Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses regarding the disposal of certain consumer records, and on manufacturers regarding the design and maintenance of devices that connect to the internet.

Care and Disposal of Customer Records

House Bill 2793 would require a business to “take all reasonable steps to dispose of, or arrange for the disposal of, consumer records” of which the business has control or custody.  The legislation requires “shredding, erasing, or otherwise modifying” personally identifiable information when a business chooses to no longer retain customer information.  Additionally, the legislation requires businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” the business retains “to protect the personal information of customers from unauthorized access, destruction, use, modification or disclosure.”

The legislation provides definitions for the terms business, customer, personal information and records.  It also provides that the required security procedures and disposal mandates do not apply to businesses subject to the privacy and security rules of HIPAA or those that are “regulated by state or federal law providing greater protection to personal information than that provided by” the proposed state law. Additionally, the legislation creates a private cause of action allowing an individual who is damaged by a violation of the act to recover damages and seek attorney fees.

Security for Connected Devices

The legislation requires manufacturers of devices that are capable of connecting to the internet and are sold in the Commonwealth to include in those products “reasonable security features.”  Among other requirements, the security features must be in compliance with “current standards and best practices as found within industry standards for cybersecurity and resiliency.”  The legislation also requires manufacturers offering such products in Virginia to provide to the Commonwealth’s Chief Information Officer (CIO) an “annual report of compliance with industry-recognized best practices.”

Under the bill, manufacturers must make available to customers an “opt-in forum” or provide a registration capability so that customers can be made aware of a breach event, and must make “patch notification and end-of-life support events easily obtainable by registered users of the manufacturer’s connected devices.”  Additionally, if a manufacturer is “aware of existing vulnerabilities that put more than 500 users at risk,” the bill imposes an obligation to notify the Commonwealth’s CIO and to provide remediation, patches and updates for the device “without unreasonable delay.”

Violations of the proposed legislation would be enforced by the state Attorney General or a local prosecutor, who could bring an action seeking injunctive relief against the manufacturer.

House Bill 2793 takes a unique approach by mandating various interactions between manufacturers of connected devices and the Commonwealth’s CIO.  The Commonwealth’s CIO is responsible for overseeing Virginia’s state government IT infrastructure.  While the interaction between the CIO and manufacturers in the proposed bill is limited to a reporting function, it is unclear why such reporting is needed if the law provides for enforcement by the Attorney General.  Moreover, the bill does not appear to offer any protection from Virginia’s Freedom of Information Act.  That omission could come into play when a manufacturer files its annual security compliance report and when a notice of an existing vulnerability in a product that affects more than 500 users is provided to the Commonwealth’s CIO.  Those documents would likely be considered public records under the Virginia Freedom of Information Act and subject to disclosure, if properly requested under the public records act, to competitors and to anyone else, including a vulnerability notice filed before a patch is available to affected users.

The House Commerce and Labor Committee will consider the legislation later this week in subcommittee.  Although there are several exceptions written into House Bill 2793, the legislation imposes another regulatory scheme and compliance burden on businesses and manufacturers of connected devices.