Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about the possibility of Georgia’s legislature passing the strongest state privacy law in the country. Since then, two other states have moved closer to adopting state privacy laws, and a major federal regulator has put down a marker sure to get the attention of publicly traded companies.


Show Transcript

* NOTE: On 3/14/22 the proposed Florida privacy law died in Commerce and Tourism

Things That Come in Threes

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 11, 2022. Our podcast today is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about the possibility of Georgia’s legislature passing the strongest state privacy law in the country. Since then, two other states have moved closer to adopting state privacy laws, and a major federal regulator has put down a marker sure to get the attention of publicly traded companies. The proposed *Florida and Utah privacy laws give us the inspiration for this week’s episode title, in the form of a Jeopardy category – I’ll take “Things that come in Threes.”

Proposed Utah Privacy Law

First, let’s talk about Utah. Both chambers in the Utah legislature have approved a new state privacy bill that is a bit of a mixed bag. Utah’s proposed privacy law contains provisions to give Utah residents more access and control over personal information shared with organizations. However, it lacks a right to correct information, a strong enforcement provision, and a requirement for routine privacy and cybersecurity audits. Under the proposed legislation, only the state Attorney General can enforce the law, and there are no specific penalties for violations outlined in the bill.

Proposed Florida Privacy Law

That’s different from a *Florida privacy law introduced in the state’s legislature that would allow Florida residents to file a lawsuit to enforce a new state privacy law. We’ve talked about this before on the Weekly Breach Breakdown – the ability of consumers to enforce the provisions of a state law, known as the Private Right of Action. Florida becomes the second state where the conservative leadership supports private lawsuits in the event of privacy violations.

While the proposed Utah privacy law is likely to be signed into law and go into effect in December 2023, the *Florida privacy law bill may already be dead for this legislative season by the time you listen to this podcast.

New Proposed Regulations from the SEC

This week, the big privacy and security news is from the Securities and Exchange Commission (SEC). A month after the SEC Chair signaled that new cybersecurity-focused regulations were on the way, the Commission released a proposal that affects all publicly traded companies.

The SEC tied the new proposed regulations to the growing threat of serious cybersecurity attacks and the need to provide investors with information about cyberattacks.

The proposals would require companies to disclose certain cybersecurity incidents within four business days. There are already well-established procedures for reporting “material events,” which would be the standard used to report cyber incidents. A cyber incident is defined in the proposal, as is the kind of information that must be disclosed. The SEC draft notes that “there is a possibility a registrant would be required to disclose the incident, even though it could delay incident reporting under a particular state law.”

The proposed regulation would also require companies to disclose a more comprehensive array of information about their cybersecurity programs, including how frequently they assess risks and who on the Board of Directors has cybersecurity expertise, if anyone.

As with all proposed government regulations, the public is invited to submit comments. At the end of the comment period, the Commission may amend the proposal or vote to put the regulation into effect. If you want to learn more about the proposal, visit SEC.gov.

Contact the ITRC

If you want to learn more about protecting your personal or business information or if you think you have been the victim of an identity crime or compromise, visit our new website at our old web address www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our regular business hours (Monday-Friday 6 a.m.-5 p.m. PST).

Be sure to check out the most recent episode of our sister podcast, The Fraudian Slip. ITRC CEO Eva Velasquez and cryptocurrency expert Seth Sattler talk about the identity risks and rewards of digital currency.

Thanks again to Experian for supporting the ITRC and this podcast. We’ll be back next week with a new episode of the Weekly Breach Breakdown.