Archives: Data Security

Subscribe to Data Security RSS Feed

Musings of Retirement Plan Fiduciaries on Cybersecurity: Episode One

By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few: “When is this effective?” “Does this apply … Continue Reading

Texas Joins Other States with New Texas Data Breach Notification Requirement: Is This a New Trend?

The Texas Legislature, which meets every other year, pushed a change to its data breach notification law at the end of the session in late May, and yesterday Governor Greg Abbott signed the bill into law.  It follows a growing trend of changes to privacy and cybersecurity laws at the state level. Texas House Bill … Continue Reading

Connecticut on its Way to an Enhanced Data Breach Notification Law

UPDATE: On June 16, Gov. Ned Lamont signed HB 3510 into law which becomes effective October 1, 2021. State legislatures across the nation are prioritizing privacy and security matters, and Connecticut is no exception. This week, Connecticut Attorney General William Tong announced the passage of An Act Concerning Data Privacy Breaches, a measure that will … Continue Reading

NY Attorney General Announces Settlement After Website Data Breach

In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state.  The settlement also requires the online retailer to strengthen … Continue Reading

Long-Term Care Facilities Must Educate, Offer, and Report on COVID-19 Vaccinations for Residents and Staff, According to CMS Interim Rule

On May 11, 2021, the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health & Human Services published an interim final rule/guidance to establish COVID-19 vaccination requirements for Long-Term Care (LTC) facilities. The requirements are applicable to both residents and staff. LTC facilities have already been managing COVID-19 vaccination requirements both … Continue Reading

Is New York Next? A Comprehensive Consumer Privacy Bill Reintroduced

On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).  The NYPA had been introduced in a previous … Continue Reading

Don’t be Fooled by the CPRA Effective Date, Employers Have Current Obligations Under the CCPA

The passage of Prop 24, the California Privacy Rights Act of 2020 (“CPRA”), has caused a bit of confusion among businesses in California.  The confusion stems from the fact that the CPRA has an effective date of January 1, 2023, amending the existing California Consumer Privacy Act (CCPA) when it takes effect, but also immediately … Continue Reading

Biden Administration Issues Cybersecurity Executive Order Following Colonial Pipeline Cyberattack

On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in … Continue Reading

NYC Council Passes Data Privacy Bill That Would Impose Rigorous Requirements On Owners of “Smart Access” Buildings

As we noted in our last post, there has been a flurry of data privacy and security activity in New York, with the State appearing poised to join California as a leader in this space.  Most recently, on April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would … Continue Reading

NYC Creates BIPA-Like Requirements for Retail, Hospitality Businesses Concerning Biometric Information Collected From Customers

Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities.  These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers.  Customers … Continue Reading

COVID-19 Vaccine Passport Programs: Privacy and Security Considerations

As access to COVID-19 vaccines becomes more prevalent, and we begin to conceptualize what a post-pandemic world might look like, many governments are assessing the idea of a COVID-19 vaccine passport framework.  In late March, the European Commission announced its plan for a COVID-19 Digital Green Certificate framework (“the framework”) to facilitate “safe free movement … Continue Reading

DOH Employee Error Causes Breach of COVID-19 and Other Health Data Affecting Nearly 165,000 Individuals

In a recent post, we highlighted the need for a privacy and cybersecurity training program, one not solely focused on spotting phishing attempts (although that is quite important as well). A primary reason, quite simply, is that employees continue to be a leading cause of data breaches. This fact was reaffirmed for the Wyoming Department … Continue Reading

Florida Moves Forward a Revised Consumer Privacy Bill

Will Florida be the next state to enact a comprehensive consumer privacy law? It sure is starting to look like a viable possibility.  With the California Consumer Privacy Act (“CCPA”) in full effect, and the recent enactment of Virginia’s Consumer Data Protection Act (“CDPA”), there has been a flurry of state privacy legislative proposals since … Continue Reading

Developing a Privacy and Cybersecurity Training Program for Employees

Increased remote work due to the COVID-19 pandemic has only exacerbated privacy and cybersecurity concerns, and likely has not changed the finding in Experian’s 2015 Second Annual Data Breach Industry Forecast: Employees and negligence are the leading cause of security incidents but remain the least reported issue. A more recent state of the industry report … Continue Reading

DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans

Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of … Continue Reading

COVID-19 Vaccination: Setting Up An On-site Program

The Biden administration reportedly has called for all people at least 18 to be eligible for the COVID-19 vaccine by April 19, 2021, two weeks earlier than its prior goal of May 1, and less than a week away. Most states have already done so. Without the barriers created by state-by-state priority rules, the rate … Continue Reading

5 Key Data Privacy and Security Risks That Arise When Organizations Record Job Interviews & Strategies for Mitigating Them

COVID-19 drove many formerly in-person interactions onto a variety of video conferencing platforms.  But as millions of vaccinations are administered each day, and case numbers decline, it’s now possible to imagine and plan for the time when conducting business over video will no longer be mandatory. For many organizations, though, COVID-19 has led to an … Continue Reading

Utah is the 2nd State to Create a Safe Harbor for Companies Facing Data Breach Litigation

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense. … Continue Reading

Travel 2.0: Vaccine Passports and Visas—What’s Next on the Horizon

One of the industries perhaps hardest hit by the coronavirus, the travel industry, received welcomed news late last week in the form of CDC guidance stating that people fully vaccinated against COVID-19 can resume domestic travel and do not need to get tested for COVID-19 before or after travel or self-quarantine after travel. According to … Continue Reading

Colorado Introduces a Comprehensive Consumer Privacy Bill

Colorado recently became the latest state to consider a comprehensive consumer privacy law.  On March 19, 2021, Colorado State Senators Rodriguez and Lundeen introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Following California’s bold example of the California Consumer Privacy Act (“CCPA”) effective since January 2020, Virginia recently … Continue Reading

New York Considering Dramatic Expansion of Consumer Privacy Rights

In 2018, the California Consumer Privacy Act (“CCPA”), which provides for an expansive array of privacy rights and obligations, was enacted.  At the time, it was reasonable to wonder whether California’s bold example would catalyze similar activity in other states.  It’s clear now that it has.   Virginia recently passed its own robust privacy law, the … Continue Reading

The Circuit Split Continues: 11th Circuit Weighs in on Standing in Data Breach Litigation

The 11th Circuit recently weighed in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Joining several other circuit courts, the 11th Circuit in Tsao v. Captiva MVP Rest. Partners, concluded that the plaintiff had failed to allege either that the data breach … Continue Reading

Virginia Becomes 2nd State to Enact a Comprehensive Consumer Privacy Law

On Tuesday, March 2nd, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (CDPA), officially joining California as the second state with a comprehensive consumer privacy law, intended to enhance privacy rights and consumer protection for state residents.  We provide an in-depth analysis of the CDPA here, along with legislative activity in … Continue Reading

FDA Names First Acting Director of Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) named University of Michigan Associate Professor Kevin Fu Acting Director of Medical Device Security in its Center for Devices and Radiological Health. This is a newly created 12-month post in which Fu will “work to bridge the gap between medicine and computer science and help manufacturers protect medical … Continue Reading
LexBlog