For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA), in Van Buren v. United States, No. 19-783. The federal circuits are split on whether the statute reaches only hackers and other users who access a system without authorization, or also users who are authorized to access a system but use the information they obtain for an unauthorized purpose. In the data breach context, companies sometimes look to how courts have interpreted “authorization” under the CFAA when analyzing whether a notification obligation exists.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

During their COVID-19 preparations, companies are dusting off, and deploying, their business continuity plans. Incident response plans are also worth revisiting. Teams working remotely will still need to protect legal privilege if faced with a data breach, so simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, and may even increase legal risk and exposure. Teams will thus need to be prepared to come together virtually. Turning on the camera and conversing by video can be an important and effective way to handle a breach remotely. To prepare, here are three key questions companies can consider:
Continue Reading Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

Businesses collecting personal information from New York residents will soon be subject to enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded the state’s breach notice requirements in October 2019. Now, on March 21, 2020, the remaining provisions, which address data security, also come into effect. As we wrote previously, businesses subject to the law must implement a data security program that includes at least the following:
Continue Reading NY SHIELD Act Data Security Requirements Effective This Month

Israel’s investment industry has reportedly been growing, and not surprisingly it has drawn the interest of the Israeli Securities Authority (ISA). Late last year the ISA surveyed several funds and found that they were not following the requirements of Israel’s privacy laws. As a result, the ISA recently sent fund managers a letter warning them to take steps to protect customer information. Israel, like most countries, has a privacy law and corresponding regulations. Unlike many other jurisdictions, though, its privacy law has been deemed “adequate” by the EU, and compliance can accordingly be a fairly rigorous exercise. Accompanying the ISA letter were “insights” on how to protect information, covering items such as software updates and user authentication. Some of these recommendations go beyond what Israel’s privacy law and regulations require; they do, however, mirror requirements that apply to banks and insurance companies under Israeli law.
Continue Reading Israel Expresses Concerns Over Investment Fund Security Measures

Massachusetts’ breach notice law has been amended to require companies that suffer a data breach to provide more information about the incident to the Attorney General. The amendment goes into effect in a month, on April 11, 2019. As most know, under MA’s existing breach notice law, companies that suffer a breach affecting Massachusetts residents must notify the MA AG and, as part of that notice, explain the nature of the breach, the number of residents affected, and the mitigation steps taken. Now, the MA AG will also need to be told whether the company maintains a written information security program, and will need greater detail about the breach itself, including the person responsible for the breach of security, if known, as well as the name and title of the person reporting the breach and that person’s relationship to the breached entity. A sample copy of the notice sent to consumers must also be provided to the MA AG. The MA AG will post that sample notice on its website within one day of receipt, provided that doing so does not “impede an active investigation” by the MA AG or another law enforcement agency. The law also imposes additional requirements on the AG to post information about breaches to its website.
Continue Reading US State Breach Law Modifications Begin in 2019 with Massachusetts

Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers

Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday, the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with a password or security questions). The law now requires companies to conduct an investigation when they become aware that a breach may have occurred (rather than only when they become aware that a breach has occurred). Also modified is the window companies have to provide notice: Colorado joins Florida in requiring notice within 30 days (as compared to the prior “without unreasonable delay” standard).
Continue Reading Colorado Enacts Stringent Data Breach Notification Law

Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported on yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information, defined as social security numbers, personal identification numbers, passwords or pass codes, state ID numbers, and biometric data. The law will also require companies to ensure that third parties with whom they share personal information maintain reasonable security protections.
Continue Reading Colorado Joins States in Passing Data Protection Requirements

Louisiana has joined the growing list of states updating their data breach notification laws in 2018; others, as we have reported, include Arizona and Oregon. The law has been amended to add biometric information, state ID numbers, and passport numbers to the definition of personal information. It also adds a 60-day notice deadline running from “the discovery of the breach.” If the 60-day deadline is not met because of a law enforcement request, or because it takes longer to determine the scope of the breach and restore the company’s systems, the company must explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record, for five years, of breaches they did not report, and must provide that record to the AG within 60 days of a request. The amendments to the Louisiana law go into effect on August 1, 2018.
Continue Reading Louisiana Joins the Breach Notice Update Law Fray

Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches the definition that, if breached, gives rise to a duty to notify: a name combined with a social security number, driver’s license (or state ID or passport) number, or financial account number. The law applies to companies that “maintain computerized information” and requires that they (1) have reasonable security procedures and practices, “appropriate to the nature of the information,” that protect against unauthorized access, destruction, use, modification and disclosure, and (2) destroy personal information, or make it unreadable, when it is no longer needed, by “shredding, erasing” or otherwise rendering the information unreadable. Louisiana joins a growing list of states with such data protection requirements, including California, Connecticut, Delaware, Florida, Massachusetts, Nevada, and New Jersey, to name but a few. The requirement goes into effect August 1, 2018.
Continue Reading Louisiana Adds Data Security Requirements to Breach Notice Law