
US State Law

New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws.  The bill:  (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception.  The bill will become effective January 1, 2015.  Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.  


Delaware Passes Fiduciary Access to Digital Assets and Digital Accounts Act

August 26, 2014 | Posted by Bruce Sarkisian | Topic(s): Online Privacy, Legislation, US State Law

On August 12, Delaware Governor Jack Markell enacted the nation’s first law that covers access to digital accounts of the deceased. The Delaware statute, which is modeled after the Uniform Fiduciary Access to Digital Assets Act, gives the deceased’s executors, or fiduciaries, “control over any and all rights in digital assets and digital accounts of an account holder, to the extent permitted under applicable state or federal law or regulations or any end user license agreement.”


Florida Enacts One of Nation’s Most Stringent Data Breach Notification Laws; Includes 30-Day Notice Requirement

June 24, 2014 | Posted by Bruce Sarkisian | Topic(s): Legislation, Security Breach, US State Law, Data Breach

On June 20, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014, which updates Florida’s data breach notification law. The changes will take effect on July 1 of this year.


A+B Privacy Team Provides Analysis of California AG Privacy Report: New Best Practices Guidance Applies to all Businesses Collecting Personal Information from California Residents

In follow-up to our previous blog, California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies, regarding the release of the AG’s report, please see our recently released client advisory providing a detailed analysis of the new privacy guidance: California Attorney General Kamala Harris Releases Long-Anticipated Guidance Regarding Privacy Policy Notices. As conceived, the Report is designed to apply to all businesses, regardless of the country or state in which they operate, based on the California AG’s position that the California Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect personal information about California residents through their websites, online services or mobile apps, even if the business has no other connection to California.

Written by Dominique Shelton, Partner, Privacy & Data Security and Litigation and Trial Practice and Paul Martino, Partner, Privacy & Data Security and Legislative & Public Policy | Alston & Bird LLP

California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies

Today, California Attorney General Kamala Harris released her long-anticipated guidance on privacy policies for companies collecting information from California residents in a report entitled Making Your Privacy Practices Public (the “Report”). While the Report exceeds existing law in many respects, affected companies should review the Report and be familiar with its contents, as it sets forth a blueprint for how the CA AG’s office views “best practices” in connection with privacy policy drafting in the areas of “Big Data,” behavioral tracking, data security, and the “readability” of privacy disclosures. Further, the CA AG takes the position that California’s Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect information from California residents – and as such applies to companies operating outside of California.


Kim Peretti Quoted in Law360 Article “Post-Target Breach Laws Ratchet Up Pressure On Companies”

May 13, 2014 | Posted by Privacy & Data Security Team | Topic(s): US State Law, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Law360 article “Post-Target Breach Laws Ratchet Up Pressure On Companies.” The article discussed how Florida, Minnesota and several other states have moved to amend their data breach notification laws to tighten reporting timelines in response to the Target data breach and other high-profile intrusions. The amendments also expand on covered personal information, which adds pressure to companies that are trying to comply with a patchwork of state laws.

“We're definitely seeing the fallout from highly visible recent payment card breaches, especially the one at Target,” Peretti said. “States feel like they need to do something about it, and the developments are only continuing to fuel the already very active role that states are...taking in responding to data security concerns.”

Posted by Privacy & Data Security Team | Alston & Bird LLP

Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.


Iowa Updates Data Breach Notification Law to Add Paper Records, AG Notice Requirement

Iowa Governor Terry Branstad has signed Senate File 2259, an act modifying provisions applicable to personal information security breach notification requirements.

Iowa’s law will now require notice of breaches involving unauthorized acquisition of information that is on paper (in addition to computerized data) and will require notice to the consumer protection division of the state Attorney General’s office if a data breach affects more than 500 residents. Notice to the Attorney General’s office must be made within five days of notice to individuals. The changes take effect on July 1, 2014.

Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP

Retail Breaches: Investigating Payment Card Breaches

"Challenges in Conducting Breach Investigations: Part 2" was published in April 2013 by Law360; however, given the recent spate of retail breaches involving payment cards, it is highly relevant to entities experiencing these types of incidents. The article describes some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In particular, the article takes a closer look at how to investigate and respond to payment card breaches—both because of their unique nature and their potentially grave implications.

Written by Kimberly Peretti, Partner, Security Incident Management & Response Team | Alston & Bird LLP

Privacy Partners Paul Martino and Dominique Shelton Author Law360 Article on Proposed California Guidance for Do-Not-Track Disclosures

December 19, 2013 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, Legislation, Behavioral Advertising, US State Law, Privacy, Mobile Privacy, Regulatory Enforcement, Tracking

Today, Paul Martino and Dominique Shelton, partners in Alston & Bird’s Privacy and Security practice and respective members of the firm’s Legislative & Public Policy and Litigation and Trial Practice groups, co-authored the Law360 article, “Inside Calif.'s Proposed Guidance For Do-Not-Track Law.” In the article, Martino and Shelton address the potential impact of the meeting held for interested stakeholders on December 10, 2013, by the Privacy Enforcement and Protection Unit of the California Office of the Attorney General (“CA AG”) to discuss the AG’s proposed guidance on corporate privacy policy disclosures regarding behavioral tracking and do-not-disclose. To learn more about what CA AG staff and industry stakeholders discussed at the December 10, 2013 meeting, please see Alston & Bird’s client advisory entitled On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures. For further information about the requirements of A.B. 370, California’s new Do-Not-Track disclosure law that takes effect on January 1, 2014, please see our previous client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices, which provides an in-depth analysis of A.B. 370’s CalOPPA amendments and its potential impact on businesses with websites, mobile apps or online services used by California residents.

Written by the Privacy & Data Security Team | Alston & Bird LLP

California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures; Guidelines Will Not Delay New A.B. 370 Do-Not-Track Disclosure Requirements from Taking Effect on January 1, 2014

December 16, 2013 | Posted by Paul Martino & Dominique Shelton | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Marketing, US State Law, Privacy, Mobile Privacy, Regulatory Enforcement, Tracking

On December 10, 2013, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General (CA AG) held a meeting in San Francisco for interested stakeholders to discuss best practices in light of the Assembly’s enactment of A.B. 370, California’s new do-not-track disclosure law that goes into effect on January 1, 2014. A.B. 370 amended the California Online Privacy Protection Act (CalOPPA) to require operators of websites, online services and mobile applications to amend their privacy policies as of the new year to either (1) disclose how they respond to do-not-track signals from Internet browsers or other consumer choice mechanisms regarding the collection of behavioral tracking data; or (2) link to an online location containing a description of a consumer choice program the operator follows and explain the effects of that program. The new law also requires these operators to disclose the type and nature of any third-party tracking occurring on their sites, services or apps. The CA AG staff focused the discussion with stakeholders on what should constitute “best practices” regarding do-not-track disclosures, rather than on what would be required for businesses to simply comply with the new disclosure requirements created by passage of A.B. 370. To learn more about what CA AG staff and industry stakeholders discussed at the December 10, 2013 meeting, please see Alston & Bird’s client advisory entitled On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures.


A+B Privacy Litigation Partner Dominique Shelton Quoted by BNA Bloomberg "Privacy Law Watch"

October 11, 2013 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, Federal Trade Commission (FTC), US State Law, Data Security, Privacy, Mobile Privacy, Regulation

Several comments made by Dominique Shelton, a partner in the firm’s Litigation & Trial Practice Group, as part of the International Association of Privacy Professionals Privacy Academy in Bellevue, Washington, were included in a BNA Bloomberg Privacy Law Watch article discussing the conference panelists’ discussion on achieving mobile privacy compliance goals.


