Tag Archives: US State Law

Irish High Court refers Facebook’s data case to the European Court of Justice

Written by
In what it considered “an unusual case” (available here), the Irish High Court has referred the issue of the way data is transferred between the EU and countries outside the EU to the Court of Justice of the European Union (“CJEU”). Ms. Justice Caroline Costello will ask the CJEU for a preliminary ruling on the validity of the Standard Contractual Clauses (“SCCs”) as an adequate data transfer mechanism. Justice Costello did not comment on the laws of the EU or the US, but rather on the validity of SCCs as a data transfer measure between the EU and the US. The case arose from a complaint [...] Read more

New York Attorney General Announces Record Number of Data Breach Notices in 2016

Written by
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...] Read more

California Updates Data Breach Notification Statute for 2017

Written by
California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information [...] Read more

Illinois Makes Extensive Changes to Data Breach Notification Law

Written by
  On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. When the new law becomes effective, Illinois’ data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals. Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number [...] Read more

Nebraska Makes Changes to Data Breach Statute

Written by
Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...] Read more

Tennessee Updates Data Breach Statute

Written by
On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery. The second update to the statute adds employees of the [...] Read more

Illinois Governor Vetoes Data Protection Bill; Suggests Revisions

Written by
Illinois Governor Bruce Rauner vetoed a bill amending the state’s data breach notification law on August 21, 2015, saying in a letter to the General Assembly that the bill “goes too far, imposing duplicative and burdensome requirements that are out-of-step with other states.”  The bill, S.B. 1833, would have amended Illinois’ Personal Information Protection Act (“PIPA”).  Gov. Rauner took issue only with a few specific provisions and promised to sign the bill if the issues were addressed by the General Assembly. In particular, the Governor disagreed with the addition of “consumer [...] Read more

Rhode Island Updates Identity Theft Protection Act; Requires Notice Within 45 Days of Data Breach

Written by
In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group. On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially [...] Read more

Oregon Updates and Expands Data Breach Statute

Written by
Oregon has updated its data breach notification statute to broaden the definition of personal information that will trigger notice to individuals and add the requirement to notify the state’s Attorney General of certain breaches. Oregon Governor Kate Brown signed into law SB601 on June 10, and it was enrolled on June 15. The bill updates the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). The changes to the Act become effective on January 1, 2016 and apply only to data breaches that occur on or after that date. The expanded definition of “personal information” that [...] Read more

Connecticut Passes Bill to Require Identity Theft Protection Services In Certain Breaches

Written by
On June 11, Connecticut SB949 became a Public Act, after being passed by both chambers of the state legislature. Governor Dannel Malloy can now either sign the bill or take no action for it to become law. SB949 will, among other provisions, require companies that experience a security breach requiring notice to individuals under Connecticut law and involving the individual’s Social Security Number to offer “applicable identity theft prevention services, and, if applicable, identity theft mitigation services” at no cost for at least twelve months. This requirement will take effect on October [...] Read more