Recently, Massachusetts Attorney General Maura Healey announced that Yapstone, a California-based company that processes payments for rental and vacation properties, was fined $155,000 for a data security violation that exposed the personal information of more than 6,800 Massachusetts residents.
Beyond the fine, the settlement requires Yapstone to take further steps to protect personal data: retain a Chief Information Security Officer (CISO), assess and implement security policies for its internal and external systems, and train employees on data security.
The office of the Massachusetts Attorney General was notified of this incident in 2015 and the investigation revealed the following:
In July 2014, while modifying Yapstone’s website, the company’s engineers accidentally removed password protection from the public-facing sign-up pages for Yapstone’s service. These pages stored consumers’ personal information, including bank account numbers, Social Security numbers, addresses, and driver’s license numbers. The mistake left the pages viewable by anyone on the internet for more than a year. The investigation found that Yapstone employees appeared to have been aware of the exposure in August 2014 but did not fix it until August 2015, when another employee rediscovered it.
The Massachusetts Attorney General’s office enforces the Massachusetts Data Security Regulations (201 CMR 17.00), which require businesses and organizations that hold personal information about Massachusetts residents to develop, implement, and maintain a written information security program to protect that data.
Many U.S. state laws regulate the collection and use of personal data, and their number is growing.
California was the first state to enact a security breach notification law (see California Civil Code §1798.82) and recently passed the California Consumer Privacy Act of 2018, which takes effect on January 1, 2020.
California is not alone in paving the way for new data regulations. Vermont recently became the first state in the nation to regulate “data brokers,” the companies that buy and sell personal information. Data brokers in Vermont must now register with the state, disclose what data they collect, and allow consumers to opt out, in addition to meeting security requirements and breach notification obligations. Consumers can also sue brokers if the data they sell is used for illegal discrimination.
Colorado legislators likewise recently enacted “a new law targeted at frequently ill-defined data protection practices within companies.”
The National Conference of State Legislatures (NCSL) report from fall 2018 catalogs many more new state laws related to data privacy.
As of this writing, the United States has no centralized, comprehensive data protection legislation comparable to the European Union’s General Data Protection Regulation (GDPR). The U.S. does protect personal data to a degree through a patchwork of narrower instruments: the Privacy Act of 1974, which governs how federal agencies handle personal records; the Health Insurance Portability and Accountability Act (HIPAA) for health information; and, for transfers from the EU, the EU-U.S. Privacy Shield framework, which replaced the Safe Harbor arrangement after the latter was invalidated in 2015.
Under Section 5 of the Federal Trade Commission Act, the U.S. Federal Trade Commission (FTC) is broadly empowered to bring enforcement actions against unfair or deceptive practices, including inadequate data security, and to enforce the federal privacy and data protection statutes it administers.
Stay tuned, though: cybersecurity will be a hot topic on Capitol Hill in 2019, and both Democrats and Republicans agree that consumers need stronger U.S. privacy laws. For now, state laws from coast to coast are getting tougher to meet the need for consumer data protection.