Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.
security breach
Breach notice becomes law in the Netherlands; 11 things to know
On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entities that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require data controllers to update agreements with their data processors to account for breach notice obligations. The law also increases fines for violations of the Dutch Data Protection Act (DPA) to up to €810,000 or 10% of the company’s net annual turnover. Both data controllers and data processors (who may be deemed “accomplices” in the breach) may be subject to the fines.
PCI DSS 3.0 Requires Some Service Provider Contract Changes
On April 15, 2015, the PCI Security Standards Council issued Payment Card Industry Data Security Standards (PCI DSS) version 3.1 (PCI DSS v3.1), which contains some “minor updates and clarifications” to PCI DSS v3.0, which went into effect on January 1, 2015.