In Connecticut and Virginia, the new consumer privacy laws that comprehensively adopt the fair information practice principles, including data security, have left large swaths of data exempt from any cybersecurity requirements. States using the same consumer privacy template as Connecticut and Virginia should consider the exceptions language very carefully lest, while advancing consumer rights, they actually fall behind other states in protecting cybersecurity.

Section 6(3) of the Connecticut law signed May 10, 2022, states a data controller shall “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.” Virginia adopted almost exactly the same language in its 2021 Consumer Data Protection Act. While only five states have comprehensive consumer privacy laws, at least 21 states, counting the District of Columbia, in addition to Connecticut and Virginia, have similar provisions on the books requiring “reasonable” cybersecurity measures for personal information.

Until the recent surge of comprehensive state privacy laws, most of the states adopting provisions requiring reasonable data security did so either as freestanding laws or as part of breach notice laws. Their coverage was broad, and their exceptions were narrow.

However, the Connecticut and Virginia laws have very broad exemptions. Some make sense. For example, using almost identical wording, they exempt financial institutions or data subject to the U.S. Gramm-Leach-Bliley Act, which contains a security requirement, and entities covered under the U.S. Health Insurance Portability and Accountability Act, which also requires data security.

But the Connecticut and Virginia laws also exempt state and local government agencies, nonprofit organizations, and institutions of higher education. Most institutions of higher education may be subject to cybersecurity requirements through their financial aid contracts with the federal government, but it does not seem that government agencies or nonprofits are subject to any statutory obligation in Connecticut or Virginia to protect the vast quantities of personal data they collect. In contrast, for example, the reasonable security measures provision in the Alabama breach notice law covers any “person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.” The coverage of Kansas’ freestanding reasonable measures law is similar. Maryland’s reasonable security measures law covers any business, defined as “a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit.” By my count, of the 21 other reasonable security measures laws, 13 apply to governmental entities, 20 apply to nonprofits and 20 apply to institutions of higher education, leaving Connecticut and Virginia as outliers.

Another huge exception in the Connecticut and Virginia laws is for employee and job applicant data, an exemption found in no other state data security law. There are some good reasons to exempt job applicant and employee data from a consumer privacy law, but there is no reason at all to exempt it from data security obligations, especially since employment records likely include financial and health data.

And the Connecticut and Virginia laws go on with further exceptions. In very similar language, they exempt a wide range of health data outside the HIPAA bubble (which may be the majority of health-related data), much of which is subject to no data security requirement. For example, the Connecticut and Virginia laws exempt identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, the so-called Common Rule. But that rule focuses on informed consent and says nothing about data security. (It doesn’t address many other privacy issues — access, right to correct, data minimization or right to delete — either.) Both Connecticut and Virginia laws exempt personal data regulated by the U.S. Family Educational Rights and Privacy Act, which has no data security component, and personal data collected, processed, sold or disclosed in compliance with the U.S. Driver's Privacy Protection Act, a 1994 law that also contains no data security requirement. 

Like the exemptions for governmental, nonprofits and higher education, these broad exemptions leave Connecticut and Virginia out of step with the 21 other states that have adopted general cybersecurity laws. Those freestanding cybersecurity laws have much narrower exceptions. The New Mexico statute exempts only entities subject to GLBA or HIPAA. The Arkansas cybersecurity law has a more generalized carve-out exception, but it focuses on the key question of whether there is, in fact, a federal security rule: “The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter.” The wording of the Nebraska exception is even better. It states an individual or a commercial entity complies with the reasonable security requirement of Nebraska law if it complies with a state or federal law that provides greater protection to personal information than the Nebraska law or complies with the regulations promulgated under GLBA or HIPAA. This means the entity has to actually comply with the federal rule, not merely be covered by it. Massachusetts law comes to the same point by stating that any person or agency that does not comply with applicable federal laws or guidelines shall be subject to Massachusetts law. Other state laws are similarly careful in the wording of their exemptions.

Since the states adopting the current wave of consumer privacy laws seem to be working from a similar template, it would be unfortunate if the exceptions in the Connecticut and Virginia laws were to gain more widespread adoption. (Utah’s new consumer privacy law has similarly broad exemptions, but Utah has a separate freestanding data security requirement that remains untouched.) 

Security has been an element of the fair information practices from the earliest stages, so it is logical that the security principle is being written into comprehensive privacy laws. But the lobbying around exemptions to state privacy laws is producing exemptions for data or entities that are not subject to any other cybersecurity obligations. As more states move to adopt comprehensive consumer privacy laws, it would be far better to put the reasonable security measures language into a freestanding section not subject to the broad exemptions or into the existing breach notice law that every state already has. (Caution, however: The definitions of personal information or sensitive information in many breach notice and reasonable security laws are outdated in their narrowness.) In any case, states should be much more careful in ensuring that exemptions to the privacy rules (leaving aside the privacy merits of those exceptions) do not create datasets or classes of data controllers subject to no security obligation at all.

Photo by John-Mark Smith on Unsplash