U. in the United States rather than Ireland.
But geography isn’t everything. As an Austrian court decision last week makes clear, the location of data processing is not the only potential hurdle for would-be plaintiffs bringing suit against U.S. companies in the E.U. The Vienna Regional Court dismissed a case against Facebook, not because of national borders, but because of the identity of the plaintiff and how he used his Facebook accounts.
Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation is pending in a number of other states.
A brief rundown of developments in recent weeks in the area of EU data protection law:
EU Data Protection Regulation
On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.
Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.
As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.
Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Data Protection Commissioner, referred to the ECJ by the Irish High Court out of Maximillian Schrems’ complaint against Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook, like many other US-based companies, relies to transfer and hold users’ personal data in the US) cannot provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a national data protection authority may investigate an individual’s claim that the US does not adequately protect data transferred from the EU, or whether it must accept as a matter of law that Safe Harbor compliance means the data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authority may investigate, and/or punting in light of the ongoing reform negotiations). The Advocate General’s opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.
**This post also appears on Proskauer’s International Labor and Employment Law Blog.**
On Thursday, the Digital Advertising Alliance (“DAA”) announced that it will enforce its previously issued “Application of Self-Regulatory Principles to the Mobile Environment” (the “Mobile Guidance”) beginning September 1, 2015.
Although the Mobile Guidance was initially issued in July 2013, enforcement was delayed pending the DAA’s implementation of an effective choice mechanism for the mobile environment. In February 2015, the DAA released two mobile tools for consumers – the “AppChoices” mobile application and the “DAA Consumer Choice Page for Mobile Web.”
The Mobile Guidance clarifies how the existing Self-Regulatory Principles for Online Behavioral Advertising and MultiSite Data (collectively, the “Self-Regulatory Principles”) apply to mobile web sites and applications. In particular the Mobile Guidance addresses:
- privacy notice, enhanced notice, and controls (opt-out mechanism) for data collected from a particular device regarding application use over time and across non-affiliate applications (“Cross-App Data”);
- privacy notice, enhanced notice, and controls (opt-in consent) for data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device (“Precise Location Data”); and
- transparency and controls (opt-in consent) for calendar, address book, phone/text log, or photo/video data created by a user that is stored on or accessed through a particular device (“Personal Directory Data”).
After September 1, any entity that collects and uses Cross-App Data, Precise Location Data or Personal Directory Data will be required to demonstrate compliance with the Mobile Guidance, or risk being subject to the DAA accountability mechanisms. The Mobile Guidance will be enforced by the Council of Better Business Bureaus (“CBBB”) and the Direct Marketing Association, the same two entities which have had oversight of the Self-Regulatory Principles since 2011. During that period the CBBB has issued 29 Accountability Program decisions regarding advertisers, ad publishers and ad networks.
On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:
- Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
  - both computerized and hard copy data that contain personal information that is not “secured;” and
  - encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.
In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.”
The past few years have seen exponential growth in the use of technology in the classroom, with applications ranging from the increased availability and use of e-books to the displacement of physical classrooms through Massive Open Online Courses (also known as MOOCs). One of the fastest growing segments of the education technology market relates to online educational services and applications, which are designed to track individual student progress and use the data gathered to deliver an individualized learning experience to each user. However, while online educational services and applications hold significant potential, the gathering of massive amounts of data has also sparked fears about what data will be collected, from whom, how it will be used, and whether, if at all, it will be deleted. This fear is especially prevalent when it comes to online educational services and applications targeted at children.
Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.