As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes.  Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime.  In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!

According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.  While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.  Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community.  To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”). This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020.  Continue Reading EU Adopts Cybersecurity Directive: What US Companies Need to Know

While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month.  The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US.  (The European Parliament has also criticized Privacy Shield.)  Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department.  And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.

If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for  formal adoption.  If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed.  Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).

News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is.  In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.

And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.

PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.

In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.imitated

Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

Some changes of note

Tennessee is our most recent state to amend its existing state data breach notification law.  Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:

  • Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
  • Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
  • Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”

California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015.  Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on  the Mintz Matrix when consulting various states.

What should you do now?

Spring cleaning.   Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line.    In particular:

  • Note tightened response deadlines (Rhode Island, Tennessee)
  • Add identity theft prevention or identity theft mitigation services (Connecticut, California)
  • Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
  • Revise notice templates to comply with the new California format

As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!

Privacy & Security Matters Monday Blog Series ImageAnd the days dwindle down, to a precious few … November …

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.   In case you were on a secluded island during the month of October, you can catch up here.

European Commission Issues Communication.  On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashes the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States.   More after the jump. Continue Reading Privacy Monday: November 9, 2015 – EU/Safe Harbor Updates

For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator.

  1. Fail to plan = plan to fail.
  2. Big problems first, small problems later (don’t let the perfect be the enemy of the good).Privacy & Security Matters Monday Blog Series Image
  3. The criticality of the tone at the top cannot be overstated.
  4. You cannot prevent idiocy, but you can train (and retrain, and retrain).
  5. Make good email practices your fight song (in both times of calm, and times of crisis).
  6. Say what you mean and mean what you say (avoid good policies with poor follow-through; don’t set standards that you can’t meet).
  7. Avoid inconsistencies wherever possible.
  8. Know what your peers are doing (and if you aren’t doing the same thing, document why not).
  9. If you have a close call, document your decision and carefully consider whether you want privilege to apply or not (and why not).
  10. Think about your “story” in slow motion being played on a movie screen (or in excruciating detail on the front page of the Wall Street Journal).

H/T to Mintz’s Meredith Leary for these.   For more on these 10 easy steps and a replay of our Halloween-themed October Privacy Webinar, “Tricks, But No Treats:  A Halloween Visit to the Frightening World of Data Security Litigation,”  check out this link to the recording.

We will be following up our post last week regarding the latest US-EU Safe Harbor decision out of Europe with further analysis both from the Mintz Privacy team and our international network of privacy specialists.  Our friends at TaylorWessing have graciously allowed us to repost their view here.   Continue Reading Privacy Monday, September 28, 2015: More on US-EU Safe Harbor — what’s next?

Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.

Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit.   Anticipated since April, 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.

For all the background leading up to today’s ruling, we send you back to our April 2014 post  summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint.  The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures.  The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers.  Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.

The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”

This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.


It’s Monday!   Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

1.    The Site that Promises “Discreet Encounters” Hacked — Karma?

If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise you to know that a self-described site dedicated to “infidelity and married dating” has over 37 million members.  Then again, maybe not.  In any event, the site that bluntly declares “Life is short.  Have an affair.” has apparently been hacked, according to Krebs on Security.   A group calling itself “The Impact Team” claims to have gained access to the databases of Avid Life Media (ALM), the company running AshleyMadison.   The booty The Impact Team allegedly possesses includes payment and personal information of the nearly 37 million members of AshleyMadison — most of whom presumably would desperately want to remain anonymous — as well as internal business information and network and technology mapping of ALM.

The Impact Team’s demand is aimed straight at ALM’s business and demands that either ALM take AshleyMadison and its other site Established Men  (“Connecting young beautiful women with interesting men”) offline, or the data dump will be made public.  “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver … And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”    According to ALM, they are working with law enforcement to track and shut down the hackers.

Until then, there are a lot of nervous cheaters out there today …..

Read more:



2.  Another High Profile Healthcare Data Breach 

UCLA Health System reports that a criminal hack attack could have accessed the health information of as many as 4.5 million patients.  According to the public statement and notices made by the provider, an intruder apparently gained access to its computer system and activity was tracked to a part of the network where unencrypted patient information was stored.  Although UCLA Health does not have any information that leads it to believe that such information was stolen, because the records were not encrypted, patients were notified out of the ubiquitous “abundance of caution.”   Suspicious activity was apparently discovered by the health system back in October 2014 but the access was not discovered until May 2015 as part of the ongoing investigation.   The Los Angeles Times has published an FAQ regarding the hack.

The takeaway:  If encryption of information “in transit” is a prophylactic against theft, then encryption of sensitive records “at rest” is an insurance policy — it is less expensive than providing notice and credit monitoring and certainly more protective of your company’s reputation.  

3.   The FCC Issues Long-Awaited Autodialer Order

The Federal Communication Commission has released its long-awaited “omnibus” Declaratory Ruling and Order clarifying certain provisions of the Telephone Consumer Protection Act of 1981 (“TCPA”).     In the Order, the FCC responded to 21 petitions by a number of companies and trade associations seeing relief or clarification regarding requirements of the TCPA, particularly with respect to so-called “autodialers.”   Mintz Levin’s Communications group has published a client alert analyzing the provisions of the Order.   Read it here.