State Legislatures

Arizona Strengthens and Expands Data Breach Notification Law

By David M. Stauss & Gregory P. Szewczyk on April 18, 2018

Posted in Arizona law, Data Breach, State Law, State Legislatures

The Arizona Legislature has significantly expanded and strengthened the state’s data breach notification law. The legislation was signed by Arizona Governor Doug Ducey on April 11, 2018.

Members of Ballard Spahr’s Privacy and Data Security Group will host a webinar on Wednesday, April 25, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide in-depth analysis of the new law and place it into context with similar legislation enacted by other states over the past few months. Visit www.ballardspahr.com/AZwebinar to register and for more information.

Below we discuss the most notable changes:

Continue Reading Arizona Strengthens and Expands Data Breach Notification Law

Oregon Amends Data Breach Notification and Information Security Laws

By David M. Stauss on April 3, 2018

Posted in Consumer Protection, Data Breach, Data Protection, Health Insurance Portability and Accountability Act (HIPAA), Incident Response, Information Security Standards, Legislation, Personal Information, State Law, State Legislatures

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor. A copy of the new law is available here. The most notable changes are as follows:

Continue Reading Oregon Amends Data Breach Notification and Information Security Laws

Alabama Becomes 50th State to Enact Data Breach Notification Law

By Edward J. McAndrew on April 2, 2018

Posted in Compliance, Data Breach, Incident Response, Legislation, State Attorneys General, State Law, State Legislatures, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on June 1, 2018. Although it was last in the country to enact such a data security law, Alabama’s new law will immediately take its place among the most stringent in the nation.

The Alabama law generally can be categorized into four obligations:

All entities subject to the law (covered entities and third-party agents) must “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
A “covered entity shall conduct a good faith and prompt investigation” into “a breach of security that has or may have occurred in relation to sensitive personally identifying information.”
A covered entity must notify each affected Alabama resident, and a third-party agent must notify the covered entity, of a “breach of security involving sensitive personally identifying information;”
A covered entity must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

Continue Reading Alabama Becomes 50th State to Enact Data Breach Notification Law

South Dakota Enacts Data Breach Notification Law

By Edward J. McAndrew on March 23, 2018

Posted in Compliance, Cybersecurity, Data Breach, Incident Response, Information Security Standards, Legislation, Personal Information, Regulatory Compliance, State Attorneys General, State Law, State Legislatures, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

South Dakota (site of Ballard’s newest office) has become the 49^th State to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018. The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles. Continue Reading South Dakota Enacts Data Breach Notification Law

Oregon, New York, Alabama, and Rhode Island Join List of States Considering Data Breach Legislation Post-Equifax

By David M. Stauss, Gregory P. Szewczyk & J. Matthew Thornton on March 5, 2018

Posted in Consumer Protection, Data Breach, Data Protection, Legislation, Privacy Law and Regulation, State Law, State Legislatures

In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers. Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a reaction to Equifax’s data breach disclosure last summer. In prior alerts and articles, we discussed proposed legislation in Arizona, Colorado, North Carolina, and South Dakota. In this post, we examine legislation being considered in Oregon, New York, Alabama, and Rhode Island.

To put the discussion into context, 48 states already have laws requiring entities to notify affected individuals if the entity suffers a loss or compromise of the individuals’ confidential information. Those laws differ in many respects, resulting in a complex web of legal responsibilities that creates headaches for entities required to comply with them.

The challenge will become even more complex if the proposed bills become law, because, generally speaking, they would:

expand the types of confidential information covered under state breach notification requirements;
implement specific deadlines for when affected individuals must be notified;
require businesses to implement and maintain reasonable security procedures to prevent data breaches; and
authorize state attorneys general to enforce these provisions through substantial fines and penalties for non-compliance.

Continue Reading Oregon, New York, Alabama, and Rhode Island Join List of States Considering Data Breach Legislation Post-Equifax

Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax

By David M. Stauss on February 18, 2018

Posted in Colorado Law, Cybersecurity, Data Breach, Identity Theft, State Law, State Legislatures

As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach. If enacted, Colorado would have the shortest time frame for disclosure in the country. Continue Reading Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax

South Dakota and North Carolina Consider New Data Security Legislation

By Edward J. McAndrew on January 30, 2018

Posted in Compliance, Consumer Protection, Cybersecurity, Data Breach, Data Protection, Incident Response, Legislation, Personal Information, Ransomware, Regulatory Compliance, State Attorneys General, State Law, State Legislatures, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49^th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.” Continue Reading South Dakota and North Carolina Consider New Data Security Legislation

Colorado Legislature Considers Sweeping Data Security Legislation

By David M. Stauss & Gregory P. Szewczyk on January 23, 2018

Posted in Colorado Law, Consumer Protection, Cybersecurity, Data Breach, Data Protection, Information Security Standards, Legislation, Personal Information, State Law, State Legislatures

A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that have suffered a data breach, such as a 45-day deadline to provide notice to affected individuals. Click here for a discussion of the proposed legislation.

New 2018 Data Breach Compliance Obligations Begin Going into Effect

By Edward J. McAndrew on January 18, 2018

Posted in Compliance, Cybersecurity, Data Breach, Data Protection, Enforcement, Health Care, Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Identity Theft, Incident Response, Legislation, Personal Information, Regulatory Compliance, State Attorneys General, State Law, State Legislatures

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here. Continue Reading New 2018 Data Breach Compliance Obligations Begin Going into Effect

Data Privacy Cases to Watch in 2018

By Philip N. Yannella, Gregory P. Szewczyk, Zaven A. Sargsian & Fred G. DeRitis on January 18, 2018

Posted in Class Action, Data Breach, Electronic Communications Privacy Act, Enforcement, Federal Trade Commission (FTC), Fourth Amendment, Identity Theft, Personal Information, Privacy Law and Regulation, State Legislatures, U.S. Supreme Court, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.

Carpenter v. United States

We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider. Continue Reading Data Privacy Cases to Watch in 2018

CyberAdviser