On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR. … Continue Reading
On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of … Continue Reading
Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals … Continue Reading
On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for … Continue Reading
Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident. His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on … Continue Reading
Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards. In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have … Continue Reading
U.S. tech giants, like Google and Facebook, found themselves caught between the European Parliament and the European Commission as disagreements continue as to whether Internet service providers should be included within the definition of ‘market operators’ in the Proposed Directive on Network and Information Security (IP/13/94) (the ‘Directive’). Currently, the EU Commission would like to … Continue Reading
On April 17, advocates in support of a federal data security and breach notification law achieved a victory when the House Energy and Commerce Committee passed a bill supporting national legislation. The proposed Data Security and Notification Act of 2015 (the “Act”) seeks to codify uniform regulations governing consumer personal information throughout the United States. … Continue Reading
On April 13, the Washington State Senate unanimously passed an amendment to the state’s data breach notification law. The amendment, which was requested by Washington Attorney General Bob Ferguson, and which we discussed in this previous post, passed the state house of representatives in March and is now awaiting the governor’s signature. The law will … Continue Reading
The federal government may be pushing a cybersecurity and data privacy agenda, but that doesn’t mean that the states are taking a back seat. The state attorneys general are maintaining their focus on issues relating to privacy and data security and expanding the scope of that focus to address the ever-evolving nature of those issues. … Continue Reading
On December 10, Oregon Attorney General Ellen Rosenblum testified in front of the joint Oregon Senate and House Judiciary Committee on the evolving nature of not only data collection and use, but also on cybersecurity incidents and hacking, and the need to amend the Oregon data breach notification law to provide enforcement authority to the … Continue Reading
Last month, the Information Commissioner’s Office (ICO) published a response to the government’s call for views and evidence on the draft EU Directive on Network and Information Security (NIS Directive). The ICO’s criticism stemmed from its experience with mandatory data breach notifications from the telecoms sector and included suggestions for modifying the proposed NIS Directive. … Continue Reading
As the year is coming to an end, the industry is speculating about the release date of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule. The final rule is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules, and with the release date yet to be determined, … Continue Reading
ENISA (the European Network and Information Security Agency) has issued a new report on data breach notifications. Having approached telecoms operators and data protection authorities (DPAs) on this topic, the report highlights data breach handling and key stakeholder concerns. The revised e-Privacy Directive (2002/58/EC) brought in EU data breach notification requirements for the telecoms … Continue Reading