On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading
On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading
The US elections on November 3, 2020 included three states with privacy-related ballot initiatives: California, Massachusetts, and Michigan. Voters supported all three initiatives.… Continue reading
Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by … Continue reading
In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading
As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue reading
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading
Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading
The bar is to be raised yet again for privacy compliance in Australia. Cyber-risk has become a key agenda item for boards for the public sector, and the impending mandatory data breach notification regime is set to propel cyber-risk to the top of the agenda.… Continue reading
On 13 October 2015, substantial amendments to the Australian Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) took effect to introduce a new metadata retention scheme into the TIA. This scheme requires telecommunications carriers and internet service providers (telcos) operating in Australia to maintain records of certain telecommunications data, known as ‘metadata’, for a period … Continue reading
On June 11, 2015, Connecticut Governor Dannel Malloy signed Senate Bill 949 (“S.B. 949”) into law. This new law imposes a various new requirements relating to data breach response and notification, including imposing a hard 90-day deadline for data breach reporting and requiring that entities regulated by the Connecticut Insurance Department to implement and maintain … Continue reading
On March 2, 2015, Wyoming signed into law Senate Bills S.F. 35 and S.F. 36, which amend the content requirements for breach notifications in W.S. 40-12-502, and the definition “Personal Identifying Information” in W.S. 40-12-501. These amendments will take effect on July 1, 2015.… Continue reading
On May 13, 2015, Governor Brian Sandoval of Nevada signed Assembly Bill No. 179 (“AB 179”) into law. AB 179 amends Nevada Revised Statutes § 603A.040, which defines “Personal Information” for Nevada’s laws on the security of personal information. This amendment will take effect on July 1, 2015.… Continue reading
Today the European Council approved its version of the General Data Protection Regulation (GDPR). The next stage is for the European Commission, European Parliament and European Council (each has its own preferred version of the regulation) to jointly agree on the final text of the regulation. These discussions will commence officially on June 24, 2015, and … Continue reading
On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require … Continue reading