Archives: Breach Notification

Subscribe to Breach Notification RSS Feed

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

By Benjamin Wanger and Elana Weinblatt on September 27, 2021 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Data Privacy, HIPAA/HITECH

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

Everything Data!

By Theodore J. Kobus III on January 21, 2020 Posted in Advertising, Breach Notification, Consumer Data, Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Governance, Information Security

Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible. In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage … Continue Reading

New Year Brings Trio of U.S. Breach Notification Amendments

By Andreas Kaltsounis on January 7, 2020 Posted in Breach Notification

Along with the California Consumer Privacy Act, the new year brought us a trio of updated breach notification laws, in Oregon, Texas and Illinois. The Oregon law is of the most interest because it is the first to require that vendors notify the state’s attorney general of breaches in some cases. It also requires a … Continue Reading

Maryland Insurance Administration Issues Breach Notification Bulletin

By Patrick H. Haggerty on September 4, 2019 Posted in Breach Notification

On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA. Effective Oct. … Continue Reading

Massachusetts Enacts Significant Changes to Its Data Breach Notification Law

By David M. Brown on January 11, 2019 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019. One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when … Continue Reading

GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

By Brian P. Bartish and Laura E. Jehl on October 30, 2018 Posted in Breach Notification, GDPR, Privacy Litigation

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data … Continue Reading

Navigating the State Data Breach Laws? An Enhanced Resource is Available

By Julie Hein on September 21, 2018 Posted in Breach Notification, Data Breach Notification Laws

In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others. And states have been active in amending their … Continue Reading

Arizona Expands Its Data Breach Notification Statute

By Anthony P. Valach and Julie Hein on May 22, 2018 Posted in Breach Notification

Effective August 1, 2018, the House Bill 2154 recently signed by the Arizona governor will expand the current Arizona data breach notification law. Following the trend of other states, the amended statute expands the definition of “personal information.” The law will now require individual and regulatory notification within 45 days of a breach and will … Continue Reading

New Mexico passes data breach notification and protection bill

By Erich Falke on March 20, 2017 Posted in Breach Notification, Data Breach Notification Laws

Then there were two. On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states … Continue Reading

Australia’s New Breach Notification Law Set to Take Effect February 2018

By Melinda L. McLellan and Emily R. Fedeles on March 7, 2017 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, International Privacy Law

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take … Continue Reading

Federal agencies given new breach response and preparation guidelines

By Erich Falke on January 17, 2017 Posted in Breach Notification

The White House has made a step toward implementing in federal agencies some breach response best practices currently used in the private sector. On Jan. 3, the White House issued a memorandum (Memo) updating for the first time in almost a decade guidelines on how federal agencies should prepare for and respond to a breach … Continue Reading

Nebraska Amends Its Data Breach Notification Statute

By Kathryn Mellinger on April 26, 2016 Posted in Breach Notification

Since the beginning of 2015, numerous states have amended their data breach notification statutes to include expanded definitions of personal information, clarifications on encryption standards, and new notice content and timing requirements. On April 13, 2016, Nebraska joined this roster when Governor Pete Ricketts signed LB 835 into law, amending Nebraska’s Financial Data Protection and … Continue Reading

Incident Response Practice Tip: Balance Meeting Breach Notification Deadlines With Securing Your Network

By Theodore J. Kobus III on September 15, 2015 Posted in Breach Notification, Data Breach Notification Laws, Incident Response

State breach notification statutes are being amended on almost a monthly basis. Several laws have, or will soon have, a mandatory notification deadline for notifying affected individuals after the discovery of the incident. Washington’s new law, which went into effect on July 24, includes a 45-day deadline for notification but goes further to allow for … Continue Reading

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws

By M. Scott Koller, Melinda L. McLellan and Jenna N. Felz on July 27, 2015 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makers, with nine states formalizing amendments to their … Continue Reading

A Deeper Dive: Regulatory Investigations Following a Reported Breach

By Theodore J. Kobus III on June 2, 2015 Posted in Breach Notification, Incident Response, Information Security

In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time. A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an … Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

By Craig A. Hoffman on January 20, 2015 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading

New York Attorney General Announces Proposal to Revamp State Data Security Laws

By Melinda L. McLellan on January 20, 2015 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures … Continue Reading

What’s on the Horizon in the Golden State?

By Tanya Forsheit on December 16, 2014 Posted in Breach Notification, Cybersecurity, Data Breach Notification Laws, Marketing, Online Privacy

As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and security. Following are a few examples of new California laws taking … Continue Reading

California Attorney General Releases 2014 Data Breach Report and Recommendations, Finding More of the Same.

By Tanya Forsheit on October 29, 2014 Posted in Breach Notification, Data Breaches, Identity Theft, Retail Industry

Editor’s Note: The author thanks Jaysen Borja for his contributions to this post. On October 28, 2014, Attorney General Kamala Harris released the second annual California Data Breach Report. The report detailed the nature and scope of data breach notifications that her office received in 2013. Her office has been analyzing notifications of data breaches … Continue Reading

Florida Gives Breach Notification Statute More Teeth

By Cory J. Fox on June 30, 2014 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security

On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB … Continue Reading

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

By Cory J. Fox on April 16, 2014 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security

Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations. On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa … Continue Reading

Kentucky Enacts Data Breach Notification Statute

By Cory J. Fox on April 14, 2014 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Information Security

On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation. H.B. 232 also includes a separate section … Continue Reading

Is the 5th Time the Charm? – Nationalizing Data Breach Notification

By Eric A. Packel on March 16, 2014 Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation

Once the smoke and dust clears from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector specific breach notification laws are in place, such as HIPAA/HITECH in … Continue Reading