On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.


Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples

Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.
Continue Reading Round-Up of Recent Changes to U.S. State Data Breach Notification Laws

On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law.  The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending New York’s data breach notification statute to broaden the circumstances under which notification may be required.  The second bill, meanwhile, will require consumer reporting agencies to offer identity theft prevention and mitigation services.  Both bills are described in further detail below.
Continue Reading New York Passes New Data Security and Breach Notification Requirements

At a February 27, 2019 hearing on “Privacy Principles for a Federal Data Privacy Framework in the United States,” Republican and Democratic members of the Senate Commerce, Science, & Transportation Committee offered different perspectives on whether new federal privacy legislation should preempt state privacy laws.

Continue Reading Republicans, Democrats Offer Different Views on Preemption During Senate Privacy Hearing

The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law.  In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.  The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.
Continue Reading Massachusetts Amends Data Breach Notification Law to Require Free Credit Monitoring

Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception.  Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements.  Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.
Continue Reading State Data Breach Notification Laws: 2018 in Review

As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case.  While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation.  More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018.  As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance. 
Continue Reading Standing Issues in Data Breach Litigation: An Overview

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.


Continue Reading Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

This spring has seen significant legislative activity with regards to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere.  Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws.  Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law.  In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.”  This post examines each state’s amendments in greater detail below.

Colorado

Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines.  Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred.  Colorado joins Florida as the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions.  In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach.  As with individual notifications, the notification to the state Attorney General must be provided within 30 days  after the date of determination of a breach.


Continue Reading Colorado, Louisiana, and Vermont Add to Recent Trend of Changes to State Data Breach Notification Laws

On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation