Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified […]
Data Security
Chicago City Council Considers Data Collection and Protection Legislation
Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and […]
Colorado Enacts Expanded Data Breach Notification Law
Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”). The law applies to any individual or commercial entity that maintains, owns, or […]
Georgia Court of Appeals Reaffirms Lack of Duty to Safeguard Personal Information
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal […]
Belgian Privacy Commission Issues DPIA “Black” and “White List” Recommendation
On February 28, 2018, the Belgian Privacy Commission issued a recommendation on the position it takes with regard to data protection impact assessments (or “DPIAs”) as foreseen in the GDPR. A DPIA under the GDPR is similar in scope and impact to its predecessor, the PIA (or “privacy impact assessment”) and requires businesses to assess […]