Updates to Chapter 12

State Cybersecurity Statutes and Regulations

UPDATES TO THE SECOND EDITION

12.2.12A Kentucky

On April 4, 2024, the governor of Kentucky signed the Kentucky Consumer Data Protection Act, to be codified in KRS Chapter 367. Like other state privacy laws, the act requires data controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” The data security practices shall be appropriate to the volume and nature of the personal data at issue. Also like the other state laws, it requires processors “[t]aking into account the nature of processing and the information available to the processor” to assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732. Controllers shall conduct and document a data protection impact assessment of certain activities, including any processing of personal data that presents a heightened risk of harm to consumers. The Attorney General shall have exclusive authority to enforce violations of the Act. Further, the Act expressly states that “[n]othing in Sections 1 to 10 of this Act or any other law, regulation, or the equivalent shall be construed as providing the basis for, or give rise to, a private right of action for violations of Sections 1 to 10 of this Act.” The Act takes effect January 1, 2026.

12.2.14 Maryland

In April 2024, the Maryland legislature adopted and sent to the governor a comprehensive consumer privacy law that contained a data security requirement. If signed by the governor, the statute will require covered businesses to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.” The bill also requires a controller to contractually require its processors to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data.” Further, a processor must assist the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of a system, as defined in § 14–3504.

Like other recent state privacy laws, the Maryland law requires a controller to conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer. Such assessment shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against the potential risks to the rights of the consumer as mitigated by safeguards that may be employed by the controller and the necessity and proportionality of processing in relation to its stated purpose.

Maryland already had a reasonable security measures law, but the new statute has its own definition of personal information and its own extensive set of exclusions and exemptions.

12.2.18A New Hampshire

On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law. Like other recent state comprehensive privacy laws, it requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue. Also like other state laws, it requires data processors, “[t]aking into account the nature of processing and the information available to the processor,” to assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller's obligations.

Under 507-H:11, nothing in the new law shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter or any other law. A violation of the new law shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce under RSA 358-A:2 and shall be enforced by the attorney general. The act takes effect January 1, 2025.

12.5 Equipment and App Bans

In December 2023, a federal district court upheld the Texas TikTok ban against a First Amendment challenge. Coalition for Independent Technology Research v. Abbott (W.D. Tex. Dec. 11, 2023). Plaintiff, a group of “academics, journalists, civil society researchers, and community scientists,” brought suit challenging Texas's TikTok ban “as applied to faculty at public universities.” The court found that the plaintiff’s members had First Amendment rights as academics and public employees. Indeed, the court said, “academic freedom receives extra protection under the law.” However, the court found that the ban is not a restraint on speech in a public forum, but rather a restriction on a nonpublic forum, subject to much less searching scrutiny: “Texas's TikTok ban is limiting the use of an app on state-provided devices and networks, which is not a blanket prohibition. Public university faculty—and all public employees—are free to use TikTok on their personal devices (as long as such devices are not used to access state networks).” “[T]he ban relates to Texas's regulation of its own governmental property.” The touchstone of nonpublic forum analysis is whether the restriction is reasonable in light of the purpose which the forum at issue serves. Within that framework, the court easily found the restriction, which it emphasized was viewpoint-neutral, to be reasonable, in light of Texas’ concerns about privacy and security.

______________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION (last updated: January 13, 2023), INCORPORATED INTO THE SECOND EDITION

12.2.3.1 Statutory Damages under California’s Cybersecurity Law

In Gardiner v. Walmart Inc., 2021 U.S. Dist. LEXIS 75079, 2021 WL 2520103 (N.D. Cal. March 5, 2021), the court dismissed a CCPA claim where the plaintiff had not adequately alleged the disclosure of personal information as defined by the statute.

12.2.4 – Colorado

In 2021, Colorado’s governor signed a comprehensive privacy law, Senate Bill 21-190. It added a new part 13 to article 1 of title 6 of the Colorado Revised Statutes. Section 6-1-1308(5) states:

(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.

Section 6-1-1310 specifies that the new law does not authorize a private right of action, nor does it relieve any party from any duties or obligations imposed, nor alter any independent rights that consumers have, under other laws. Under 6-1-1311, the state attorney general and district attorneys have exclusive authority to enforce the new law. Twenty-one categories of data are exempted from the law, mostly data regulated under other laws, state or federal. A violation of the new law is a deceptive trade practice, but only for purposes of enforcement by the state AG or district attorney.

Under Section 6-1-1309 of the law, a controller shall not conduct processing of sensitive data (defined in 6-1-1303(24)) without conducting and documenting a data protection assessment that identifies and weighs the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks.

The new law includes a cure provision:

Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed, effective January 1, 2025.

