Photo of Elfin Noce

Elfin Noce is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office. He also is a member of the Privacy and Cybersecurity Team.

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021.
Continue Reading What To Do About Employees Under CCPA: An Update

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.
Continue Reading New York SHIELD Act Expands Breach Notice Requirements Starting in October

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March companies will want to think about these new data security provisions.
Continue Reading Preparing for New York’s New Data Security Requirements

Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has been or will be misused. This requirement will go into effect in October 2019. Starting then, vendors who maintain information will also have a duty to investigate, not just data owners. This is unlike other states with “duty to investigate” requirements, like Connecticut, Delaware, New Hampshire, and Wyoming, among others. In those states (and others), only the data owner is statutorily required to investigate. To the extent that vendors have been obligated to investigate, that obligation falls under other provisions of breach notice laws, namely requirements for the vendor to “cooperate” with the data owner. Or, in some cases, companies may have contractually required their vendors to conduct investigations in the event of a breach or potential breach.
Continue Reading Maryland Adds Requirements to Breach Notice Law

New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor, Greg Abbot, on June 14, 2019, requires that the Texas attorney general be notified of a breach within 60 days. The AG notification is required only if 250 or more Texas residents are affected. The notification to the attorney general must include a description of the breach, number of residents affected, measures taken in response to the breach, measures planned to be taken after notification and whether law enforcement has been engaged with the investigation.  The legislation also adds a 60 day timing requirement for notice, from the current “as quickly as possible” standard.
Continue Reading Texas Breach Law Will Change in 2020, To Require Attorney General Notification

Maine entered the privacy fray last week when Governor Janet T. Mills signed legislation targeting internet service providers by prohibiting the sale of information about customers’ internet use. The new restriction covers, in part, customer web browsing history, application usage history, and geolocation information. An internet service provider may only use, disclose, sell or permit access to such information with either the customer’s consent or by complying with one of the few outlined exceptions in the statute.
Continue Reading Maine Passes Broadband Privacy Bill

Washington State will have new restrictions on what employers can ask applicants regarding their wage and salary history starting July 28, 2019. The new legislation will prohibit employers from seeking wage or salary history from job applicants in the state. Additionally, employers will not be able to require that an applicant’s prior salary history meet certain criteria. There are some limited exceptions to this general rule. First, employer can confirm an applicant’s wage or salary if the applicant has voluntarily disclosed that history. Second, the employer can confirm the information after having negotiated and made an employment offer.
Continue Reading Washington Enacts Restrictions on Applicant Wage and Salary Questions

“Internet of Things” devices are listening.  And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus are susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices. I.e., a device connect to the internet that is not a “general purpose computing device.”
Continue Reading Feds Want New IoT Guidance to Address Security Vulnerabilities

New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019.
Continue Reading New Jersey Breach Notice Law Expands To Cover Online Account Breaches