The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company’s direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be shared with, and used by, Canal+ for Canal+’s marketing activities. Canal+ should have ensured that the partners had gotten appropriate consent, according to the CNIL. Continue Reading CNIL Fines Canal+ Over Marketing and Data Security Concerns
Data Breach
Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles
The FTC’s second attempt to pursue the data broker Kochava continues to move forward. The amended complaint, which was just unsealed and is thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices, allegations the company strongly disagreed with, which is why it sought, unsuccessfully, to have the complaint sealed.
SEC Gives Finality on Cybersecurity Disclosures for Public Companies
The SEC has now finalized its much-anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance and, unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.
Texas Amends Data Breach Notification Law, Updates Effective September 1
Texas recently enacted an amendment to its data breach notification law. As of September 1, 2023, there are two changes to the requirements when notifying the Texas Attorney General. In Texas, breaches of 250 residents or more must be reported to the Attorney General. Now, as amended, this will need to be done as soon as practicable, and not later than 30 days from determination of the breach (previously, it was 60 days). Texas joins Colorado, Florida, and Washington in requiring notice within a 30-day time frame. Notification in Texas must also be submitted electronically using a form on the AG’s website.
Iowa Joins Growing List to Offer Potential Safe Harbor for Companies With Security Programs
Iowa recently became the fifth state to offer businesses a safe harbor if they have a written cybersecurity program. Others are Connecticut (October 1, 2021), Ohio (effective November 2, 2018), Oregon (effective January 1, 2020), and Utah (effective March 5, 2021). Like these, as of July 1, 2023, businesses that have a written cybersecurity program and suffer a breach may have an affirmative defense in Iowa against tort claims for inadequate security measures.
EyeMed Data Breach Multistate Settlement
EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania around a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals. As we previously reported, EyeMed entered into a settlement with NYDFS over this breach in October of 2022.
May 2nd Marks Effective Date of Pennsylvania Breach Law Amendments
As we wrote in November, Pennsylvania amended its data breach notification laws last year, and those changes go into effect tomorrow (May 2, 2023). Beginning tomorrow, if a breach of username/email accounts and their respective passwords occurs, companies can provide electronic notification to the impacted individual. That notice will need to tell individuals to change their passwords or take other proactive measures. The law also amends the definition of personal information. It will now include, as of tomorrow, medical and health insurance information.
Utah Amends Data Breach Law, Creates Cyber Center
Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.
72 hours: The NCUA’s New Cyber Incident Reporting Requirement
Three days. Starting September 1, 2023, that is all federally insured credit unions will have to report cyber incidents.
Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities
The New York and Pennsylvania AGs’ settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information.