Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.
Continue Reading Round-Up of Recent Changes to U.S. State Data Breach Notification Laws

On April 24, 2019, the Supreme Court issued its opinion in Lamps Plus, Inc., et al. v. Varela, addressing the question of whether an ambiguous arbitration agreement can be read to compel class arbitration under the Federal Arbitration Act, 9 U.S.C. §§ 1-16 (2000). Underscoring the controversial nature of this decision, the case was decided by a 5-4 split that included dissenting opinions authored by Justices Ginsburg, Breyer, Sotomayor, and Kagan. The majority opinion, authored by Chief Justice Roberts, held that contract ambiguity did not suffice to compel class arbitration.

Continue Reading U.S. Supreme Court Affirms the Necessity of Express Authorization for Class Arbitration

On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018.

Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime.  Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.

The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.”  Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).

To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018.  The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards.  Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.

This post summarizes key requirements of the Guideline.


Continue Reading China’s Ministry of Public Security Issues New Personal Information Protection Guideline

The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law.  In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.  The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.
Continue Reading Massachusetts Amends Data Breach Notification Law to Require Free Credit Monitoring

Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception.  Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements.  Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.
Continue Reading State Data Breach Notification Laws: 2018 in Review

As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case.  While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation.  More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018.  As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance. 
Continue Reading Standing Issues in Data Breach Litigation: An Overview

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.


Continue Reading Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international operations. As new technologies allow airlines to pursue new and innovative uses of customer data, it is imperative that airlines continue to conduct their operations with GDPR compliance in mind, particularly given the financial and other reputational issues that can arise for a failure to meet the GDPR’s strict requirements.

Below are 5 key issues for airlines to consider in relation to the GDPR post-implementation.
Continue Reading GDPR: Top 5 Post-Implementation Issues for Airlines

On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime.

Last year, the Supreme Court of India issued a landmark decision holding that privacy is a fundamental right under India’s Constitution. In that opinion, the Court invited the Government of India to formulate “a regime for data protection.” As a result, the Government established the Committee of Experts “to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill.”

In November 2017, that Committee released a White Paper that outlined its views on data protection and solicited public comments. The draft bill incorporates those comments as well as the Committee’s own analysis.
Continue Reading India’s Committee of Experts Releases Draft Personal Data Protection Bill

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections.  The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.

The CCPA applies to for-profit entities that conduct business in