Page 21 - Sheppard Mullin Eye on Privacy 2018 Year in Review

both the Ninth and Third Circuits have applied the ordinary person test to the VPPA’s definition of PII – “information which identifies a person as having requested ... video materials.”
PUTTING IT INTO PRACTICE: Eichenberger is a reminder that what information is considered “personal” is hotly contested in courts, and will likely continue to be for the foreseeable future. Companies should take this into account when developing their information collection and use practices.
DATA BREACH
US Breach Laws Are Coming: Vermont
Posted on December 21, 2018
On January 1, 2019, Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers must keep a record of “data broker breaches” and report this information to the state annually. Brokers will need to provide this as part of a new annual registration process. The registration also requires data brokers to explain how they let individuals opt out of having information collected, stored or sold. Finally, data brokers also have to develop and maintain a comprehensive information security program.
Data broker breaches are defined as unauthorized acquisition of “broker personal information.” This is broader than personal information that triggers general breach notice obligations. For broker breaches, personal information also includes name, address, date of birth, place of birth, mother’s maiden name, and name or address of family members. The “broker breach” definition (i.e., when there is a duty to notify the state) imposes notice obligations when there is an unauthorized acquisition. It does, though, contain encryption and good faith exceptions.
PUTTING IT INTO PRACTICE: This law is one of the first to have specific disclosure obligations for data brokers, and will require telling the state about a broader category of data breaches than what exists under the general breach notice obligations.
US Breach Laws Are Coming: South Carolina
Posted on December 19, 2018
In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is going into effect on January 1, 2019. South Carolina joins other states, including Connecticut and New York, in having breach notice requirements for insurance companies. The law will supplement the requirements that financial companies, including insurance companies, already face under the Gramm-Leach-Bliley Act.
Companies must promptly investigate potential breaches under this new law. If a breach has occurred, they will often also have to notify the Director of Insurance within 72 hours. This notification must happen either if the company is regulated by the director or if the information of 250 South Carolina residents is affected. The same obligations apply when a vendor is impacted.