CA - Sen. Simitian (D) introduced S.B. 20, which creates additional security breach notification requirements. Existing law requires any agency, and any person or business conducting business in California that owns or licenses computerized data that includes personal information, to disclose any data security breach, following its discovery, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
S.B. 20 specifically requires an agency, business or person that must issue a security breach notification to: write the notification in plain language and include the name and contact information of the reporting entity; list the types of personal information that were or are the subject of the breach; the date, estimated date or date range when the breach occurred; whether the notification was delayed as a result of a law enforcement investigation; a general description of the breach incident; the estimated number of persons affected by the breach; and toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a bank account or credit card number, a social security number or a driver’s license or California identification card number. The notification may also include information about what the entity has done to protect individuals whose information has been breached and advice on steps the person whose information has been breached may take to protect themselves. The legislation also requires that if an entity must issue a security breach notification to more than 500 California residents, then the notification must be sent to the attorney general. If subject to a security and data breach, survey and opinion researchers would be expected to comply with S.B. 20.
Survey and opinion researchers would be expected to comply with H.B. 1005. MRA recommends that research professionals should already be crafting and deploying their privacy policies in a similar fashion. This bill is likely to become law in the state of Washington.
Financial and Data Privacy
MO - Rep. Wildberger (D and Chairman of the House Democratic Caucus) has pre-filed H.B. 100, which would add new sections to existing law on the release of personal information to unauthorized persons. H.B. 100 seeks to prohibit financial institutions, their officers, employees, agents and directors from disclosing any personal financial information relating to a customer without consent. Valid consent must be in writing and signed by the customer. H.B. 100 also provides that any person or business that conducts business in the state of Missouri and owns or licenses computerized data that includes personal information is required to disclose any data security breach following its discovery. Notification is to be made to any resident of Missouri whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure is to be made no more than 30 days after the breach has been discovered.
MO - Sen. Rupp (R) has pre-filed S.B. 65, which would expand existing law on telephone calls. The proposed legislation prohibits a person or entity from making any telephone solicitation or automated call to any Missouri subscriber who has given notice to the attorney general of their objection to receiving such calls. The proposed legislation also requires a person or entity making a political solicitation to provide a disclosure including the phrase, “This message is paid for by.” Survey and opinion research is explicitly exempted under the law, defined under an automated call as a communication, “from a person or entity requesting the residential subscriber’s personal opinion regarding a public policy matter, political candidate or issue before the voters or which may come before the voters, where the request for an opinion is made for a bona fide information-gathering purpose.” Therefore, S.B. 65 should have no negative impact on the research profession.