California Privacy Ballot Initiative Moves Forward: Act Would Amend California Constitution to Set Standards for Collection and Protection of Personally Identifying Information, including Financial and/or Health Information

October 4, 2013 | Posted by Nick Stamos and Claire Lucy Readhead | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Health Privacy, US State Law, Privacy, Financial Privacy, Privacy Class Actions, Privacy Litigation

California Secretary of State Debra Bowen has allowed signature collection to commence for a ballot initiative, named the Personal Privacy Protection Act, that could drastically alter the California privacy regime. The initiative, led by former state Senator Steve Peace and retired attorney Michael Thorsnes, seeks to amend the California Constitution to define personally identifiable information as “any information which can be used to distinguish or trace a natural person's identity which is linked or linkable to a specific natural person” but excludes information that is publicly available from government records. The definition of personally identifying information would also explicitly include “financial and/or health information.”


Update: California Governor Brown Signs into Law A.B. 370, "Do Not Track Disclosure Law"

September 30, 2013 | Posted by Claire.Readhead@alston.com | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Marketing, US State Law, Privacy, Tracking

On September 27, 2013, California Governor Brown signed into law A.B. 370, amending the California Online Privacy Protection Act (CalOPPA) to require two new privacy policy disclosures for websites and online services regarding behavioral tracking. California Assembly member Al Muratsuchi (D-Torrance), who introduced A.B. 370, released a statement in which he said the amended law “will protect Californians' right to privacy by providing transparency that will allow consumers to know when their online activity is being tracked. The consumer can then make an informed decision about their use of a particular website or service. The support for AB 370 resonated statewide as Californians expressed their concern with entities tracking their information, many times without their knowledge or consent. While we must continue to foster innovation, we must likewise ensure that consumer protection and privacy are key priorities as technology advances. Further, Attorney General Kamala Harris, the sponsor for this Legislation, worked tirelessly alongside me and stakeholders to make this law a reality. I commend Governor Brown for joining us as we work to ensure transparency in online commerce and interaction.” The new law will become effective as of January 1, 2014. For more information on A.B. 370, please see our previous blog posting entitled California Adopts Do-Not-Track Disclosure Law: A.B. 370 Amends the California Online Privacy Protection Act (CalOPPA) to Require New Privacy Policy Disclosures for Websites, Online Services and Mobile Apps about Behavioral Tracking.

For more detailed information on the new law, please refer to our full-length client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices.

Written by Claire Lucy Readhead, Associate, Privacy & Data Security | Alston & Bird LLP

Update: California Governor Brown Signs into Law S.B. 46, New Notification Requirements for Data Security Breaches

September 30, 2013 | Posted by Claire.Readhead@alston.com | Topic(s): Online Privacy, Legislation, US State Law, Data Security, Privacy, Data Breach, Data Protection

On September 27, 2013, California Governor Brown signed into law S.B. 46, amending California’s data security breach notification law, California Civil Code Section 1798.82. The new law builds upon existing requirements for prompt consumer notification whenever individuals have had their passwords, usernames or security question and answers compromised. It expands the definition of personal information to include, “A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” California Senate Majority Leader Ellen M. Corbett (D-San Leandro), who authored S.B. 46, released a statement in which she said, “SB 46 protects online consumers by ensuring that they are promptly notified if and when their passwords, usernames or security question and answers are compromised or stolen. Many consumers now conduct their day-to-day personal business online, including banking and paying bills, which creates more opportunities for sophisticated cybercriminals to access and steal their personal information. I am grateful that Governor Brown has signed S.B. 46 since it will allow consumers to take steps to minimize potential identity theft and other criminal activity whenever their information is stolen.” The new law will become effective as of January 1, 2014. For more information on S.B. 46, please see our previous blog posting entitled California S.B. 46 Expands Data Breach Notification Law to Include Breaches of User Names and Email Addresses for Online Accounts.

For more detailed information on the new law, please refer to our full-length client advisory entitled S.B. 46 Adds Notification Requirements for Breaches of an Individual’s User Name or Email Address in Combination with a Password or Security Question and Answer that Permit Access to an Online Account.

Written by Claire Lucy Readhead, Associate, Privacy & Data Security | Alston & Bird LLP
