Data Points: Privacy & Data Security Blog

Tuesday, September 4, 2018 marked the New York State Department for Financial Service’s deadline for compliance with several sections of cybersecurity regulation 23 NYCRR 500 (the “Regulation”).  The Regulation covers any organization that operates (or is required to operate) under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law (Title 3 of the NYCRR), the Insurance Law (Title 11 of the NYCRR), or the Financial Services Law (Title 23 or the NYCRR) (a “Covered Entity”).  This is the third compliance ...

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in in Palo Alto, having survived his marathon two-days of testimony in front of a somewhat confused Congress, what’s next? 

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S..

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

By Nathan White

According to the recently released North Carolina Attorney General Security Breach Report, nearly 5,337,154 North Carolinians were impacted by security breaches in 2017.  The Report highlights several trends data protection specialists and North Carolina businesses should take into consideration.

The report breaks down 1,022 data breaches occurring in North Carolina during calendar year 2017.  For the first time since reporting was required in 2005, hacking constituted a slight majority of the reported breaches at 50.49%.  This reflects a continuing trend of ...

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

On August 17, 2017, Delaware amended its personal information protection law, Delaware Code Title 6, Chapter 12B.  The amendment becomes effective 240 days after enactment or March 14, 2018. The amended law significantly enhances the protections afforded Delaware residents whose personal information has been – or is reasonably believed to have been – breached, by adding obligations on the part of a person or entity who conducts business in Delaware or owns, licenses and maintains “personal information” as the Delaware law defines the term. The major changes to the law are ...

By Nathan A. White

Can the government force the hosting service of an activist website company to turn over vast amounts of user data in order to track down political protesters?  According to a federal court ruling, the answer  -- Yes, but let’s slow this train down a little bit.  On Thursday, August 24, 2017, District of Columbia Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a search warrant issued by the Department of Justice on July 12, 2017 seeking IP addresses and other data of visitors to “disruptj20.org” website hosted by DreamHost.  Disruptj20 ...

By Bill Butler

Recently, the D.C. Circuit Court of Appeals ruled in Attias v. CareFirst, Inc., No. 16-7108, that customers had standing to sue a health insurer for a 2014 data breach in which the customers’ information was stolen.  In reversing the district court’s dismissal of the class action, the D.C. Circuit held that the customers’ allegations that the hackers accessed and took their Social Security numbers, credit card numbers, and health insurance subscriber ID numbers were each independently sufficient to show actual or imminent injury.  The customers’ complaint ...

PRIVACY AND DATA SECURITY IN THE TRUMP ERA: HOW TO TALK TO THE FBI AND YOUR IT DEPARTMENT IN A DATA BREACH (MAY 24, 2017): Effectively responding to a data breach requires clear communication with a web of internal and external groups. Two important groups are law enforcement and a company’s internal IT department. With the help of an FBI agent and an IT professional, this seminar will explore how to effectively work with these two groups to address a breach. Wednesday, May 24, 2017 11:30 AM - 1:00 PM. Register here.