Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”

A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that have suffered a data breach, such as a 45-day deadline to provide notice to affected individuals. Click here for a discussion of the proposed legislation.

With the New Year come new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity-related compliance statutes that have taken effect or soon will. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here.

With the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR) inching closer, U.S. multinational companies have been eagerly awaiting guidance from the Article 29 Working Party on key provisions, such as the use of algorithms to make processing decisions, the new 72-hour response period for data breaches, the meaning of consent under the GDPR, and the appointment of a Data Protection Officer. Over the next few weeks, we will be providing our analysis of recent WP29 guidance.

Today, we begin with new guidelines addressing the use of algorithmic processing engines – what the GDPR calls “automated decision-making.” According to the Guidelines, profiling is an automated form of processing, carried out on personal data, the objective of which is to evaluate personal aspects about a natural person.

The Arizona legislature is considering legislation that would significantly change its data breach notification statute. The proposed legislation would expand the statute’s definition of personal information, modify the timing requirements for providing notice to affected individuals, and specify what information must be provided in the notice. To read more about this proposed legislation, click here.