GDPR Wave Hits the U.S.

Written by: Rich Sheinis, Esq.

The wave of data protection that is the EU General Data Protection Regulation (“GDPR”) has hit the shores of the U.S., with states passing GDPR look-alike legislation. All 50 states have data breach notification statutes, which require notification of affected individuals after a breach. The new trend, following the lead of GDPR, is statutes that require companies to proactively implement data security programs to prevent breaches from occurring.

The two latest states swept up in the GDPR wave are Colorado and South Carolina. South Carolina has passed the “South Carolina Insurance Data Security Act”. Although the Act, which is to be effective January 1, 2019, is only applicable to persons licensed, authorized to operate, or registered under the insurance laws of South Carolina, it requires “licensees” to implement a comprehensive written information security program with administrative, technical and physical safeguards to protect consumer information. “Consumer” information includes not only the usual social security number, D/L number and payment card information, but it also includes biometric records and health information of any applicant, policy holder, insured, beneficiary, claimant, or any family member of a “consumer”.

The list of required security measures is lengthy and burdensome. Similar to the newly effective EU GDPR, licensees are required to monitor third-party service providers who access the licensee’s computer system. Licensees must have a written incident response plan, monitor developments in cybersecurity, maintain records for 5 years, and report any unauthorized access to, or misuse of, an information system or the information stored on the system. Any violation of the Act subjects insurers to fines up to $30,000 and/or revocation of their authority to do business in South Carolina.

Colorado has passed House Bill 18-1128, an Act “concerning strengthening protections for consumer data privacy”. Businesses are required to implement and maintain reasonable security procedures and practices to protect personal information. What counts as “reasonable” security procedures and practices is a sliding scale based on the nature of the personal information held by the business, and the nature and size of the business and its operations. If a business discloses personal information to a third-party service provider, it must require the third party to also have reasonable security policies and procedures.

Colorado has expanded the definition of personal information to include biometric data, medical information and health insurance identification numbers. Notification of affected persons is required within thirty (30) days after the date of determination that a security breach occurred. The statute is effective September 1, 2018, which leaves even less time to prepare than does the South Carolina law.

There are still only a few states that require businesses to proactively protect personal information. Most states are focused only on notification after a security breach occurs. However, make no mistake: no matter where you are in the U.S., the wave of new data protection legislation is coming, so don’t get caught underwater!