The new law sits parallel to Colorado’s existing data security law, 6-1-713.5. The difference is that the new Colorado law has a much broader definition of personal data:

“Personal data”: (a) means information that is linked or reasonably linkable to an identified or identifiable individual; and (b) does not include de-identified data or publicly available information.

[New subchapter:] 12.2.4A – Connecticut

12.2.4A.1 Reasonable Security Provision

In June 2022, Connecticut became the 23rd state to adopt a reasonable security measures requirement. The cybersecurity language is included in “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut’s new comprehensive consumer privacy law. Like other recent state consumer privacy laws, the Act uses the controller/processor language of the EU. Section 6(3) of the Act states that a controller shall:

establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue;

Section 7 of the Act states a processor shall, “taking into account the nature of processing and the information available to the processor, [assist] the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security … of the system of the processor, in order to meet the controller's obligations.”

The law has very expansive exemptions. See James Dempsey, Exceptions in new US state privacy laws leave data without security coverage, IAPP (May 17, 2022).

The Act becomes effective on July 1, 2023. There is no private right of action: “The Attorney General shall have exclusive authority to enforce violations of sections 1 to 10, inclusive, of this act.” Further: “Nothing in sections 1 to 10, inclusive, of this act shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.” Still further: “A violation of … this act shall constitute an unfair trade practice for purposes of section 42-110b of the general statutes and shall be enforced solely by the Attorney General, provided the provisions of section 42-110g of the general statutes shall not apply to such violation.”

During the period July 1, 2023 through December 31, 2024, prior to initiating any action for a violation of the Act, the Attorney General must issue a notice of violation to the controller if the Attorney General determines that a cure is possible. Only if the controller fails to cure the violation within sixty days may the Attorney General bring an enforcement action. Beginning on January 1, 2025, the Attorney General will have discretion to grant controllers and processors the opportunity to cure, based on a variety of factors spelled out in Section 11(c) of the Act.

12.2.4A.2 Safe Harbor

A separate Connecticut law, PA 21-119, tries to answer the question of how much security is “reasonable.” It does so, not unwisely, by referencing in subsection (c) some familiar standards: the NIST Framework for critical infrastructure, NIST SP 800-171, NIST SP 800-53 and 53a, the FedRAMP Security Assessment Framework, the Center for Internet Security’s Critical Security Controls, or the ISO/IEC 27000-series. (This is the same list in the Ohio law discussed in Chapters 7.5 and 12.2.18.) But the Connecticut provision is confusing, in that it protects businesses only against punitive damages if they comply with one of the listed standards:

In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection shall not apply if such failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.

Shouldn’t compliance with one of the designated standards constitute reasonable security, such that an entity is not liable at all in tort if it complies? As written, the provision suggests that an entity could comply with one of the referenced standards and still be liable for actual damages, just not punitive damages.

Key phrases in the law are “complied with” and “conforms to.” If an entity did not comply with its own cybersecurity program (and many entities don’t) or if the program falls short of the referenced standard, punitive damages are still available. And whether a program in fact conforms with one of the referenced standards and whether the program was in fact complied with seem to be litigable issues. The language about “gross negligence or wilful or wanton conduct” seems inapplicable if the basic standard of the safe harbor—“complied with” and “conforms to”—is not met.

The statute also protects against punitive damages entities regulated under HIPAA, Gramm-Leach-Bliley, the Federal Information Security Modernization Act, or the HITECH Act.

The law took effect October 1, 2021.

12.2.22.1 Utah Cybersecurity Affirmative Defense

In March 2021, Utah’s governor signed into law H.B. 80, the Cybersecurity Affirmative Defense Act. The bill added a new Part 7 to Chapter 4 of Title 78B of the Utah Code, 78B-4-701 through 78B-4-706. It provides a series of affirmative defenses to companies that create, maintain, and reasonably comply with a written cybersecurity program meeting certain criteria. The bill in some ways is similar to Ohio’s, but it is more complicated:

  • A person that creates, maintains, and reasonably complies with a written cybersecurity program that meets certain requirements specified in the statute has an affirmative defense to a claim that alleges that its failure to maintain reasonable information security controls resulted in a breach. 78B-4-702(1). 

  • A person has an affirmative defense to a claim that the person failed to appropriately respond to a breach of system security if the person (a) creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements specified in the statute, and (b) its security program at the time of the breach included breach response protocols that reasonably complied with the cybersecurity program under (a) and the person followed the protocol. 78B-4-702(2). 

  • A person has an affirmative defense to a claim that the person failed to appropriately notify individuals whose data was compromised in a breach if the person (a) creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements specified in the statute and (b) the written cybersecurity program had protocols at the time of the breach for notifying an individual about a breach that reasonably complied with the requirements for a written cybersecurity program under (a) and the person followed the protocols. 78B-4-702(3). 

