Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)
Data breach notification places cyber-risk at the top of the agenda
The bar is to be raised yet again for privacy compliance in Australia. Cyber-risk has become a key agenda item for boards for the public sector, and the impending mandatory data breach notification regime is set to propel cyber-risk to the top of the agenda.
Australia: Metadata retention commences, but breach notification is delayed
On 13 October 2015, substantial amendments to the Australian Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) took effect to introduce a new metadata retention scheme into the TIA. This scheme requires telecommunications carriers and internet service providers (telcos) operating in Australia to maintain records of certain telecommunications data, known as ‘metadata’, for a period of two years.
New data security law in Connecticut imposes new requirements on businesses, regulated entities, and state contractors
On June 11, 2015, Connecticut Governor Dannel Malloy signed Senate Bill 949 (“S.B. 949”) into law. This new law imposes a various new requirements relating to data breach response and notification, including imposing a hard 90-day deadline for data breach reporting and requiring that entities regulated by the Connecticut Insurance Department to implement and maintain a “comprehensive information security program” to protect personal information. The various sections of S.B. 949 take effect in stages, with some having taken effect on July 1, 2015, and others becoming effective as late as October 1, 2017.
Wyoming amends data security law to expand definition of “Personal Identifying Information” and notification content requirements
On March 2, 2015, Wyoming signed into law Senate Bills S.F. 35 and S.F. 36, which amend the content requirements for breach notifications in W.S. 40-12-502, and the definition “Personal Identifying Information” in W.S. 40-12-501. These amendments will take effect on July 1, 2015.
Nevada amends data security law to expand definition of “Personal Information”
On May 13, 2015, Governor Brian Sandoval of Nevada signed Assembly Bill No. 179 (“AB 179”) into law. AB 179 amends Nevada Revised Statutes § 603A.040, which defines “Personal Information” for Nevada’s laws on the security of personal information. This amendment will take effect on July 1, 2015.
European Council approves EU General Data Protection Regulation draft; final approval may come by end of 2015
Today the European Council approved its version of the General Data Protection Regulation (GDPR). The next stage is for the European Commission, European Parliament and European Council (each has its own preferred version of the regulation) to jointly agree on the final text of the regulation. These discussions will commence officially on June 24, 2015, and are currently scheduled to produce the final version of the GDPR by December 2015.
Breach notice becomes law in the Netherlands; 11 things to know
On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require data controllers to update agreements with their data processor to account for breach notice obligations. The law also increases fines for violations of the Dutch Data Protection Act (DPA) to up to €810,000 or 10% of the company’s net annual turnover. Both data controllers and data processors (who may be deemed “accomplices” in the breach) may be subject to the fines.