In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.

Continue Reading Connecticut Expands Data Breach Notification Law, Changes Effective October 1, 2021

Connecticut recently enacted cybersecurity legislation that provides a safe harbor for businesses that implement a written cybersecurity program. Under the legislation, set to go in effect on October 1, 2021, punitive damages will not be assessed on a business that has suffered a data breach, in the event that there are causes of action alleging a failure to implement reasonable cybersecurity controls, which failure resulted in the breach.

Continue Reading Connecticut Enacts New Cybersecurity Safe Harbor

The Georgia Supreme Court recently concluded that Georgia’s equivalent of the CFAA should be viewed narrowly, similar to the US Supreme Court’s recent, similar decision in Van Buren. In Kinslow v. State, the Georgia Supreme Court held that even if there is unauthorized use of a computer or computer network, there must be enough evidence to prove that the defendant used the computer network knowingly without authority and with the intention of obstructing or interfering with the use of data.

Continue Reading New Decision Narrows Scope of Georgia Computer Trespass Statute

MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act, which impacts the offering of “negative option” (subscription) services.
Continue Reading FTC Settles Security Claims With Both MoviePass and Its Owners

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.
Continue Reading The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm

The Department of Labor recently issued cybersecurity guidance to retirement plans. The department’s Employee Benefits Security Administration (EBSA) issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end-users.
Continue Reading Cybersecurity Guidance Issued to Retirement Plan Sponsors

NYDFS Issues Supply Chain Management Guidance

The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in their software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:
Continue Reading NYDFS Issues Supply Chain Management Guidance

Recently, the National Institute of Standards and Technology (NIST) requested comments to its Resource Guide for implementing the HIPAA Security Rule. (i.e., SP 800-66). This Guide, first released in 2008, summarizes the HIPAA Security Rule standards and explains the structure and organization of the Security Rule.
Continue Reading NIST Plans to Update HIPAA Security Guidance – Asks for Comments