New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws. The bill: (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception. The bill will become effective January 1, 2015. Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.


HIPAA Audit Program Phase 2: Delayed

A representative of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program and has revised its plans for phase 2.


Delaware Passes Fiduciary Access to Digital Assets and Digital Accounts Act

August 26, 2014 | Posted by Bruce Sarkisian | Topic(s): Online Privacy, Legislation, US State Law

On August 12, Delaware Governor Jack Markell enacted the nation’s first law that covers access to digital accounts of the deceased. The Delaware statute, which is modeled after the Uniform Fiduciary Access to Digital Assets Act, gives the deceased’s executors, or fiduciaries, “control over any and all rights in digital assets and digital accounts of an account holder, to the extent permitted under applicable state or federal law or regulations or any end user license agreement.”


Florida Enacts One of Nation’s Most Stringent Data Breach Notification Laws; Includes 30-Day Notice Requirement

June 24, 2014 | Posted by Bruce Sarkisian | Topic(s): Legislation, Security Breach, US State Law, Data Breach

On June 20, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014, which updates Florida’s data breach notification law. The changes will take effect on July 1 of this year.


Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.


Iowa Updates Data Breach Notification Law to Add Paper Records, AG Notice Requirement

Iowa Governor Terry Branstad has signed Senate File 2259, an act modifying provisions applicable to personal information security breach notification requirements.

Iowa’s law will now require notice of breaches involving the unauthorized acquisition of information held on paper (in addition to computerized data), and will require notice to the consumer protection division of the state Attorney General’s office if a data breach affects more than 500 residents. Notice to the Attorney General’s office must be made within five days of notice to individuals. The changes take effect on July 1, 2014.

Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP

Kim Peretti to Speak at Georgetown Law’s Cybersecurity Law Institute

April 7, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Legislation, International, Security Breach, Data Security, Cybersecurity, Regulation

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, will be a featured speaker during the second annual Cybersecurity Law Institute sponsored by the Georgetown University Law Center. Cybersecurity continues to stay in the news in 2014 as the White House calls for a "Consumer Privacy Bill of Rights" for the digital age. What does this mean for your company or organization? The following topics will be covered during the May 21-22 program in Washington, D.C.:

--Learn how an effective Enterprise Security Program drastically reduces cyber risks within your organization.
--Debate the value of insurance in the cyber context; learn about coverages and what risk mitigation strategies may lower premium costs.
--Participate in simulations that animate the complexity and speed of data breach response, including from a global perspective.
--Hear from top general counsel regarding the evolving role of legal counsel and their relationship with the board of directors.
--Discover how the brand-new NIST Framework may potentially impact you even if you are not in a critical infrastructure sector.

For more information and to register, please click here.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

HIPAA Audit Program Returning?

We previously blogged about the Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011, March 7, 2012, and June 26, 2012. On Monday, OCR published a notice in the Federal Register in which it essentially announces the return of its HIPAA Audit Program. In the notice, OCR announces that it plans to submit a new information collection request (ICR), a HIPAA Audit Program survey, to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995, and seeks comments on the proposed survey and the burden imposed by it. The title of the survey is “HIPAA Covered Entity and Business Associate Pre-Audit Survey.” OCR proposes to survey up to 1200 HIPAA covered entities and business associates to determine suitability for the OCR HIPAA Audit Program. OCR plans to use the survey to assess the size, complexity, and fitness of the surveyed covered entities and/or business associates for a HIPAA audit. The survey will collect information about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.


Energy and Commerce Committee to Hold First U.S. House of Representatives Hearing in 2014 on Protecting Consumer Information and Preventing Data Security Breaches

Following the recent announcement of two U.S. Senate committee hearings on data security breaches, the House Energy and Commerce Committee announced the first U.S. House of Representatives hearing to examine the issue. During the same week as the Senate hearings, the committee’s Subcommittee on Commerce, Manufacturing and Trade (CMT), chaired by Rep. Lee Terry (R-NE), will hold a hearing entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” on Wednesday, February 5, 2014, at 9:30 a.m. EST in 2123 Rayburn House Office Building. According to the hearing notice released yesterday, witnesses will include executives from Target and Neiman Marcus, as well as government officials from the United States Secret Service and Department of Homeland Security. The Subcommittee will examine the preparations made by businesses to prevent data security breaches and the resources that exist to identify threats and improve the security of consumer information. The CMT Subcommittee notice also referenced the subcommittee’s recently issued data breach resource guide, which is a webpage that provides consumers with information they can use to help protect themselves against identity theft and take action when they learn of potential fraudulent charges on their accounts.


