If the New York State Department of Financial Services (“DFS”) has its way, come January 1, 2017, financial services companies that require a form of authorization to operate under the banking, insurance, or financial services laws (“Covered Entities”) will be required to comply with a new set of comprehensive cybersecurity regulations aimed at safeguarding information systems and nonpublic information.

Continue Reading New York State Department of Financial Services Proposes Cybersecurity Regulations for Financial Services Companies

California has been active in the kids space. First, the Ninth Circuit recently ruled on California’s Age-Appropriate Design Code Act. Second, the governor has just signed a new law aimed at social media sites.

Continue Reading California: Age-Appropriate Design Code Act Partially Blocked, New Social Media Law Signed

New York City recently amended its law governing third-party delivery services, with the changes going into effect December 27, 2021. The revised law specifically permits restaurants to ask for customers’ personal information from the delivery service. The delivery service, in turn, must tell consumers about the potential sharing “in a conspicuous manner” on its website and give people the ability to opt out of such sharing. That notice needs to indicate that the person’s information will be shared with the restaurant, and needs to identify the restaurant.

Continue Reading Impact of NYC’s New Delivery Service Data Sharing Requirement

As federal courts continue to grapple with the explosion of litigation brought by plaintiffs under the Telephone Consumer Protection Act (“TCPA”), the Federal Communications Commission (“FCC”) is increasingly being called upon to address complex questions arising from the application of this analog statute to the digital world. The latest example is a brief amicus curiae filed by the FCC in Nigro v. Mercantile Adjustment Bureau, LLC. In that case, Albert Nigro contacted a power company in New York to discontinue the service of his recently deceased mother-in-law and provided the company with his cell phone number in doing so. Thereafter, a debt collector (acting on behalf of the power company) called Nigro 72 times over a nine-month period to collect on a $67 delinquency that remained on his mother-in-law’s account.

Continue Reading Call Me Maybe?: The New TCPA Position Announced by The Federal Communications Commission in Nigro v. Mercantile Adjustment Bureau

A recent settlement with an education service provider and three states – California, Connecticut, and New York – serves as a reminder to deactivate the credentials of departed employees. The case arose following a data breach suffered by Illuminate Education, which provides assessment software to K-12 school systems. As part of its services, the company stores sensitive details like students’ special education and accommodation needs.

Continue Reading The Ghost of Employees Past: The Data Breach Risks from User-Credential Management

California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting earlier this year.) While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.

Continue Reading 2026 Data Breach Law Updates – California and Oklahoma

Many courts have held that information gathered by video-related pixels is not “personal” for purposes of the Video Privacy Protection Act. Nevertheless, plaintiff class action attorneys continue to file these VPPA actions in federal court.

Continue Reading Behind the Pixel: Not Always Personal Information Under VPPA

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.

Continue Reading Insurance Cybersecurity Certifications: An (Updated) State Roundup

Virginia’s Governor, Glenn Youngkin, vetoed a bill this week that would have regulated “high-risk” artificial intelligence systems. HB 2094, which narrowly passed the state legislature, aimed to implement regulatory measures akin to those established by last year’s Colorado AI Act. At the same time, Colorado’s AI Impact Task Force issued concerns about the Colorado law, which may thus undergo modifications before its February 2026 effective date. And in Texas, a proposed Texas Responsible AI Governance Act was recently modified.

Continue Reading US State AI Legislation: Virginia Vetoes, Colorado (Re)Considers, and Texas Transforms