Ohio Enacts Cybersecurity Safe Harbor Law

Written by

Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable […] Read more

India’s Draft Data Protection Bill: Another GDPR Around The Corner?

Written by

India recently introduced the Personal Data Protection Bill 2018 (“Bill”). The transfer of personal data in India is currently governed by the SPD Rules (Sensitive Personal Data and Information, 2011), which is however considered outdated and not fully protective of personal data. The Bill comes as a result of the country’s Supreme Court recent judgment that declared privacy a fundamental right of an individual. The Srikrishma Committee (“Committee”) was responsible for drafting the Bill and coined a legal framework that is aimed to shape the country’s digital agenda. The Committee […] Read more

An Update on the California Consumer Privacy Act and Its Private Right of Action

Written by

While it remains to be seen what the final text of the California Consumer Privacy Act (CCPA) looks like when it is ultimately implemented on January 1, 2020, at present it seems likely that businesses and employers can expect an influx of lawsuits from individual consumers proceeding under the CCPA’s private right of action.  Under the current version of the CCPA, the Act provides a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and […] Read more

California Legislature Amends CCPA

Written by

Last Friday, the California Senate and Assembly passed SB-1121, amending the California Consumer Privacy Act (“CCPA”) as enacted in June. We previously issued an advisory following the June enactment, and will host a webinar discussing the law (as now amended) on September 12. This blog post highlights some of the key amendments to the CCPA. SB-1121 amends the CCPA as follows: Exemptions for Health Providers. The bill clarifies that the CCPA does not apply to protected health information (“PHI”) or medical information governed by the Health Insurance Portability and Accountability […] Read more

Brazil Transitions from Sectoral to Omnibus Privacy Regime

Written by

On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework.  Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July.  In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority (DPA) with a separate bill. Scope Like the GDPR, Brazil’s LGPD includes an expanded […] Read more

South Carolina Enacts Insurance Data Security Act

Written by

South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) […] Read more

NYDFS Cybersecurity Requirements Compliance Deadline Nears for Key Provisions

Written by

September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations. Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external [...] Read more

CFPB Changes Annual Notice Requirement Under Reg. P

Written by

On Friday, the Consumer Financial Protection Bureau announced its “finalized amendments” to Regulation P, an implementing regulation of the federal financial Gramm Leach Bliley Act. Regulation P governs the provision of privacy notices for covered financial institutions. In response to legislation passed by Congress in late 2015, the final rule issued Friday permits financial institutions to avoid providing annual privacy notices to customers in certain circumstances. In addition, in cases where the annual notice requirement remains, the final rule permits financial institutions additional [...] Read more

Alston & Bird Hosts Sept. 12 Webinar on California Consumer Privacy Act

Written by

Save the date! On Sept. 12, 1 – 2 PM ET, Alston & Bird will host a webinar to analyze the new California Consumer Privacy Act. (You can read our prior advisory.) The California Consumer Privacy Act has been compared to the European Union’s General Data Protection Regulation due to its creation of important new privacy rights likely to require significant compliance activity by many companies. Partners Jim Harvey, David Keating, and Senior Counsel Peter Swire will lead discussion of this comprehensive new legislation currently slated to enter into force in less than 18 months.   Registration [...] Read more

Japan and EU agree on Terms of Reciprocal Adequacy for Data Transfers

Written by

On July 17, the European Commission (the “Commission”) announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other's data protection systems as equivalent.  In its press release, the Commission explains that this adequacy agreement will create “the world's largest area of safe transfers of data based on a high level of protection for personal data.” The General Data Protection Regulation (“GDPR”) came into effect as of May 25 of this year.  Under the GDPR, “adequacy” is the simplest way for companies to [...] Read more