From there it gets complicated. Under 78B-4-702(4), in order to provide the basis for an affirmative defense, a written cybersecurity program must provide administrative, technical, and physical safeguards to protect personal information, including:

(a) being designed to:

(i) protect the security, confidentiality, and integrity of personal information;

(ii) protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and

(iii) protect against a breach of system security;

(b) reasonably conforming to a recognized cybersecurity framework as described in Subsection 78B-4-703(1); and

(c) being of an appropriate scale and scope in light of specified factors, including the size and complexity of the person and the cost and availability of tools to improve information security and reduce vulnerability

Under Subsection 78B-4-703(1), a person has four options for proving that its written cybersecurity program reasonably conforms to a recognized cybersecurity framework:

(1)  if it reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:

(A) NIST special publication 800-171;
(B) NIST special publications 800-53 and 800-53a;
(C) the Federal Risk and Authorization Management Program Security Assessment Framework;
(D) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
(E) the International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information security management systems;

(2)  if information obtained in the breach is regulated by the federal government or state government and the person’s program reasonably complies with the requirements of the regulation, including:

(A) the HIPAA security rule;
(B) GLB;
(C) FISMA;
(D) the HITECH Act;
(E) the Utah Protection of Personal Information Act; or
(F) any other applicable federal or state regulation;

(3) if information obtained in the breach is the type of information intended to be protected by the PCI data security standard and the person’s program reasonably complies with the current version of the PCI DSS;

(4) if —

(a)  the person coordinates, or designates an employee of the person to coordinate, a program that provides the administrative, technical, and physical safeguards described in Subsections 78B-4-702(4)(a) and (c);

(b)  the program under Subsection (2)(a) has practices and procedures to detect, prevent, and respond to a breach of system security;

(c)   the person, or an employee of the person, trains, and manages employees in the practices and procedures under Subsection (2)(b);

(d)  the person, or an employee of the person, conducts risk assessments to test and monitor the practice and procedures under Subsection (2)(b), including risk assessments on:

(i) the network and software design for the person;
(ii) information processing, transmission, and storage of personal information; and
(iii) the storage and disposal of personal information; and

(e)  the person adjusts the practices and procedures under Subsection (2)(b) in light of changes or new circumstances needed to protect the security, confidentiality, and integrity of personal information.

Finally, a person may not claim an affirmative defense under the statute if the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information; the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and the threat or hazard resulted in the breach of system security.

The purpose of the law, for defendants that invoke it, seems to be to shift the focus of litigation from the specific error that caused a breach to the totality of the defendant’s cybersecurity program. In effect, it allows an entity to argue that yes, we made a mistake and the bad guys exploited it, but it was an isolated mistake and overall we had a solid cybersecurity program. The reasonableness of the defendant’s conduct, informed by a cost-utility analysis, should be the focus of a claim in negligence anyhow, but the Utah law specifically allows the defendant to broaden the inquiry from one action or failing to the totality of the defendant’s cybersecurity program. For example, viewed in isolation, the failure to deploy a patch that would have avoided a breach may look unreasonable (see Equifax) and that is where the plaintiff will want to focus (assuming the defendant otherwise had pretty good practices). But with this law the defendant can show that it had a good security program that included patch management and it normally followed its program quite well, but just dropped the ball on that one patch, and that may support the affirmative defense. Overall, such laws are intended to incentivize entities collecting personal information to adopt comprehensive cybersecurity programs. Plaintiffs will then focus on “reasonably complies” and argue that the failure giving rise to the breach was not an isolated incident and defendant is not entitled to the affirmative defense.

12.2.22.2 Utah Consumer Privacy Act

On March 3, 2022, the Utah legislature approved a comprehensive consumer privacy law, the Utah Consumer Privacy Act (thus joining California, Colorado and Virginia in adopting comprehensive consumer privacy laws). The Utah law would add to Title 13 of the Utah Code a new Section 13-61-302 stating:

(2) (a) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to:

(i) protect the confidentiality and integrity of personal data; and

(ii) reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.

(b) Considering the controller’s business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.

This seems to run parallel to the data security requirement already imposed by Utah Code 13-44-201, as discussed in the book.

The new law also addresses the duty of processors (third parties who provide any kind of data storage or other processing to a consumer-facing entity), requiring that, “taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, [they] assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of security system.” In addition, a controller must enter into a contract with any processor it uses that requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

Unlike similar privacy laws adopted by Virginia and Colorado, the Utah law does not require controllers to perform data protection assessments.

The attorney general has the exclusive authority to enforce the law. At least 30 days before initiating an enforcement action, the attorney general must provide the controller or processor written notice of the alleged violation, and the attorney general may not initiate an action if the controller or processor cures the noticed violation within 30 days after receiving the notice.

