Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification and have enacted data security laws to enhance data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur. By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures. Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security
If you have had to provide data breach notices across any number of states (and who hasn’t….), you would know that they vary widely in how those notices must be provided to state regulators. In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices. In still other states, notice letters must be sent to one or multiple regulators.
Pursuant to the Massachusetts data breach notification statute, M.G.L. 93H, notices must be provided to the affected resident, the Attorney General’s office and to the Office of Consumer Affairs and Business Regulation (OCABR). It is not enough that Massachusetts has a sui generis breach notice content statutory requirement (you must tell affected residents of the breach, but you can’t tell them about the breach), now the OCABR has created its own notice submission portal that is a separate form and not just a place to upload a copy of the AG notice. A letter sent out earlier this month also says “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”
Make sure you update your incident response plan to account for this additional notice requirement.
As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers. The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.
The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act. The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. The FCC concluded in its Open Internet Order that the rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs. With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers. Continue Reading FCC Broadband Privacy and Security Proposed Rulemaking Underway
Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.
Some changes of note
Tennessee is our most recent state to amend its existing state data breach notification law. Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:
- Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
- Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
- Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”
California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015. Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on the Mintz Matrix when consulting various states.
What should you do now?
Spring cleaning. Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line. In particular:
- Note tightened response deadlines (Rhode Island, Tennessee)
- Add identity theft prevention or identity theft mitigation services (Connecticut, California)
- Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
- Revise notice templates to comply with the new California format
As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details….. Continue Reading Not again …. yet another health care data breach
Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.
In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”
California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.
The number of personal records that were compromised is staggering; 178 breaches were reported during 2015 and 24 million personal records were compromised.
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?
The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch). The Commission claims that the Regulation is good for individuals and good for business. We’ll leave that to readers . . . and history . . . .to decide.
As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.
As expected, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (also known as LIBE) voted today to adopt the new General Data Protection Regulation (see the summary we provided yesterday here). A LIBE press release announced the vote with the proclamation “New EU rules on data protection put the citizen back in the driving seat.” The vote was 48 for the GDPR, 4 against, and 4 abstentions. The GDPR will go to a vote of the full EU Parliament in March or April of 2016. It is expected to be passed based on LIBE’s endorsement.
Companies will have a grace period of two years to come into compliance, measured from the date that the GDPR is formally adopted and published in the Official Register. That means that the key compliance date will probably fall in March or April of 2018. Given the complexity of the 200 page Regulation and the likely need to audit and change business processes throughout organizations, we recommend starting the compliance review process immediately.
We will announce a series of webinars to drill down on specific topics under the GDPR early in the new year.