
Keeping private data secure: Midwestern states among the vanguard when it comes to laws and measures to secure residents’ private electronic information

by Jon Davis ~ October 2018 ~ Stateline Midwest
From birth to death, states collect terabytes of personal information on their residents, all of which must be kept secure. One successful hack, or one employee clicking on one link in one email, could reveal personal information on hundreds, thousands or even millions of citizens.
Search the web for “information breach” and a state; you’ll find plenty of examples (not to mention myriad incidents in the private sector), but in 2018 alone:
According to the law firm Norton Rose Fulbright, which monitors data privacy laws, all 50 U.S. states have enacted breach-notification laws that require businesses to notify consumers if their personal information has been compromised.
And to secure their information systems against external threats, all 50 states also have chief information security officers. Only nine — including Indiana and Ohio — have taken the additional step of hiring a chief privacy officer whose job is to protect the privacy rights of the people whose information is held by the state, says Amy Glasscock, a senior policy analyst at the National Association of State Chief Information Officers.
“States collect a lot of personal information” such as driver’s license and Social Security numbers, tax information, mortgage and business filings, voting records, etc., Glasscock says. “And as citizens of a state, you don’t often get a lot of choice [about that].”
Rita Heims, general counsel and research director at the International Association of Privacy Professionals, says this position is common in the private sector. However, there is no single definition for it because privacy needs can be quite different from one company to the next. Generally, however, private-sector chief privacy officers ensure the company’s data-handling practices are in accordance with laws and privacy norms, Heims adds.
A focus on privacy protection
In Ohio, the position of chief privacy officer was created in 2007 by then-Gov. Ted Strickland and then codified by the General Assembly in 2008 (HB 46), following a data breach involving improper access to personal information by state employees.
Under the law, the Ohio Office of Information Technology must “employ a chief privacy officer” to advise the office and other state agencies on policies and procedures for handling personal information, and to develop education and training programs regarding the state’s data-security procedures.
Ted Cotterill, Indiana’s chief privacy officer, says Indiana’s Open Data Act (HB 1470, signed into law in May 2017) created a legal framework for executive agencies to share data; as interagency discussions about interaction and data-sharing cooperation evolved, so did the desire for a chief privacy officer.
The job was subsequently created by administrative fiat as a position within the Indiana Management Performance Hub, the state’s interagency data portal, he adds.
“If you’re going to have a chief privacy officer, and it is a legitimate statewide role, at least in Indiana we haven’t had to rely on legislative action,” Cotterill says.
Either way, Glasscock says CPOs “take an enterprise view of privacy protections in the state, and in state agencies.”
For example, she adds, they often work to educate state employees on best practices for handling data and reducing the risk of a data breach.
“When you think about privacy as opposed to data security, you think about how that information is used” as opposed to how it’s stored and secured, she says.
Daren Arnold, Ohio’s CPO, agrees.
His job is more operational than policymaking, more a matter of “fundamentalizing privacy at the IT level,” meaning he doesn’t just oversee annual privacy training and awareness programs, but also helps agencies understand how information is to be used and think through the privacy implications of those uses, Arnold says.
“State government serves in a unique place in terms of personal information; we create [people’s] identities with birth certificates and end their identities with death certificates” and collect all manner of information in between, from education data to tax, benefits eligibility, child support, adoptions, Medicaid records and more, he says.
“State governments collect a huge amount of personal information on people, even more than the federal government,” he adds. “There’s significant value in having someone who looks at privacy from a systems-implementation perspective.”

Aiming to enhance cybersecurity

In Kansas, legislators approved the Kansas Cybersecurity Act (SB 56), signed by Gov. Jeff Colyer in May, which creates an “Executive Branch Chief Information Security Officer” to coordinate cybersecurity efforts among executive branch agencies.
Kansas Rep. Tom Sloan, chairman of the House Committee on Government, Technology and Security, says the committee didn’t consider adding a chief privacy officer because system security was the primary concern.
“We were more concerned with the fact that large state agencies have large staffs in [information technology], so they can have someone who focuses on security. But the Board of Barbers doesn’t,” Sloan says.
“There are multiple entry points [into state systems], some of which may be more secure than others, and we wanted to have one agency be ultimately responsible for securing our residents’ personal information.”
Illinois’ General Assembly and Gov. Bruce Rauner found common ground in the state’s Department of Innovation and Technology, and the position of Statewide Chief Information Security Officer. Both were originally created by a 2016 executive order, then codified this year by HB 5611 (which passed unanimously).
Gov. Rauner’s executive order aimed to consolidate the state’s information technology spending and security in one office, and under one “secretary of innovation and technology.”
HB 5611, signed by Rauner in July, enshrined the new agency and position in law to provide a framework and overall vision for the state’s 38 agencies, says Illinois Rep. Jaime Andrade Jr., who sponsored the legislation.
“As you know, when you have 38 agencies, all with their own vision … everyone’s going their own way,” he adds. “I felt it was important to codify.”
Under a separate measure signed into law in August 2017 (HB 2371), Illinois now requires its state employees to take part in annual cybersecurity training.
“The biggest problem we have is phishing, or human error in clicking on the link,” Andrade says. “No matter how many times we say, ‘Don’t click on the link,’ human error still does it.”

Private sector, private information

All states require businesses to notify consumers if their personal information has been compromised. Illinois and California have each gone a step further, in different ways.
Illinois’ Biometric Information Privacy Act, signed into law in 2008, is still deemed by the Electronic Frontier Foundation as “the gold standard for biometric privacy protection nationwide.” It covers the use of body-based identifying information such as fingerprints or retinal/facial geometry scans, and requires private entities
The law also allows parties injured by violations of these rules to file lawsuits to hold businesses accountable.
Texas and Washington have since enacted similar laws, but Illinois is the only state that allows individuals to sue over violations. (Facebook is fighting such a lawsuit over its photo-tagging function. A federal judge granted the suit class-action status in May, but a federal appeals court subsequently agreed to review that decision.)
In Michigan, HB 5019 was introduced in September 2017 and is similar to Illinois’ law, but it remains in the House Commerce and Trade Committee.
California’s new Consumer Privacy Act (AB 375), which comes into force on Jan. 1, 2020, might have the larger national impact, however.
It gives people the right to know what data about them is being collected, and why. It also gives people the right to request deletion of their personal information and to opt out of the sale of that information.
The California law’s definition of personal information includes a person’s personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer.
The state attorney general is charged with enforcing protections over this data, but consumers maintain a private right of action if companies fail to maintain reasonable security practices, resulting in unauthorized access to the personal data. Among the California law’s other provisions:
Another new California law (SB 327), also taking effect on Jan. 1, 2020, is the first state law to directly regulate the “Internet of Things.” (Often abbreviated “IoT,” it’s the network of devices, appliances, vehicles and other items like Amazon’s Echo or Google’s Home, which are capable of collecting and sharing data.)
The new law will make it illegal to manufacture or sell internet-connected “smart” devices — any device that connects to the internet, directly or indirectly (like a “smart” appliance), and has an IP address or Bluetooth address — that aren’t equipped with a unique password, or a feature that forces the consumer to set a personal password when the device is first used.


Examples of recent legislation and other activity in Midwest related to data privacy, cybersecurity

