Arkansas: Digital Responsibility and Data Safety
In Arkansas, the Digital Responsibility, Safety and Trust Act would add a chapter to state consumer protection codes, requiring organizations, businesses and their affiliates to steward users’ private and personal data. The act covers textual information as well as artificial intelligence (AI) and biometric data.
Arkansas would join at least 20 states that have passed consumer privacy laws, with California being the first in 2018. Several of these laws will take effect this year. State Senate Bill 258, co-sponsored by state Sen. Clint Penzo and Rep. Stephen Meeks, is under review by the Senate Transportation, Technology and Legislative Affairs Committee.
It would require that consumers consent to the sale of their data, and would mandate stringent data management guidelines for businesses. The act includes numerous safeguards around biometrics, such as requiring consent, disclosure and retention policies.
The bill requires developers of so-called “high-risk” artificial intelligence to exercise “reasonable care” to protect consumers from algorithmic discrimination, and also guards consumers against machine learning bias. It also delves into “dark patterns,” tactics that entrap end users into making purchases or giving away unnecessary data, and that make it difficult to end subscriptions. Enforcement would fall to the state attorney general.
Texas: Water Utility Cybersecurity
In Texas, state Senate Bill 1034 would make so-called “retail” public utilities eligible for cybersecurity services from the state Department of Information Resources.
Notably, the bill would tighten cybersecurity for these utilities, barring their “supervisory control and data acquisition systems” from accessing the Internet and requiring them to connect only via intranet or site-to-site virtual private networks. It would set stricter identification requirements for employees accessing systems; implement mandatory cybersecurity training; mandate incident reporting within 48 hours; and could require cyber audits and assessments.
Per state code, retail public utilities, generally, provide potable water service, sewer service or both. The designation includes hundreds of providers, servicing everything from mobile home parks to counties, according to Texas Public Utility Commission data.
Missouri: Insurance Cyber and Data Security
The proposed Insurance Data Security Act would require insurance companies and others licensed by the state Department of Insurance to implement information security programs appropriate to each licensee’s “scope of activities.” SB 385, sponsored by state Sen. Curtis Trent, was recently sent to the state Senate Committee on Insurance and Banking for consideration.
Requirements for companies include conducting risk assessments, identity management, setting up privacy safeguards, data breach reporting, disaster recovery planning, employee cybersecurity training, and other cyber-hygiene measures. The state Department of Commerce and Insurance would be tasked with overseeing compliance.
The act also specifies how consumers’ private data should be handled and how breaches should be reported: indicating that nonpublic “documents, materials or other information” may not be released to third parties; protecting access to private information; and requiring that consumers be notified of cybersecurity incidents.