With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification.   We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.

Managing the differing requirements remains a challenge, and points to the need for updated incident response plans.   As an example, the chart below outlines the different timelines for notification.  The Mintz Matrix contains information on all of these, and more.

Continue Reading Mintz Matrix Updated – Data Breach Laws in All 50 States

Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include.   An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions.  “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

 

 

 

 

 

 

Only one U.S. state without a data breach notification law, that is.

South Dakota as become the 49th state to enact a data breach notification law, which take effect on July 1.    The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.

The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:

  1. Social Security Number;
  2. Driver’s license number or other unique identification number created or collected by a government body;
  3. Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
  4. Health information;
  5. Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.   The definition of “protected information” does not include a person’s name.

Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised.   Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.

Notification is required within 60 days of the discovery of the breach.  A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action.   The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.

Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.

A update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws.  Watch this space.

 

 

A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved.  Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias.  In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.

Continue Reading Supreme Court Declines to Address Circuit Split on Data Breach Standing Issue

Mintz Levin Benefits attorney Patricia Moran recently authored an article for  the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship.  The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators. For the full story, click here.

 

Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.

Other states already require businesses to meet specific standards with regard to providing cyber security protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as a Chief Information Security Officer, and implement an incident response plan, among additional imperatives. Similarly, states differ with regard to their requirements of businesses in providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and to the Office of Consumer Affairs and Business Regulation (OCABR).

Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether or not a business qualifies for the safe harbor provision will be up to a judge to determine if such business has met its burden. Ultimately, the key takeaway is that this new legislation will provide for compliance as an affirmative defense for businesses facing a lawsuit as a result of a data breach.

The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.

Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans?  Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks?  All of these developments provide an extra measure of security control beyond key cards which can be lost or stolen, and can help to control a time-keeping fraud practice known as “buddy punching.”  If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on ….  Continue Reading The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers

This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.

Continue Reading 3 Billion Compromised Yahoo Accounts May Yield Largest Plaintiff Class Ever

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017