Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. Based on the 2017 NAIC data security model law and nearly identical to the South Carolina Insurance Data Security Act, the Michigan statute will require insurance licensees to adopt a number of measures including a comprehensive written information security program (“WISP”), the submission of an annual certification of compliance to the Department of Insurance and Financial […] Read more
South Carolina’s prescriptive data security law for insurers took effect on January 1, 2019. Subject to specified exemptions, the law requires any person licensed pursuant to South Carolina insurance laws to take certain steps, including among other things notification of specified cybersecurity events to the South Carolina Department of Insurance. Covered persons are also required to implement a written information security program (by July 1, 2019) and to comply with provisions on third-party service providers (by July 1, 2020).
Please see our previous coverage of the law for additional [...] Read more
In October 2018, the Federal Trade Commission (“FTC”) published a report that summarized discussions at a December 2017 workshop discussing the potential impact to consumers of privacy and security incidents. The purpose of the workshop was to explore whether government intervention in this arena is warranted under the enforcement authority granted to the FTC under the FTC Act, 15 U.S.C. § 41 et seq.
The report reveals that the workshop participants identified several types of potential impacts that they believe consumers may face in the wake of a data security incident that could warrant [...] Read more
On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance [...] Read more
Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable […] Read more
Last Friday, the California Senate and Assembly passed SB-1121, amending the California Consumer Privacy Act (“CCPA”) as enacted in June. We previously issued an advisory following the June enactment, and will host a webinar discussing the law (as now amended) on September 12. This blog post highlights some of the key amendments to the CCPA. SB-1121 amends the CCPA as follows: Exemptions for Health Providers. The bill clarifies that the CCPA does not apply to protected health information (“PHI”) or medical information governed by the Health Insurance Portability and Accountability […] Read more
Save the date! On Sept. 12, 1 – 2 PM ET, Alston & Bird will host a webinar to analyze the new California Consumer Privacy Act. (You can read our prior advisory.) The California Consumer Privacy Act has been compared to the European Union’s General Data Protection Regulation due to its creation of important new privacy rights likely to require significant compliance activity by many companies. Partners Jim Harvey, David Keating, and Senior Counsel Peter Swire will lead discussion of this comprehensive new legislation currently slated to enter into force in less than 18 months.
Registration [...] Read more
Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization. On this blog, we have outlined the items we have seen as particularly time- or resource-intensive.
On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction. Germany has 16 state-run DPAs with general [...] Read more
Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies the handle the personal data of Oregon residents.
Oregon
Broadened Definition of Personal Information
Like [...] Read more
Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications.
Consent requirements
The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the [...] Read more
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy
