Arizona’s Notice Law Now In Effect

As we wrote when the law passed, Arizona has expanded its data breach notification law. The amended law took effect on July 20 and includes several new elements. Among them is a requirement to notify the state attorney general if more than 1,000 individuals have been impacted, and an expanded ability to notify by email. The timing of notification has changed from “most expedient” to within 45 days. The Arizona law also now has content requirements for notifications, and companies do not need to notify if an independent forensic firm or law enforcement determines that there has been no risk of “substantial economic loss.”

Putting it Into Practice: Companies should keep in mind these new elements of Arizona’s law for their nationwide breach notice plans.


FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding

The Eleventh Circuit recently issued a long-awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach. The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems. Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back. It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC. This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that arises frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures. Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order: namely, that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough. Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently.

Vermont Is First Mover Regulating Data Brokers

Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into effect in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.

FTC Provides Insight into COPPA Deletion Requirements

The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act. Namely, companies under the Act must give parents the right to review and delete their children’s information. In addition, COPPA requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place.

Texas Hospital Ordered to Pay $4.3M for Failure to Implement its HIPAA Security Policies

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information.

FTC Signals that It Will Enforce Statements of GDPR Compliance

Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. What does this mean for US companies? As they implemented compliance with GDPR, a number of companies stated publicly that they would be providing some, or all, of the same protections to their other customers. It made sense for the companies: once they were reconfiguring their policies and systems to meet the GDPR requirements for European customers, why not offer the same protections to individuals outside the EU? It was comparatively easy to do and it was good consumer PR. But now the FTC plans to hold them to it.

South Dakota’s Breach Notice Law Now In Effect

As we wrote when the law passed, South Dakota now has a data breach notification law, making it the last state to have a data breach notification statute on the books. (The breach notification law of the other hold-out state, Alabama, went into effect on June 1.) The law is now in effect and, as we reported, mirrors many facets of other states’ breach laws. Notification is required when there is an unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). Encryption is defined in South Dakota (unlike in many other states), and notification must occur within 60 days. If notification to more than 250 South Dakota residents is required, a company must notify state authorities as well.

Colorado Enacts Stringent Data Breach Notification Law

Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday, the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).


Colorado Joins States in Passing Data Protection Requirements

Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported about yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information. Personal information is defined as social security numbers, personal identification number, a password or pass code, state ID numbers, and biometric data. The law also will require companies to ensure that third parties with whom they share personal information have reasonable security protections.


Louisiana Joins the Breach Notice Update Law Fray

Louisiana has joined the growing list of states updating their data breach notification laws in 2018. Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from “the discovery of the breach.” If the 60-day timeline is not met because of a law enforcement request or because it takes longer to find out the scope of the breach and restore the company’s systems, the law requires that the company explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record – for five years – of breaches they did not report. This record must be given to the AG, if requested, within 60 days. The amendments to the Louisiana law go into effect on August 1st, 2018.

