
Cynthia Larose is a Member in Mintz Levin’s Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach.

Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include. An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions. “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.
Only one U.S. state without a data breach notification law, that is.

South Dakota has become the 49th state to enact a data breach notification law, which takes effect on July 1. The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.

The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:

  1. Social Security Number;
  2. Driver’s license number or other unique identification number created or collected by a government body;
  3. Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
  4. Health information;
  5. Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. The definition of “protected information” does not include a person’s name.

Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised. Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.

Notification is required within 60 days of the discovery of the breach. A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action. The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.

Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.

An update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws. Watch this space.
Beware of March Madness! Scammers and phishers take advantage of increased web traffic by impersonating popular March Madness websites, including bracket sites and game live streams. Will your employees take the bait?

Last year, it was reported that traffic from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament. Monitoring sites observed a corresponding, clear upward spike in malicious activity in this category, such as phishing pages, adware downloads, improper handling of user data, and attempts at domain squatting. All of this is likely going on again this year, and it will be on your corporate networks.

  • Have you implemented solutions to limit the impact of nefarious phishing campaigns?
  • Have you trained employees to recognize phishing emails?
  • Do you remind employees about the dangers of falling victim to click bait in emails?
  • Do you remind employees about simple password hygiene and to not reuse corporate passwords outside the network?

The best advice we can offer is to use only NCAA-sanctioned bracket applications through your web browser. There are many third-party sites out there that prompt the user to create login credentials. In 2017, it was observed that one such application collected a username and password and then transmitted them in the clear. This plaintext credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, attackers might gain access to users’ email accounts, bank accounts, tax preparation accounts, etc., or even worse, your corporate network.

Good luck!

The Supreme Court on Tuesday will hear arguments in United States v. Microsoft Corp., in which the court will decide whether a US technology service provider, Microsoft, must obey a search warrant for data stored in a foreign country. “It’s going to set the tone for cross-border data demands on a global scale,” said Gregory Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology. All briefs and other documents are catalogued at SCOTUSBlog. We’ll be watching.

CNNMoney (2/25)

Mintz Levin Benefits attorney Patricia Moran recently authored an article for the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship. The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators. See the article for the full story.

We’ve discussed privacy compliance with regulations, legal requirements, etc. in this space since this blog’s inception. “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.

Privacy can also be a key differentiator and a competitive advantage. Read on for some points that can help drive your data privacy/data management program in the full post, How to Leverage Privacy as a Key Competitive Advantage.

Mintz Levin’s TCPA and Consumer Calling Practice Team has published its latest TCPA Digest.

This month’s issue examines an FCC rulemaking proceeding concerning whether providers should be required to establish a challenge mechanism for incorrectly blocked robocalls. In addition, the Digest examines the factors defendants should consider in deciding whether to make an early offer of judgment (a “Rule 68” offer) in a TCPA class action, and relevant case law about early offers.

The TCPA Digest can be read here.
In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by fines modeled on European antitrust laws. US Life Sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations. The next webinar in our GDPR series, targeted particularly to life sciences and biotech companies, will be coming up in March. Watch this space for more information and registration.

Step 1 – Confirm that the GDPR Applies. The remaining steps are in the full post, Practical GDPR Steps for US-Headquartered Life Sciences Companies.

Happy 2018. You may notice a new widget in the right sidebar of our home page. Now you have a reminder as to just how close we are to the GDPR D-Day. GDPR is real. GDPR is here.

To brush up on your GDPR, or to help you get moving in the right direction, here is a link to all of the content from our 2017 GDPR webinar series. Each edition includes a link to the recording and slides. We will continue to produce targeted content throughout 2018, so stay tuned.