Tag Archives: breach notification

NY Data Breaches Reached Record Levels in 2016

New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers.  These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, … Continue Reading

Updated OMB Breach Response Policy Includes Required Breach-Related Provisions for Federal Agency Contracts

Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements … Continue Reading

FTC Issues Guidance for Responding to Data Breaches

On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity … Continue Reading

G-7 Publishes Fundamental Elements of Cybersecurity for the Financial Sector

On October 11, 2016, the finance ministers and central bank governors of the Group of 7 (G-7) countries announced the publication of the Fundamental Elements of Cybersecurity for the Financial Sector, a non-binding guidance document for financial sector entities.  The publication  describes eight fundamental “elements” of effective cybersecurity risk management to guide public and private … Continue Reading

EU Cyber Security Directive To Enter Into Force In August

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading

Verizon Releases 2016 Data Breach Investigations Report

Verizon recently released its 2016 Data Breach Investigations Report (“DBIR”) that outlines cybersecurity threats, vulnerabilities, and trends from 2015.  Verizon, with the assistance of more than 60 contributors, analyzed over 64,000 information security incidents (security events that affect the integrity of an information system) and 2,200 data breaches (incidents that result in the “confirmed disclosure … Continue Reading

Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed

Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that … Continue Reading

Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information

Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.  Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification … Continue Reading

The New EU Data Protection Law: Key Elements for Business

The General Data Protection Regulation (GDPR) (see the latest text here), which was approved at the political level last week, heralds a new era of data protection in the EU and beyond.  The GDPR imposes numerous new obligations on companies both within and outside the EU, strengthens the rights of individuals and foresees stiff penalties … Continue Reading

Three-Bill Package Makes Revisions to California’s Data-Breach Notification Statute

By Brandon Johnson On October 6, 2015, California Governor Jerry Brown signed into law a trio of bills that is intended to clarify key elements of the state’s data-breach notification statute and provide guidance to persons, businesses, and state and local agencies that deal with electronically stored personal information.  The bills, which were passed together … Continue Reading

Dutch Parliament Adopts Data Breach Notification Obligation and Increases Fines

On May 26th, 2015, the Dutch Senate passed a new law (“the Law”) (legislative proposal, as adopted, is accessible here), which introduces an obligation to notify the Dutch DPA ‘without delay’ in case of a data breach.  The law also broadens the powers of the Dutch DPA, enabling it to impose significantly higher fines for … Continue Reading

House Focuses on Data Breach Bills

By Ani Gevorkian The issues of data breach notification and data security issued received a fair amount of attention in the House this week:  On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep.  Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release … Continue Reading

Data Breach Notification Bills Introduced in House and Senate

By Caleb Skeath Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as … Continue Reading

House Debates Federal Data Breach Legislation

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in … Continue Reading

House Subcommittee to Hold Hearing and Begin Drafting Data Breach Bill

Tomorrow at 10:00 a.m., the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing to determine what elements should be included in federal data-breach legislation.  The following witnesses are scheduled to testify: Elizabeth Hyman, Tech America Executive Vice President of Public Policy Jennifer Glasgow, Acxiom Chief Privacy Officer Brian Dodge, Retail Industry Leaders Association … Continue Reading

Ten Ways the 2014 Election May Affect Privacy and Data Security Law

When Republicans take over the Senate in January, new leaders will control key committees that oversee privacy and data security issues, and their priorities will differ significantly from those of their predecessors.  Privacy issues, however, generally tend not to break neatly along party lines and there will remain bipartisan support – and bipartisan opposition – … Continue Reading

Internet of Things Poses a Number of Significant Data Protection Challenges, Say EU Watchdogs

The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related … Continue Reading

Florida Enacts Stringent Breach Notice Law

Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws.  This post summarizes the key aspects of the new law, which becomes effective July … Continue Reading

Kentucky Enacts Data Breach Notification Law

Last week, Kentucky governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  The law requires companies that suffer a data breach to provide notice of the breach to Kentucky residents “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” … Continue Reading

Iowa Amends Breach Notice Law to Require Notice to State AG

Iowa’s governor recently signed into law S.F. 2259, which amends Iowa’s data breach notification law.  Under the amendment, entities that suffer breaches of personal information that are required to notify more than 500 state residents will also be required to notify the state’s attorney general.  The notice to the attorney general must be provided within … Continue Reading

EU Article 29 Working Party Publishes Guidance on Data Breach Notification

By Philippe Bradley and Ezra Steinhardt Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion).  The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to … Continue Reading
LexBlog