COMING SOON: New State Cyber Laws
Modern society was slow to acknowledge the negative “yin” to the positive “yang” of technological developments, but its response is quickly accelerating. Whether attributable to the significant increase in the cost and frequency of cyber-crime, the lapse of non-renewable cyber insurance coverage, or industry-imposed due diligence requirements, the result is the same: 7 states are poised to pass or institute new cyber laws:
1. WASHINGTON: Consumer Health Data Act
2. TEXAS: Consumer Data Protection Act
Passed by the Texas State Senate and heading to the Governor’s desk for signature is H.B. 4, by which Texas enacts a consumer privacy bill with definitions and exemptions resembling the California Consumer Privacy Rights Act and Europe’s GDPR. The new Texas law permits residents to enforce 5 common rights against processors of personal information: 1) confirm processing activities are performed; 2) correct personal data inaccuracies; 3) delete personal information; 4) obtain a copy of personal information being processed; and 5) opt out of processing.
Entities subject to HIPAA and Gramm-Leach-Bliley Act requirements, as well as guardians of major and minor persons, are exempt from the law’s application, which shall begin on March 1, 2024.
In addition to rudimentary consumer protection mechanisms, Texas goes further and imposes a civil penalty, not to exceed $7,500.00, for each violation. Unlike Illinois, which has a similar statutory penalty structure, only the Texas Attorney General may enforce this penalty, keeping Texas state courts protected from an influx of lawsuits. The new Texas law is well-written, spanning 89 pages. More to follow.
3. NEW YORK: Crypto Act (Cryptocurrency regulation)
On May 5, 2023, the NY Attorney General announced the introduction of the proposed Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act to regulate the purchase and exchange of digital currency. The act introduces public protection by imposing requirements found in the federal Electronic Fund Transfer Act, mandating that digital asset platforms reimburse customers who are the victims of fraud. Furthermore, every digital asset issuer, digital asset broker, digital asset marketplace, and digital asset investment adviser must create, implement, and maintain an effective cybersecurity program that satisfies the requirements of applicable state and federal data privacy and cybersecurity laws. More to follow.
4. MONTANA: Consumer Data Privacy Act
Pending submission to the Governor’s Office, John Dutton’s playground passed SB0384, which offers exemptions for non-profits, institutions of higher education, and entities regulated by HIPAA, the SEC, GLBA, and the Lanham Act. Consumers have the same five rights to protect, correct, or delete their personal data, and the attorney general is vested with enforcement power. If passed as written, the act becomes effective on October 1, 2024.
However, the bill limits the scope of application of the act to persons or businesses providing products or services to the State and its citizens that exceed $25,000,000 in revenue (total, not annual); control or process data of 25,000 consumers and derive at least 50% of their revenue from the sale of personal information; or, during a calendar year, control or process personal information of at least 175,000 consumers. Given the heft of the scope requirements, Montana seems to be targeting only large organizations.
Like Texas, New York, Colorado, Connecticut, Utah, Virginia, and Ohio, only the Montana Attorney General may enforce this act. However, unlike Texas, there are no pre-set civil penalties for violations.
5. TENNESSEE: Information Protection Act
Senate Bill 73 (substituted for HB 1101), the Tennessee Information Protection Act, was signed by the Governor on May 11, 2023. The new law becomes effective on July 1, 2025. Very similar to the legislation pending signature in Texas, the new act is only enforceable by the Tennessee Attorney General’s Office and permits a $15,000 fine for each violation – twice the amount permitted in Texas. Additionally, if the violation was willful, a court may impose treble damages, regardless of whether the victim suffered damages.
Businesses in Tennessee – Watch out!
6. INDIANA: Consumer Protection Act
With Senate Bill 5 pending, Indiana is set to pass its own Consumer Data Protection Act through additions to the Indiana Code, matching Texas’ maximum civil penalty with exclusive enforcement by the state Attorney General’s office.
7. IOWA: Consumer Protection Act
Earlier this year, on March 28, 2023, Iowa’s Governor executed Senate File 262, a consumer privacy act also enforced by the Iowa Attorney General’s Office, tracking language similar to that produced by Utah, Colorado, and Virginia.