Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data, modeled on the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request correction of data errors, to withdraw consent to continued processing, and to request deletion of their data. Residents may also require an organization to confirm whether it is processing their personal information and to provide a copy of their personal data in electronic form.

Covered organizations will be required to provide consumers with a conspicuous privacy notice disclosing the categories of personal data collected or shared with third parties and the consumers’ rights to control use of their personal data. Significantly, covered businesses must conduct documented risk assessments that identify the personal data to be collected, weigh the risks of collecting it, and describe how those risks are mitigated through privacy and cybersecurity safeguards.

Washington’s proposal follows the recent enactment of the California Consumer Privacy Act (see EBG’s Act Now Advisory, “California’s Consumer Privacy Act: What Employers Need to Know”). Washington’s legislation, however, will grant rights beyond those contained in the California Act and is more closely aligned with the GDPR’s framework. The heightened protections are grounded in the sponsors’ recognition of the detrimental effect of data breaches and the resulting loss of privacy. The Act cites the GDPR as providing “the strongest privacy protections in the world” and adopts the GDPR’s expansive definition of “personal data”: any information relating to an identified or identifiable natural person.

Businesses that process the personal data of more than 100,000 Washington residents are covered, as well as “data brokers” that derive 50 percent of their revenue from the brokered sale of personal information. Notably, “data sets” (such as Protected Health Information (“PHI”)) already regulated by the federal Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, or the Gramm-Leach-Bliley Act of 1999 are not covered. The exclusion applies to those data sets, not to the institutions that hold them: if a health care or financial institution collects or processes other personal data not protected under these statutes and meets the thresholds above, it is likely covered as to that data.

Employers should take note that data sets maintained only for employment records purposes are excluded. Notably, the Act also excludes from coverage “an employee or contractor of a business acting in their role as an employee or contractor.” The Act will affect organizations that use facial recognition technology to profile consumers where the profiling has effects on “employment purposes” or “health care services”; such decisions will require human review before they become final. Organizations that contract with facial recognition firms may see pass-through contractual restrictions prohibiting use for unlawful bias.

There is no private right of action. Enforcement actions may be brought by the Attorney General to obtain injunctive relief and to impose civil penalties. If enacted, the Act, scheduled to become effective December 31, 2020, will have wide-ranging impacts requiring significant advance planning, risk assessments, and consideration of privacy-by-design and security-by-design principles.

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.”

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy for protecting plan data and for the prudent selection and monitoring of plan service providers who handle PII. Benefit plan service providers, including technology-based outsourcing companies, should also consider these guidelines and implement appropriate safeguards to protect against compromise of plan and participant data. These issues must be addressed in service arrangements and will continue to evolve.

Following is an excerpt:

Employee benefit plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries. With increasing regulation of benefit plans, these duties and associated responsibilities are mounting. With advancements in technology, online enrollment and access to account information, as well as benefit plan transaction processing, participant-identifiable information and data have become increasingly vulnerable to attack as they travel through employer and third-party systems.

Earlier this year, the attack on Anthem Inc.’s information technology system, which compromised the personal information of individuals under numerous health plans (including personally identifiable information, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, and there have been other similar attacks.

These cases remind us that in today’s world, plan participant information, whether it be protected health information, personally identifiable information or retirement savings account information, is vulnerable to theft. Employee Retirement Income Security Act plan fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures for the handling and transmission of all PII and participant data in the ordinary course of plan administration.

In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans studied the importance of addressing privacy and security issues in employee benefit plan administration. The council examined issues and concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII, and the impact on all parties, including plan sponsors, service providers, participants and beneficiaries. The council recognized several potential causes of breaches relating to benefit plan information, including hacking into retirement plan financial data, and recommended that the U.S. Department of Labor provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the Department of Labor has issued no such guidance.