ACRP LRD 42

...doctrine to conclude that the provisions in their state constitutions, though similar to the Fourth Amendment to the U.S. Constitution, offer more expansive protections.

Campbell, Jackson, Connolly, and Weaver demonstrate the real possibility that state courts can and will extend provisions creating privacy rights beyond those provided by the U.S. Constitution.356 These cases highlight the possibility that as technology develops, states may interpret their constitutions to provide enhanced privacy protection. Thus, understanding state law is essential to crafting sufficient privacy protections with respect to data collection. These enhanced standards will have to be accommodated in the collection and use of any unified data collection and analysis system.

Analysis of state court decisions on state constitutional privacy protections is necessary to assess state requirements for data collection and technology implementation. This is especially true for governmental entities like airports whose collection of data is restricted by legal protections for individual privacy at both state and federal levels. For example, airports in Oregon will have to satisfy any federal privacy requirements, but also that state's higher constitutional standards that govern the collection of surveillance data.357

VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS

At the state level, there has been significant activity in addressing issues of data privacy. State measures have served to address both government and private use of data. The types of data addressed by state regulations are also expanding to include private consumer data. Looking at these state law developments offers both a mandatory compliance requirement for airports within certain states as well as serves as a potential guide for airports in states without regulation or that lack sufficient court guidance. While every state law cannot be examined, understanding the types of regulatory schema developed within various states will assist in determining trends and frameworks that may eventually govern airport activity.

A. Data Security Laws Regulating the Public Sector

While all states have measures in place governing personal data they collect and retain, in well over half of the states, those requirements are imposed by statute. In most states, these laws apply only to state government. In some states, however, the laws also apply to other public entities like public educational institutions and other local governmental entities. The National Conference of State Legislatures maintains a running reference guide to state data security laws.358

356 It should be noted that the U.S. Supreme Court's 2012 decision in Jones, supra, footnote 88, extended protections to require a warrant before placement of a GPS tracking device on a suspect's vehicle.
357 See State v. Campbell, 759 P.2d 1040 (Or. 1988).
358 Data Security Laws: State Government, Nat'l Conf. of State Legis. (Feb. 14, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws-state-government.aspx.

Many of these state data security laws are recent enactments that provide a comprehensive approach to security.359 Some provide specific measures to protect sensitive information from unauthorized access, use, modification, disclosure, or destruction.360 Many of these laws provide for the development of standards and guidelines, training for employees, and security audits.361

B. Data Security Laws Regulating the Private Sector

Roughly half of the states have passed legislation to ensure that private sector entities provide security for data they collect and retain. These enactments are in addition to measures required for government organizations that collect and retain data. The adoption of these measures has rapidly expanded in the past five years largely in response to concerns over identity theft and data breaches. The National Conference of State Legislatures maintains a running reference of states with data security laws applicable to private sector entities.362 The thrust of most of these laws is to require "reasonable procedures and practices" regarding sensitive or personal information (PI) in the possession or control of private entities.363 The definition of what information is covered and the determination of what measures are required vary by statute.364

In 2010, the Commonwealth of Massachusetts became the first state to mandate specific security requirements for businesses that maintain electronic data on state residents with the Massachusetts Standards for the Protection of Residents of the Commonwealth.365 The Massachusetts law requires user identification, access control measures, encryption, system monitoring, firewalls, anti-malware, and employee training.366 However, the statute requires that these security measures be implemented only if "technically feasible."367 This regulation has resulted in relatively weak enforcement of otherwise rigorous requirements.

In contrast, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act368 mandates detailed data security requirements. The SHIELD Act's obligations apply to "[a]ny person or business which owns or licenses computerized data which includes private information" of a New York resident.369 The SHIELD Act contains a comprehensive definition of PI.370 A business is in compliance with the SHIELD Act if it implements a data security plan that includes reasonable administrative, technical, and physical safeguards.371 Businesses that fail to comply with the SHIELD Act's security requirements are liable for civil penalties of up to $5,000 per violation, and there are no penalty caps.372 There is a $250,000 penalty cap for failure to notify authorities when a breach occurs.373 Enforcement of the SHIELD Act is limited to the Office of the New York Attorney General; there is no limited private cause of action under the SHIELD Act.374

