US State Law

Proposed Amendment to California Consumer Privacy Act Would Expand Private Right of Action

Written by

On February 25, California's Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced new legislation to amend the California Consumer Privacy Act (CCPA).  The CCPA as currently enacted establishes a private right of action for consumers impacted by cyber security breaches.  The amendment, known as SB-561, would expand the private right of action to cover any violation of a consumer’s rights under the CCPA.  This would materially increase the risk to businesses of class action litigation from failures to comply with the privacy standards in the new law. The amendment [...] Read more

Time for a General Federal Privacy Law? Peter Swire Opens the Discussion on Potential Preemptive Effects

Written by

The IAPP article, “US federal privacy preemption part 1: History of federal preemption of stricter state laws,” written by Alston & Bird Senior Counsel Peter Swire and published on January 9, 2019, discusses the potential for a general U.S. privacy law and whether and to what extent this new federal law would “preempt” state privacy protections. This article, the first of two parts, primarily focuses on the history of federal privacy legislation. Swire looks at the arguments for and against a general federal privacy law in light of the historical trends of federal privacy legislation […] Read more

South Carolina Insurance Data Security Law Now Effective

Written by

South Carolina’s prescriptive data security law for insurers took effect on January 1, 2019. Subject to specified exemptions, the law requires any person licensed pursuant to South Carolina insurance laws to take certain steps, including among other things notification of specified cybersecurity events to the South Carolina Department of Insurance. Covered persons are also required to implement a written information security program (by July 1, 2019) and to comply with provisions on third-party service providers (by July 1, 2020). Please see our previous coverage of the law for additional [...] Read more

An Update on the California Consumer Privacy Act and Its Private Right of Action

Written by

While it remains to be seen what the final text of the California Consumer Privacy Act (CCPA) looks like when it is ultimately implemented on January 1, 2020, at present it seems likely that businesses and employers can expect an influx of lawsuits from individual consumers proceeding under the CCPA’s private right of action.  Under the current version of the CCPA, the Act provides a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and […] Read more

Landmark New Privacy Law in California to Challenge Businesses Nationwide

Written by

Following our June 4 and July 2, 2018 blog posts tracking California's November 2018 ballot measure turned hastily enacted new California privacy law titled The California Consumer Privacy Act of 2018 (CCPA), Alston & Bird's Privacy & Data Security Group released a more detailed "first look" review of California’s sweeping new law.  The advisory provides an overview of the new law, which establishes an array of privacy rights for state residents and worries for businesses nationwide, and concludes with key initial takeaways for business. Read the advisory here. [...] Read more

Oregon and Arizona Amend Breach Notification Laws

Written by

Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies the handle the personal data of Oregon residents. Oregon Broadened Definition of Personal Information Like [...] Read more

Vermont Passes New Data Broker Law

Written by

Under a Vermont law, data brokers that process information regarding Vermont residents are now subject to registration and security requirements beginning January 1, 2019. Included in the new law are three notable components: (1) a broad statutory definition of a “data broker,” (2) an annual registration requirement for data brokers, and (3) reporting on data broker security breaches. Definition of a “Data Broker” The law takes a technology-neutral approach to its definition of a “data broker,” instead defining the term based on the normal functions of the business. The statute [...] Read more

Colorado Enacts Expanded Data Breach Notification Law

Written by

Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”).  The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments.  [...] Read more

Georgia Court of Appeals Reaffirms Lack of Duty to Safeguard Personal Information

Written by

The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law.  In McConnell v. Ga. Dep’t of Labor, --- S.E.2d ----, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure. In urging that the Court of Appeals should recognize such [...] Read more

Seventh Circuit Affirms Dismissal of Schnuck Markets Data Breach Lawsuit

Written by

The United States Court of Appeals for the Seventh Circuit recently affirmed the dismissal of a putative class action brought by financial institutions against Schnuck Markets, Inc., following a data breach impacting Schnuck beginning late 2012. The plaintiffs attempted to assert claims of negligence, negligence per se, various contract claims, and violation of Illinois consumer protection laws, alleging damages in the form of employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees based on changes in [...] Read more