Data Security
CA - Sen. Simitian (D) introduced S.B. 20, which creates additional security breach notification requirements. Existing law requires any agency, and any person or business conducting business in California that owns or licenses computerized data that includes personal information, to disclose any data security breach, following the discovery, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

S.B. 20 specifically requires an agency, business or person that must issue a security breach notification to write the notification in plain language and include: the name and contact information of the reporting entity; a list of the types of personal information that were or are the subject of the breach; the date, estimated date or date range when the breach occurred; whether the notification was delayed as a result of a law enforcement investigation; a general description of the breach incident; the estimated number of the persons affected by the breach; and toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number or a driver’s license or California identification card number. The notification may also include information about what the entity has done to protect individuals whose information has been breached and advice on steps the person whose information has been breached may take to protect themselves. The legislation also requires that if an entity must issue a security breach notification to more than 500 California residents, then the notification must be sent to the attorney general. If subject to a security and data breach, survey and opinion researchers would be expected to comply with S.B. 20.

Privacy Policies
WA - Rep. Morris (D) has pre-filed H.B. 1005, which expands the role of Internet privacy policies. This bill requires an operator of a commercial Web site that collects personally identifiable information about an individual consumer residing in Washington who uses or visits its commercial Web site to conspicuously post its privacy policy on its Web site. Personally identifiable information is defined as information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including: the first and last name; a home or other physical address, including street name and name of a city or town; an e-mail address; an Internet protocol address; a telephone number; a social security number; any other identifier that permits physical or online contact with a specific individual; or information concerning a user that the Web site or online service collects from the user and maintains in personally identifiable form in combination with another identifier. The privacy policy must: identify the categories of personally identifiable information that the operator collects through the Web site or online service about consumers who use or visit its commercial Web site and shares with third parties; provide a description of a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service; and, if available, describe the process through which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy and identify its effective date.

Survey and opinion researchers would be expected to comply with H.B. 1005. MRA recommends that research professionals should already be crafting and deploying their privacy policies in a similar fashion. This bill is likely to become law in the state of Washington.

Financial and Data Privacy
MO - Rep. Wildberger (D and Chairman of the House Democratic Caucus) has pre-filed H.B. 100, which would add new sections to existing law on the release of personal information to unauthorized persons. H.B. 100 seeks to prohibit financial institutions, their officers, employees, agents and directors from disclosing any personal financial information relating to a customer without consent. Valid consent must be in writing and signed by the customer. H.B. 100 also provides that any person or business that conducts business in the state of Missouri, that owns or licenses computerized data, which includes personal information, is required to disclose any data security breach following the discovery. Notification is to be made to any resident of Missouri whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure is to be made in no more than 30 days after the breach has been discovered.

Political Calls
MO - Sen. Rupp (R) has pre-filed S.B. 65, which would expand existing law on telephone calls. The proposed legislation prohibits a person or entity from making any telephone solicitation or automated call to any Missouri subscriber who has given notice to the attorney general of their objection to receiving such calls. The proposed legislation also requires a person or entity making a political solicitation to provide a disclosure including the phrase, “This message is paid for by.” Survey and opinion research is explicitly exempted under the law, defined under an automated call as a communication, “from a person or entity requesting the residential subscriber’s personal opinion regarding a public policy matter, political candidate or issue before the voters or which may come before the voters, where the request for an opinion is made for a bona fide information-gathering purpose.” Therefore, S.B. 65 should have no negative impact on the research profession.