C. Data Disposal/Destruction Laws

Consistent with concerns over data security, there are a growing number of state laws concerning data disposal and destruction or otherwise deleting personal information from records. These laws frequently apply to both government and private organizations. In 2019, the National Conference of State Legislatures reported the existence of data disposal laws applying to public and private entities in 35 states and in Puerto Rico.375 These laws are in addition to data disposal requirements set out by the FTC Disposal Rules376 that apply to persons and entities that use consumer reports. The FTC Disposal Rules apply to the reports themselves and the information derived from them.377

These state data disposal laws vary as to whom they apply as well as what documents are covered.378 For instance, the Delaware data disposal law applies to businesses, but does not apply to government entities except in their capacities as employers.379 The Wisconsin statute only applies to financial institutions, medical business, or tax preparation entities.380 The Arizona statute only applies to paper records.381 One common aspect of state data disposal laws is specificity as to methods of disposal/destruction.382 This is a point that airports and airport stakeholders should specifically note.

359 See, e.g., Conn. Gen. Stat. § 4e-70 (requiring a comprehensive data security program applicable to any state agency with a department head and any state agency disclosing confidential information to a contractor pursuant to a written agreement with such contractor for the provision of goods or services for the state).
360 See, e.g., Ala. Code § 8-38-8.
361 See, e.g., Ariz. Rev. Stat. § 18-105; Cal. Govt. Code § 11549.3 et seq.; Cal. Govt. Code § 8592.30-8592.45; Cal. Govt. Code § 8586.5.
362 Data Security Laws: Private Sector, Nat'l Conf. of State Legis. (May 29, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx#DataSecLaws.
363 See id.
364 See id.
365 Mass. Gen. Laws Ch. 93H § 2.
366 201 Mass. Code of Regs. 17.00-17.04.
367 201 Mass. Code of Regs. 17.04.
368 N.Y. CLS Gen. Bus. §§ 899aa-899bb.
369 N.Y. CLS Gen. Bus. § 899bb(1)(b).
370 N.Y. CLS Gen. Bus. § 899bb(1).
371 N.Y. CLS Gen. Bus. § 899bb(2).
372 N.Y. CLS Gen. Bus. § 899bb(2)(d).
373 Id.
374 N.Y. CLS Gen. Bus. § 899bb(2)(e).
375 Data Disposal Laws, Nat'l Conf. of State Legis. (Jan. 4, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.
376 Disposing of Consumer Report Information? Rule Tells How, FTC (June 2005), https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how.
377 Id.
378 Id.
379 Id.
380 Id.
381 Id.
382 Id.

D. Data Breach Laws

Also consistent with the growing concern over data security is the increase in state law provisions governing actions in the event of data breach. All fifty states now have laws that guide public and private entities in the event of data breaches involving personally identifiable information. These laws generally outline the parties that must comply, provide definitions of critical terms like personally identifiable information and breach, and establish requirements for notice (who, when, and how). The National Conference of State Legislatures maintains a reference index of state security breach notification laws.383

For example, Vermont has a robust regulatory scheme governing data breaches.384 It requires entities subject to a breach to provide notice of the breach to either the state Attorney General or the Department of Financial Regulation depending on the type of data accessed.385 It has specific requirements as to the type of notice and the timing of notice required for consumers.386 It has provisions for substitute notice and also for various exemptions from the notice requirement.387 Lastly, it contains an enforcement provision.388

Vermont amended its data breach notification law to expand the definition of what constitutes PII.389 The changes are effective on July 1, 2020, and provide that, when combined with a consumer's first name or first initial and last name, PII now includes the following:
• Individual taxpayer identification number;
• Passport number;
• Military identification card number;
• Any identification number that originates from a government identification document commonly used to verify identity for a commercial transaction;
• Biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to identify or authenticate the consumer;
• Genetic information; and
• Health records or a health insurance policy number.390

Vermont may be a good example for an airport or airport stakeholder to review in developing a data breach notification policy due to its complex and evolving data privacy regulatory regime.

383 Security Breach Notification Laws, Nat'l Conf. of State Legis. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
384 9 V.S.A. § 2435.
385 Id. § 2435(b)(3).
386 Id. § 2435(b)(4).
387 Id. § 2435(b)(5).
388 Id. § 2435(g).
389 Id.
390 Id. § 2430.