U.S. Senate Banking and Judiciary Committees to Hold Hearings Examining Data Security Breaches, Identity Theft, and the Safeguarding of Consumers’ Financial Data

January 28, 2014 | Posted by | Topic(s): Online Privacy, US Congress, Legislation, Identity Theft, Data Security, Cybersecurity, Financial Privacy, Hearing, Data Breach, Senate, Cybercrime

The U.S. Senate Committees on Banking and the Judiciary will each host hearings during the week of February 3, 2014, to examine the impact on consumers from recently reported data security breaches and what measures may be taken to protect sensitive information of consumers, including customer financial information, from criminal acquisition and misuse. Consistent with the assigned jurisdiction and oversight authority of each committee, the Banking Committee will examine the protection of consumer financial data, whereas the Senate Judiciary Committee will focus on the prevention of data security breaches and combating cybercrime. While these hearings will be open to the public at the Senate office buildings in Washington, D.C., each hearing will also be webcast live to the public via the committees’ hearing web pages. Witness testimony will not be made publicly available until the hearings start, but will be posted and available at the same committee web pages.


Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort to both enhance criminal penalties for computer hacking, and create a tough Federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.


House of Representatives Passes Health Exchange Security and Transparency Act of 2014: HR 3811 Would Require HHS to Notify Affected Individuals of a Breach of a Health Insurance Exchange Within 2 Days of Discovery

On Friday, January 10, 2014, the House of Representatives passed H.R. 3811, the “Health Exchange Security and Transparency Act of 2014,” by a vote of 291 to 122. The bill was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), and has a total of 75 cosponsors. Under the bill, the Secretary of Health and Human Services would be required to provide notice to each individual “[n]ot later than two business days after the breach of security of any system maintained by an Exchange established under section 1311 or 1321 of [the Affordable Care Act] which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” By contrast, the HITECH Act requires HIPAA covered entities to provide breach notifications to individuals, to HHS (if the breach involves the PHI of 500 or more individuals), and/or to the media (if required) “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved.” The bill would require HHS to notify individuals not only with respect to breaches of security of a federally facilitated health insurance exchange (a health insurance exchange established and operated by HHS that is accessed through –) but also with respect to breaches of security of any health insurance exchange established and operated by a State under the Affordable Care Act.


Alston & Bird Webinar: The Cybersecurity Framework: Understanding Its Structure, Content and Potential Impact

January 6, 2014 | Posted by Privacy & Data Security Team | Topic(s): Events, Legislation, Cybersecurity, Privacy, National Institute for Standards and Technology (NIST)

On Tuesday, January 21, join Alston & Bird in a lively discussion on the NIST Preliminary Cybersecurity Framework. The release of the NIST Preliminary Cybersecurity Framework in October marks one of the final steps in creating the “voluntary” framework envisioned in the Obama administration’s Executive Order on Improving Critical Infrastructure Cybersecurity. While the development of the framework involved significant input by the private sector, questions remain of how to understand and interpret its structure, content and potential impact.

This program brings together Alston & Bird privacy partners Kim Peretti and Todd McClelland and a panel of experts to discuss these topics as companies prepare for a finalized version of the framework to be issued in February.

Webinar - The Cybersecurity Framework: Understanding Its Structure, Content and Potential Impact
Tuesday, January 21
1 to 2 p.m. (ET)

To learn more about this Webinar and to register, please click here.

Posted by the Privacy & Data Security Team | Alston & Bird LLP

Privacy Partners Paul Martino and Dominique Shelton Author Law360 Article on Proposed California Guidance for Do-Not-Track Disclosures

December 19, 2013 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, Legislation, Behavioral Advertising, US State Law, Privacy, Mobile Privacy, Regulatory Enforcement, Tracking

Today, Paul Martino and Dominique Shelton, partners in Alston & Bird’s Privacy and Security practice and respective members of the firm’s Legislative & Public Policy and Litigation and Trial Practice groups, co-authored the Law360 article, “Inside Calif.’s Proposed Guidance For Do-Not-Track Law.” In the article, Martino and Shelton address the potential impact of the meeting held for interested stakeholders on December 10, 2013, by the Privacy Enforcement and Protection Unit of the California Office of the Attorney General (“CA AG”) to discuss the AG’s proposed guidance on corporate privacy policy disclosures regarding behavioral tracking and do-not-disclose. To learn more about what CA AG staff and industry stakeholders discussed at the December 10, 2013 meeting, please see Alston & Bird’s client advisory entitled On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures. For further information about the requirements of A.B. 370, California’s new Do-Not-Track disclosure law that takes effect on January 1, 2014, please see our previous client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices, which provides an in-depth analysis of A.B. 370’s CalOPPA amendments and its potential impact on businesses with websites, mobile apps or online services used by California residents.

Written by the Privacy & Data Security Team | Alston & Bird LLP

FTC Chairwoman Reiterates Support for National Data Breach Law with FTC Enforcement Powers

December 16, 2013 | Posted by Louis Dennig | Topic(s): Federal Trade Commission (FTC), Legislation, Enforcement, Cybersecurity, Data Breach, Regulatory Enforcement

At the National Consumers League Conference on identity theft, held on December 12, 2013 in Washington, D.C., Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez pushed for a federal data breach law featuring the FTC as the “enforcer.” Chairwoman Ramirez engaged in a keynote discussion with former FTC Chairwoman Deborah Platt Majoras and made her position clear that a federal data breach notification law that complements existing state laws would benefit consumers. The keynote can be viewed in its entirety here (the discussion related to a national data breach notification law begins at 21:35).
