On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor from punitive damages in breach-related tort actions for companies that, at the time of a security breach, maintained a written cybersecurity program conforming to an industry-recognized framework. …
In the absence of federal action, states have been actively passing new and expanded privacy and cybersecurity requirements. While laws like the California Consumer Privacy Act (CCPA) are getting most of the attention, many states are also amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws, either to expand their definitions of personal information or to add new reporting requirements.
Below is a roundup of the recent and significant changes. …
On 12 April 2019, the Information Commissioner's Office (ICO) fined Bounty, a pregnancy and parenting support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. Because the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA). …
The UK Supreme Court has confirmed that Morrisons has been granted permission to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338. …
This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its January 2018 newsletter, which focuses on “cyber extortion.” Cyber extortion typically involves an attacker gaining access to an organization's systems, stealing sensitive information, and threatening to publish it unless the organization pays. Healthcare and public health organizations are frequent targets of these attacks, so the affected data often includes protected health information (PHI). The OCR newsletter notes that cyber extortion incidents have increased steadily over the past several years and will continue to disrupt many organizations. …
On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the postmarket management of cybersecurity vulnerabilities in marketed and distributed medical devices. The guidance establishes a risk-based approach to determining when medical device cybersecurity vulnerabilities must be reported to the FDA. …
After a district court dismissed a lawsuit filed by customers of the restaurant chain P.F. Chang's China Bistro whose payment card information was stolen in a data breach, the 7th Circuit Court of Appeals has revived the suit. In a ruling last week, the appellate panel held that customers whose payment card information was stolen in the breach have standing to sue even if they do not allege any actual losses from identity theft or payment card fraud. …
On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China.
The draft expressly provides that the law will apply equally to Chinese and international businesses. …
On June 18, 2015, Canada's Senate and House of Commons passed the Digital Privacy Act, which amends the country's federal Personal Information Protection and Electronic Documents Act (PIPEDA). Many of the amendments will come into force on a date to be determined by the government. The revised requirements (highlighted below) will significantly affect how organizations subject to PIPEDA handle personal information. Those are organizations that either are federally regulated and fall under the legislative authority of the Parliament of Canada, or operate within a province that does not have in place …
On March 2, 2015, Wyoming's governor signed into law Senate Files 35 and 36 (S.F. 35 and S.F. 36), which amend the content requirements for breach notifications in W.S. 40-12-502 and the definition of “personal identifying information” in W.S. 40-12-501. The amendments take effect on July 1, 2015. …
The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to bargain collectively with its employees' union over the postal service's response to a 2014 data breach that reportedly affected more than 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service's unilateral decision to provide credit monitoring and fraud insurance to affected employees, without bargaining with the union on these issues, violated Sections 8(a)(1) and (5) of …
A more robust data breach notification law looks set to make its way onto the books in the state of Washington: newly passed legislation was sent to Governor Jay Inslee's desk earlier this week for final approval. House Bill 1078, which has passed both legislative houses by unanimous vote, will bring about several notable changes to Washington State's breach notification law if and when the Governor signs it.
Late last Friday afternoon, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”). This follows on the heels of the President's announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, among them a single national breach notification standard. It also comes at a time when consumers may be particularly interested in addressing cybersecurity threats, given health insurer Anthem Inc.'s data breach and the hack of Sony Pictures Entertainment in November.
What Does the Act Govern?
Organizations whose employees are insured by Anthem, or whose self-insured health plans are administered by Anthem, should consider steps to mitigate the cybersecurity and legal risk arising from the breach Anthem recently reported.
The hackers who perpetrated the Anthem breach are likely to use the personal information they took in further attacks against affected individuals and employers, including social engineering and other methods aimed at gaining access to business information. Anthem's business customers are advised to take immediate steps to harden their cybersecurity defenses, raise employee awareness of likely secondary attacks, and remain vigilant against further …
Leading up to the President's State of the Union, the White House previewed several potentially sweeping cybersecurity initiatives, including a proposed federal law that would create a single national breach notification standard, titled the Personal Data Notification & Protection Act (the “Act”). The President argued that the proposed law would benefit consumers and relieve the confusion and cost borne by companies that must navigate the “patchwork” of differing state laws that currently governs breach notification. In our view, the national breach law proposal may receive bipartisan support, but as always it is very difficult to handicap the …
Media outlets previewing the President’s upcoming State of the Union Address (to be delivered on Tuesday, January 20 at 9 pm ET) have reported that the President will name cybersecurity as one of the top issues that businesses and the government must tackle in 2015. The President has characterized cyberattacks and cyber warfare as a “direct threat” to the American economy.
Setting out the Administration's agenda, the President, speaking at the FTC, called on Congress to enact privacy and cybersecurity bills that the White House views as critical but which have languished in legislative gridlock for years.
Among …