...CPRA.447 Among the differences between the CCPA and the proposed CPRA are the following:
• The CPRA would raise one of the threshold tests of applicability from processing personal information of 50,000 or more California consumers or households to processing personal information of 100,000 or more California consumers or households.448
• The CPRA would create a new right for data subjects to correct inaccurate personal data held by a business.449
• The CPRA would establish a new category of "sensitive personal information," which would include government identification, such as social security numbers and driver's license numbers; precise geolocation; and racial, ethnic, genetic, and biometric data. Significantly, the contents of a consumer's mail, email, and text messages would also be in this category unless the business is the intended recipient. Consumers would be allowed to limit the use of sensitive personal information to what is necessary to provide the goods or services requested and other compatible purposes. A business would be required to display clearly and conspicuously a "Limit the Use of My Sensitive Information" link on its website unless it allows consumers to exercise this option using a preference signal from a browser.450
• The CPRA would expand CCPA's right to know obligations to include "sharing" and disclosure of personal information by a covered business and also expands the opt-out for sale of such personal information. A business would be required to clearly and conspicuously display a "Do Not Sell or Share My Personal Information" link on its website unless it allows consumers to opt out from both selling and sharing by using a preference signal from a browser.451
• The CPRA would extend a consumer's right to know beyond the twelve-month lookback provided under CCPA.452
• The CPRA would increase administrative fines to up to $7,500 for an intentional violation or one where the violator has actual knowledge that the personal information involved someone under the age of 16.453
• The CPRA would grant a private cause of action for data breaches caused by a company's failure to use reasonable security measures for additional types of personal information, specifically an email address and either a password or a security question-and-answer that would permit access to the account.454
• The CPRA would create new requirements for data retention that must be disclosed in a company's privacy notice.455
• The CPRA would expand a consumer's right to know and access specific pieces of personal information and includes a portability-type requirement similar to the GDPR.456
• The CPRA would create a new category of "contractor" along with the CCPA's "service provider" category. There would be mandatory written contract and auditing requirements for both contractors and service providers.457
• Perhaps most significantly, the CPRA provides for a new agency to be established, the California Privacy Protection Agency (CPPA), which will assume the authority currently held by the California Attorney General to issue regulations, bring enforcement actions, and determine administrative fees. The CPRA provides that the CPPA would issue regulations requiring companies determined to be involved with high-risk data processing to have annual audits and providing for consumer access and opt-out rights with respect to automated profiling and decision-making, similar to GDPR requirements.458

The focus of attention on the CCPA and the subsequent CPRA ballot initiative is reflective of the influence that California has had on the development of privacy law in the U.S. The documented "California Effect,"459 owing to the size of the state's economy and the predominance of technology companies located in the state, has influenced both large corporate entities in shaping their data protections and privacy policies as well as the protections offered in other states. Thus, the influence of prior statutes like CalOPPA and now the CCPA, and the anticipated influence of the CPRA, are factors airports and airport stakeholders should consider in trying to discern legal trends.

G. Other State Legislative Bills

Nine other states have introduced draft bills that would impose varying requirements on business in the consumer data privacy area.460 Hawaii, Maryland, Massachusetts, Mississippi,

447 Cal. Const. art. II, § 10(c).
448 Cal. Privacy Rights Act of 2020, Version 3, No. 19-0021, Cal. Office of A.G. (received Nov. 13, 2019), § 14, https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.
449 Id. § 6.
450 Id. § 13.
451 Id.
452 Id.
453 Id. § 17.
454 Id. § 16.
455 Id. §§ 3-4.
456 Id. § 7.
457 Id. § 13.
458 Id. § 24.
459 See, e.g., Anupam Chander, Margot E. Kaminski, & William McGeveran, Catalyzing Privacy Law, Georgetown L. Fac. Publ'ns & Other Works 2190, at 27 (2019), available at https://scholarship.law.georgetown.edu/facpub/2190.
460 S.B. 418, 2019 Leg., 30th Sess. (Haw. 2019); S.B. 613, 2019 Reg. Sess. (Md. 2019); S.D. 341, 191st Leg., Reg. Sess. (Mass. 2019); H.B. 1253, 2019 Leg., Reg. Sess. (Miss. 2019); S.B. 176, 54th Leg., 1st Sess. (N.M. 2019); S. 224, 2019-2020 Gen. Assemb., Reg. Sess. (N.Y. 2019); H.B. 1485, 2019 Leg., 66th Sess. (N.D. 2019) (enacted); S. 0234, 2019 Gen. Assemb., Reg. Sess. (R.I. 2019); S.B. 6281, 66th Leg., 2020 Reg. Sess. (Wash. 2020).