Archives: Data Breach Notification Laws

Pennsylvania’s Data Breach Notification Law Is Changing: What Does It Mean for Entities Doing Business in the Keystone State?

2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.… Continue Reading

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke

Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

Key Changes to New York Breach Notification and Data Security Protection Requirements from the New York SHIELD Act

The New York SHIELD Act,[1] officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection requirements. The amended data breach notification obligations went into effect on Oct. 23, 2019, with the data security requirements … Continue Reading

Deeper Dive: GDPR a Game-Changer for Data Breach Notification

When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available … Continue Reading

Massachusetts Enacts Significant Changes to Its Data Breach Notification Law

On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019. One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

Navigating the State Data Breach Laws? An Enhanced Resource is Available

In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others. And states have been active in amending their … Continue Reading

Colorado Enacts Sweeping Changes to Data Breach Reporting Requirements and Adds New Data Security Requirements

Colorado’s Gov. John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept. 1, 2018. Disposal of personal identifying information As previously discussed here (while the bill was in committee), HB18-1128 … Continue Reading

Last but not least: Alabama enacts a data breach notification law with strong notification and security requirements

Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information. Alabama requires organizations to implement and … Continue Reading

Canadian Breach Notification Requirements Take Effect November 1

On April 18, 2018, the Canadian government published long-awaited Breach of Security Safeguards Regulations specifying the requirements for notifying the Office of the Privacy Commissioner and affected individuals of data breaches that pose a “real risk of significant harm.” The Regulations will come into force on November 1. As we previously reported, the Digital Privacy Act, … Continue Reading

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

One of two remaining states without a data breach notification law has finally enacted one of its own. On March 21, 2018, South Dakota Governor Dennis Daugaard signed South Dakota Senate Bill 62 into law, creating the newest state data breach notification law, making Alabama the last holdout. South Dakota’s new statute, which will be … Continue Reading

Colorado Legislature Signals That It May Create More Stringent Data Destruction Regulations and Tighten Breach Reporting Requirements

In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading

Delaware Revamps Its State Data Breach Notification Statute

On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and … Continue Reading

Virginia, Tennessee and New Mexico Are the Latest States to Amend Breach Notification Laws

Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception. Virginia The state of Virginia recently expanded its breach notification statute to include income tax information among the types … Continue Reading

New Mexico passes data breach notification and protection bill

Then there were two. On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states … Continue Reading

Australia’s New Breach Notification Law Set to Take Effect February 2018

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take … Continue Reading

Massachusetts Breach Notifications Will Now Be Publicly Available Online

On Jan. 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will begin making its data breach notification archive publicly available online. Previously, data breach notifications filed with the Massachusetts attorney general were only available through public records requests. The change was made pursuant to the June 2016 amendment to … Continue Reading

Tennessee Revamps Its State Data Breach Notification Statute

Tennessee amended its data breach notification statute to potentially require notification of a data breach to affected individuals regardless of whether the personal information involved in the security incident was encrypted. On July 1, Tennessee becomes the first state to remove its encryption safe harbor; there is still an ability to perform a risk analysis … Continue Reading

California Amends Its Breach Notification Statute

For the third time in as many years, California has once again amended its breach notification statute. This time it expanded the definition of “personal information,” clarified the term “encryption,” and mandated additional formatting and content requirements for individual notification letters. These amendments impact both companies and agencies and will go into effect on January … Continue Reading

State Data Breach Notification Requirements Specifically Applicable to Insurers

Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered … Continue Reading