Recently, the governor of Colorado signed bill HB18-1128, "Protections for Consumer Data Privacy". It will oblige organizations to notify affected customers and state authorities of data leaks within 30 days of the incident. Below is our brief overview of the bill, set against the general situation around the introduction of GDPR.
What is required
30 days is the shortest notice period of any state. It applies to all companies without exception, with one amendment: a company may withhold a leak notification if that is necessary in the interests of a law enforcement investigation [page 9, clause (c) of the bill text]. In such a case, law enforcement agencies must first notify the company. As soon as the restriction requested by law enforcement is lifted, the 30-day notification period resumes.
In addition, the law requires companies to tell the affected Colorado residents the date of the leak, exactly what data was compromised, and the contact details of company representatives who can clarify any information about the incident. All of this must be provided to the owners of the PD in one of the following ways (depending on the data available):
- send a notification by mail;
- report by phone;
- send email.
Moreover, if the cost of notifying the victims would exceed $250 thousand (or the number of victims exceeds 250 thousand people, or the company does not have the information needed to use those means of contact), the company may notify the owners of the PD by:
- messages on the company's website page (if any);
- regional media that broadcast throughout the state.
Situation
The tightening of PD regulations is linked to a number of high-profile cases, for example the Equifax breach. Under the new bill, it would qualify as a mass leak and require public notification of the victims through the media. Recall that in the Equifax case, the public learned about the leak only a month and a half after it happened.
Moreover, the organization acknowledged that it had known about its information security problems since March of the same year, but had been unable to "close" the vulnerability (and kept silent about it).
A more recent case is the hack of the Ticketfly event ticketing service, sold to Eventbrite for $200 million in 2017. Troy Hunt, creator of the "Have I Been Pwned" project, calculated that 26 million users of the site were affected by the leak. In correspondence with Motherboard, the alleged attacker stated that he had warned Ticketfly about vulnerabilities and requested 1 Bitcoin for further details, but the company showed no interest. As a result, the service was unavailable for several days, and only a week after the incident did the company publish a statement about the leak and restore the service.
To prevent such incidents, senators began pushing a bill that would set fines for companies responsible for PD leaks. For Equifax, for example, the penalty would be $1.5 billion. The fines bill has not yet been approved, but it can be assumed that the new notification deadlines are a step towards its active consideration.
Where else
Colorado is not the first state to update its requirements for personal data operators. In 2017, for example, Maryland introduced a 45-day deadline for alerting the owners of PD. This is the average notice period in the US.
In Louisiana, on the other hand, it is 60 days (bill text, page 3, clause E). That bill also broadens the very concept of PD (personally identifying information): for example, it now includes, among other things, biometric data and passport numbers (page 2 of the bill text).
As for the concept of a PD operator, Vermont has proposed extending it to companies that process personal data without the knowledge of its owners. The bill is due to come into force on January 1, 2019 and will oblige such companies to report annually: provide general information about themselves, disclose how they obtain PD, and report any leaks that occurred and their scale.
By comparison, the European notification requirements set a stricter framework: 72 hours from the moment a leak is detected. Article 33 of the regulation states that the notification to the supervisory authority must include:
- a description of the nature of the leak, including the approximate number of affected owners of PD;
- a description of the likely consequences and the measures taken to mitigate them;
- contact details of the company that suffered the leak.
What they say
According to one of the drafters of the Colorado bill, the state chose the optimal deadline, one that matches the potential risks and common sense. However, the bill has caused outrage among companies that follow HIPAA (the Health Insurance Portability and Accountability Act) when handling, for example, health insurance numbers. They will have to shorten their notice period from the 60 days required by HIPAA to 30 days.
Law firm representatives point out that a thirty-day leak notification period is a requirement organizations will still have to get used to. Few doubt, however, that the requirements for PD operators will only become stricter over time. Many states may adopt the European approach and reduce the deadline to a matter of hours.