The law will take effect on December 21, 2023.

12.3.9 Insurance

According to one count, the April 8, 2022 signing of Kentucky House Bill 474 brought to 21 the number of states that have adopted a version of the NAIC model law. The April 21, 2022 signing of Maryland Senate Bill 207 would bring the total to 22. Like other enactments of the NAIC model, these may have small departures from the language of the model. For example, the Maryland law requires notification to the state insurance commissioner only if the cybersecurity event has a reasonable likelihood of harming a consumer residing in the state or any material part of the normal operations of the carrier (unless notice is otherwise required to any government body, self-regulatory agency, or any other supervisory body under state or federal law).

The Maryland law takes effect October 1, 2022, but a carrier shall have until October 1, 2023, to develop, implement, and maintain a comprehensive written information security program based on the carrier’s risk assessment, and until October 1, 2024 to require their third-party service providers to implement appropriate protections for systems and information they access. Smaller carriers have an extra year on each compliance date.

The Kentucky law takes effect on January 1, 2023. Carriers have until January 1, 2024 to comply with the investigation and notification requirements and until January 1, 2025 to adopt and implement their information security programs.

12.4 Laws on Ransomware

In November 2021, North Carolina became the first jurisdiction to ban ransomware payments. The ban, limited to state and local government entities, including the University of North Carolina, prohibits even communicating with the ransomware attacker:

(a) No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.

N.C. Gen. Stat. § 143-800, added by 2021 N.C. Sess. Laws 180, s. 38.13-a, effective 11/18/2021.

12.5 Equipment and App Bans

In response to concerns about the vulnerability of products and services developed by China-based companies—TikTok being the poster child—states have begun to ban their use within state government. The first such action was in 2020, when the governor of Nebraska announced in a press release that the state would block TikTok on all state electronic devices. A wave of bans began in November 2022, with about half the states acting by mid-January 2023, including Alabama, Georgia, Idaho, Iowa, Kansas, Maryland, New Hampshire, New Jersey, North Carolina, North Dakota, Oklahoma, Pennsylvania, South Carolina, South Dakota, Texas, Utah, and Wisconsin. The states utilized a variety of legal authorities. Here are some details and links on a few of the bans:

In December 2022, the Chief Information Security Officer of Maryland issued an emergency cybersecurity directive banning the use of TikTok and certain other China and Russia-based products or services in the state’s executive branch.

The directive was issued under Md. Code, State Fin. & Proc. (SF&P ) § 3.5-2A-04, which states that the Office of Security Management, headed by the State Chief Information Security Officer, is responsible for establishing security requirements for information and information systems used by the state government. Pursuant to SF&P § 3.5-2A-04(b)(6), if the State CISO determines that there are security vulnerabilities or deficiencies in any information systems, the CISO may direct or take actions necessary to correct or remediate the vulnerabilities or deficiencies, which may include requiring the information system to be disconnected.

The directive is broadly worded, stating that —

“The following vendors and products … are subject to this directive.

  • Huawei Technologies

  • ZTE Corp

  • Tencent Holdings, including but not limited to:

    • Tencent QQ

    • QQ Wallet

    • WeChat

  • Alibaba products, including but not limited to:

    • AliPay

  • Kaspersky

  • TikTok.”

The directive states that, within fourteen days of issuance, units must: remove any referenced hardware or software products from the state networks; implement measures to prevent the installation of referenced hardware and software products on State-owned or managed technology assets, and implement network-based restrictions to prevent the use of, or access to, prohibited services.

  • In December 2022, the governor of Texas directed that every state agency in Texas shall ban its officers and employees from downloading or using TikTok on any of its government-issued devices. The ban extended to all state-issued cell phones, laptops, tablets, desktop computers, and other devices capable of internet connectivity. The governor also ordered the Texas Department of Public Safety and the Texas Department of Information Resources to develop a model plan that other state agencies could deploy with respect to the use of TikTok on personal devices. Among other potential TikTok vulnerabilities, this model plan must address the use of personal devices by agency employees or contractors to conduct state business, such as TikTok-enabled cell phones with remote access to an employee’s .gov email account, and network-based restrictions to prevent the use of TikTok on any personal device while it is located on agency property.

  • In November 2022, the governor of South Dakota issued an executive order directing that no state employee or agency shall download or use the TikTok app or visit the TikTok website on government-issued devices and that no person or entity that contracts with the state shall download or use TikTok on state-owned or state-leased equipment.

  • In December 2022, the governor of South Carolina wrote a letter to the executive director of the state Department of Administration requesting that the social media platform TikTok be permanently removed, and access blocked from all state government electronic devices that are managed by the department.


Last updated: April 9, 2024.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.