U.S. Data Protection and Privacy Laws: Brand-new Updates in State Regulations (Part1)
Let’s examine the first two quarters of the year to understand where we are heading regarding real-world data security incidents and breaches.
Recent research trends indicate several disruptive events where the public and consumers were intentionally targeted by threat actors. Their personal data was compromised by hacking into healthcare systems and business organizations. The first six months of 2024 saw a torrent of data extortion and ransomware.
Verizon’s latest Data Breach Investigation Report finds that 62% of financially motivated incidents involved ransomware, accounting for a median loss of $46,000 per breach. 68% of breach incidents were due to human errors or falling victim to social engineering attacks. And 15% of cases involved a third-party or software services vendor, hosting and infrastructure partner, and data custodian.
Rounding Up Data Breach Incidents Since the Beginning of 2024
- Trello’s Massive User Data Leak: On January 16, 2024, nearly 15 million (almost 20 GB) user data of Trello, a project management software provider, was exposed by an attacker under the name ’emo’. The threat actor reportedly shared leaked data, including usernames, legal names, membership details, and email addresses, on July 16. In addition, ‘Emo’ shared details about breaking into Trello using an open API endpoint. Trello’s investigation into the data leak found that the hacker used a pre-existing email list gathered from earlier breaches.
- Leading American Bank’s Third-Party Incident: A leading bank in the U.S. suffered a third-party data breach that compromised tens of thousands of its customers’ names, social security numbers, date of birth, addresses, and banking information. The attackers belonged to a ransomware group, LockBit, and hacked into the third-party service provider’s systems, encrypting over 2,000 vendor applications. The incident occurred in February, three months after the bank encountered another ransomware attack.
- Vans Ransomware Attack: Prominent apparel and shoe brand Vans emailed its customers in March 2024 about an external security attack on their system involving personal information, purchase history, and payment details. The attack occurred in December last year by the ALPHV/BlackCat ransomware group, which infiltrated Vans systems and stole an average of almost 35.5 million customer data.
- Breach of Space Eyes by IntelGroup: Space Eyes, the U.S. government agencies’ geospatial intelligence firm, was hacked in April by IntelGroup and accessed sensitive data. Space Eyes works with U.S. government agencies, including the U.S. armed forces, the National Geospatial Agency (NGA), the Department of Justice, and the Department of Homeland Security.
- Dropbox Hackers Access Customer Passwords: Dropbox announced in May that it suffered unauthorized access to the Dropbox Sign’s production environment, exposing its customer information, login credentials, hashed passwords, and multi-factor authentication data.
- Ticketmaster’s Cloud Database Theft: Ticketmaster shared a data breach notification claiming that a third party has infiltrated their cloud database, Snowflake, which hosted millions of user data. The company cautioned its customers to ‘remain’ vigilant’ against potential identity theft and announced a year of free identity monitoring.
- Disney Slack Leak: A Cybercriminal group called NullBulge recently downloaded the Slack channels of Disney’s development teams and accessed data that included customer information, credentials, raw codes, images, links to internal API, and unreleased projects. The group left a message declaring the attack and the details of the compromised data. The attack pattern resembled it being assisted by an insider.
What’s New in State Data Protection and Privacy Regulation?
The U.S. has no unified data privacy dictum like the EU’s General Data Protection Regulation (GDPR). However, almost 15 states have enacted their own data privacy laws. A few more are yet to implement their data protection and privacy regulations. Below are the interesting updates on U.S. data security and privacy regulations.
- Amendment of the Colorado Privacy Act: The Colorado Privacy Act recently amended its laws by including biological and neural data under sensitive information that companies must process only after they have performed data protection assessments and have customers’ consent. Colorado also passed strong regulations on processing employees’ biometric data and protecting minors’ data.
- Florida’s Digital Bill of Rights: This law went into effect in July 2024 and applies to businesses and entities making $1 billion in gross revenue and 50% of global annual revenue coming from online advertisement sales.
- Illinois State Amends the Biometric Information Privacy Act (BIPA): Illinois signed a bill amending the BIPA to hold companies accountable for violations on a per-person basis rather than each instance of biometric data misuse and breach. The law update is expected to curb cases of companies sued over BIPA breaches and requires obtaining written consent for collecting customers’ biometric information electronically.
- Kentucky’s Comprehensive Privacy Law: Kentucky’s Governor, Andy Beshear, recently signed the Kentucky Consumer Data Protection Act, which will take effect on January 1, 2026. The Kentucky CDPA outlines the legal obligations of entities that act as controllers to determine the purpose of data processing actions. This regulation does not apply to government agencies, financial firms regulated under the Gramm-Leach Bliley Act, nonprofit companies, HIPPA-covered entities, and businesses.
- Montana Consumer Data Privacy Act: The state’s privacy act will go into effect in October 2024 and apply to all businesses in Montana or entities selling their products or services to residents and processing their personal data.
- Nebraska’s Data Privacy Act: Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act, officially making it the 17th state with a comprehensive data privacy law. The regulation will take effect in January 2025. The state’s data privacy regulation is like the Texas Data Privacy and Security Act. It applies to all individuals or entities conducting business in Nebraska irrespective of their revenue threshold or number of consumers whose personal data is processed or sold. Consumer data privacy rights under Nebraska’s Data Privacy Act are consistent with other state laws.
- New Jersey Data Protection Act: New Jersey’s Data Protection Act was enforced on January 16, 2024, to regulate Individuals and entities conducting businesses that sell products or services to the state’s residents.
- Oregon Consumer Privacy Act: The Oregon Consumer Privacy Act (OCPA) took effect in July 2024 and applies to businesses, including nonprofit companies, that fall within its customer data threshold.
- Texas Data Privacy and Security Act: This law became effective in July 2024 and includes privacy protection standards for companies conducting business or selling a product or service to Texas residents. The law includes critical definitions of personal data, sensitive data, biometric data, deidentified data, consent, child, and more.
Let Us Ease Your Privacy Impact Assessment with OpenPages Data Privacy Management
Stay tuned for part two of the blog on updates to the federal level of U.S. data protection and privacy regulations!
Are you looking to ease your privacy impact assessments? iTech GRC’s OpenPages implementation expertise and GRC professionals’ experience with data privacy management can help your enterprise keep up with changing data privacy regulations.
Let’s use OpenPages Data Privacy Management to help your firm achieve invaluable certainty while avoiding data breaches and legal fines for non-compliance.
Connect with our team to streamline privacy reporting and risk management with iTech GRC’s Data Privacy Management Solution.