Illinois Gov. Bruce Rauner in July signed HB 5611, creating a Department of Innovation and Technology, as well as a position of statewide chief information security officer, to: 1) coordinate security in state agencies, including identifying threats to third-party providers and state vendors; 2) implement a statewide risk-management program on information security; and 3) ensure state information systems comply with state and federal data-privacy laws. One year ago, Illinois legislators passed a bill (HB 2371) requiring annual cybersecurity training for state employees.
In April 2017, Indiana Gov. Eric Holcomb signed SB 549, which allows the state attorney general to sue health care providers whose negligent or reckless handling of health records leads to a data security breach. SB 549 also removes exemptions from database owners who follow federal HIPAA (Health Insurance Portability and Accountability Act) guidelines, unless they implement and maintain “reasonable procedures” to protect health care records.
Iowa Gov. Kim Reynolds in March signed HF 2354, which bans the operators of school-related websites or apps from using school district data to create profiles of students or to target advertising to students. The new law also bans these operators from “knowingly selling” such information. In addition, they must maintain “reasonable security precautions” and must delete student data upon the request of a school district.
Kansas Gov. Jeff Colyer signed the Cybersecurity Act (SB 56) into law in May. It creates a new office and position within the executive branch to implement risk-management programs for state agencies. The law also allows agency directors to require criminal background checks every five years of people (including contractors) who handle or have access to personal information. State agencies will now be required to have information security programs in place, and to conduct annual assessments of them.
Last year, with the passage of HB 4508, Michigan legislators established in statute a “Cyber Civilian Corps.” Working through the state’s Department of Technology, Management and Budget, the corps is made up of residents with expertise and/or training in cybersecurity who volunteer as a “rapid response” team to help municipalities, schools, nonprofits or business organizations when needed under a gubernatorial declaration of a “cyber-emergency.” Volunteers undergo criminal background checks and are (mostly) immune from civil liability while on deployment.
The Minnesota Legislature in 2014 created a Legislative Commission on Data Practices and Personal Data Privacy. Made up of four representatives and four senators, the commission: 1) researches and analyzes emerging issues related to government data practices and security, as well as personal data privacy; 2) reviews and makes recommendations on legislation amending the Minnesota Government Data Practices Act; and 3) reviews and advises on legislation regarding personal data privacy rights, data security and related issues.
In February, Gov. Pete Ricketts signed Nebraska’s LB 757. It requires companies amassing data on the state’s residents to implement and maintain “reasonable” security measures “appropriate to the nature and sensitivity” of the information — similar to requirements under the state’s Credit Report Protection Act. (It also requires third-party contractors to do likewise). LB 757 also bars companies from charging customers a fee for those security measures.
In March 2017, North Dakota Gov. Doug Burgum signed HB 1104, which allows him to call out the National Guard in the event of a cyberattack; HB 1106, which adds virtual networks and systems to the state’s definition of “critical industry sectors” and cyberattacks to its definition of “disaster”; and HB 1108, which states that unless records relating to a cyberattack are made confidential for trade-secret or proprietary reasons, they are subject to disclosure under North Dakota’s open-records law.
Ohio’s SB 220, passed this year, encourages the private sector to attain a higher level of data security by creating an affirmative defense, or “safe harbor,” in a lawsuit against businesses struck by data breaches — if those businesses have a qualifying cybersecurity plan in place for personal and restricted information (data that can directly or indirectly identify someone) and are complying with it. These cybersecurity plans must meet specific benchmarks in state law and “reasonably conform” with industry-recognized security frameworks.
South Dakota Gov. Dennis Daugaard signed SB 62 in March after it passed both houses unanimously. SB 62 requires companies to notify residents affected by a data breach within 60 days of discovery of the breach. It also requires companies to notify the attorney general if 250 or more residents are affected, and to notify all credit reporting agencies regardless of the number of people affected. All states now have some version of a data breach notification law.
Under SB 233, introduced this year, Wisconsin internet service providers would need to get a customer’s permission before using, disclosing or permitting access to his or her personal information (Social Security numbers, financial or health data, information on a child, geolocation, browsing histories and content of communications). The bill also would ban ISPs from refusing broadband service to anyone who did not grant permission. These providers, too, would need to report security breaches to the state within seven days of a breach affecting 5,000 or more customers (or 30 days if fewer than 5,000).


Federal data privacy legislation: Legislation abounds but, so far, is going nowhere

In April 2017, President Trump signed a congressional resolution repealing broadband privacy regulations adopted under President Obama that would have required internet service providers to obtain users’ permission before using their web browsing history, geolocation and other personal information to create targeted advertisements. (The regulations, from the Federal Communications Commission, had not yet gone into effect when the repeal was signed.)
In the U.S. Congress, several bills have been introduced during the current session, but none have advanced beyond an initial committee assignment.


Also in 2017, at least three “Internet of Things”-related bills were introduced in Congress, but none has yet made it to a vote.