2020 saw further development of comprehensive privacy protections in the United States. The consumer data protection and cybersecurity landscape continued to evolve as individual states enacted new legislation and revised already existing statutes, aimed at further protecting consumers’ personal information and data. Some highlights are below.
The California Consumer Protection Act of 2018 (CCPA)
On January 1, 2020, the long-awaited CCPA became effective, giving California residents certain rights over their personal information and requiring businesses that meet certain thresholds to affirmatively implement data protection policies and practices – think “California GDPR.”
Regulatory enforcement of the CCPA began on July 1, 2020. Meanwhile, even before the CCPA regulations were finalized, California voters strengthened the CCPA’s privacy protections when they approved the California Privacy Rights Act of 2020 (CPRA) during the November elections. Although most of the CPRA’s requirements do not take effect until January 1, 2023, certain consumer access requests provisions have a look-back period for personal information collected on or after January 1, 2022.
State Data Breach Law Updates
In 2020, changes to state data breach laws included namely:
• The District of Columbia (D.C.), Oregon, Vermont and Washington expanded the definition of personal information requiring protection and notification to individuals if part of a breach of security under those laws.
• D.C., Illinois, Texas and Vermont amended requirements on how and when to notify the state attorney general (AG) or individuals.
Some of the more notable changes include:
• Oregon now requires vendors to notify covered entities no later than ten (10) days after they discover or have reason to believe a breach of security occurred. A breach of security means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.
• Illinois’ AG must receive notification of a breach impacting more than 500 Illinois residents and may publish details about data breaches. Like Oregon, Illinois defines breach to mean the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information that a data collector maintains.
• Texas requires notification to individuals within 60 days of a breach and notification must be provided to the Texas Attorney General if 250 or more residents are impacted as a result of a breach. Texas also defines “breach of system security” to mean unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of sensitive personal information that a person maintains, including encrypted data if the person accessing the data has the required decryption key.
• Washington shortened its notification timeline for individuals from 45 to 30 days.
• D.C. now requires entities to offer identity protection for at least 18 months if a breach involves a Social Security or tax identification number, and entities must provide notification to the Attorney General if a breach impacts 50 or more D.C. residents. D.C. defines “breach of the security of the system” to mean unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality or integrity of personal information that the person or entity who conducts business in D.C. maintains.
Sector-Specific State Law Updates
Insurance Data Security Laws
Virginia, Louisiana and New Hampshire enacted insurance data security laws that became effective in 2020, joining Alabama, Connecticut, Delaware, Michigan, Mississippi, Ohio and South Carolina. These laws are based off the 2017 Model Insurance Data Security Law that the National Association of Insurance Commissioners (NAIC) adopted.
While there are state-specific nuances, generally, these laws:
• Require licensees to notify state insurance regulators about applicable cybersecurity events, often within a 72-hour window;
• Include exceptions for certain state-defined businesses or licensees subject to federal or state regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or the New York Department of Financial Services (DFS) Cybersecurity Regulations; and
• Give insurance regulators investigative, enforcement and rulemaking powers.
Student Privacy Laws
Following a trend, Vermont enacted a proactive student data privacy law that requires website and mobile services or application operators that provide services for pre-K through 12th grade students to:
• Implement reasonable security procedures and practices;
• Delete students’ covered information within a reasonable period;
• Not engage in advertising based on any information acquired while providing the school service.
Notable Proposed State Data Breach Notification and Other Privacy Laws
While there were too many proposed laws to list, two proposals that failed in Washington and Indiana were notable because other states eventually implemented them:
• Washington thought it would be the second state to pass a comprehensive privacy law, but its efforts did not pan out before Virginia enacted its Consumer Data Protection Act (CDPA) in early 2021. The CDPA grants consumers a broad range of control over their personal data, including sensitive personal data, which is defined as “a category of personal data that includes biometric data, data collected from children, precise geolocation data and personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status.”
• Indiana Governor Eric Holcomb “disapproved” of a proposed safe harbor rule for database owners that implement “reasonable data” security plans and report corrective action plan to the Attorney General’s office, but asked the legislature to review its data breach laws. Utah’s enacted Cybersecurity Affirmative Defense Act gives companies an affirmative defense against data breach lawsuits if they implement a written information security program that reasonably conforms with a recognized cybersecurity framework.
What’s On the Horizon in 2021
As noted above, Virginia enacted their own comprehensive consumer data privacy and security law, and Utah enacted the Cybersecurity Affirmative Defense Act, so things will not be boring in 2021.
Our third and final part of this three-part series will look back at notable case law and ethics opinions from 2020 and what we expect to see in 2021. Our first part of the series was a high-level lookback on the federal data privacy and security activity from 2020.
If you have further questions or would like additional information about the changes from 2020 or pending state legislation, please contact Jeffrey J. Boogay (; 267.930.4784) or Melissa J. Sachs (; 267.930.4747).
 Or. Rev. Stat. Ann. § 646A.604(2)(a).
 Id. § 646A.602(1)2(a).
 815 Ill. Comp. Stat. Ann. 530/10.
 Id. 530/5.
 Tex. Bus. & Com. Code Ann. § 521.053.
 Wash. Rev. Code Ann. § 19.255.010.
 D.C. Code Ann. § 28-3852b.
 Id. § 28-3851(1)(A).
 Michigan’s insurance data security legislation, which the governor signed in 2018, took effect on January 20, 2021. While most of South Carolina’s law took effect in 2019, covered entities had until July 1, 2020, to implement the provisions related to third-party service provider oversight and management obligations. Indiana also enacted legislation based off the NAIC model law that will take effect June 30, 2021. New York also regulates insurance licensees through its New York DFS Cybersecurity Regulations.
 The model law, MDL-668, defines cybersecurity event as an event that results in unauthorized access to, disruption or misuse of an information system or the information that it stores. It specifically excludes: (1) unauthorized acquisition of encrypted nonpublic information if the required decryption process or key is not also compromised and (2) events in which the licensee determines that any nonpublic information subject to unauthorized access: (a) has not been used or released, or (b) has been returned or destroyed. Id.