For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation. Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action

On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018. Continue Reading Mandatory Data Breach Notification in Canada: Understanding Your New Obligations

A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter. Continue Reading Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.

For more information and to register please click here.

 

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR.  Continue Reading Using the GDPR to Comply with the California Consumer Privacy Act

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Continue Reading Oregon Amends Data Breach Notification and Information Security Laws

Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on June 1, 2018. Although it was last in the country to enact such a data security law, Alabama’s new law will immediately take its place among the most stringent in the nation.

The Alabama law generally can be categorized into four obligations:

  • All entities subject to the law (covered entities and third-party agents) must “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
  • A “covered entity shall conduct a good faith and prompt investigation” into “a breach of security that has or may have occurred in relation to sensitive personally identifying information.”
  • A covered entity must notify each affected Alabama resident, and a third-party agent must notify the covered entity, of a “breach of security involving sensitive personally identifying information;”
  • A covered entity must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

Continue Reading Alabama Becomes 50th State to Enact Data Breach Notification Law

South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law.  South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.  The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles. Continue Reading South Dakota Enacts Data Breach Notification Law