Photo of Joseph J. Lazzarotti

Joseph J. Lazzarotti

Subscribe to Joseph J. Lazzarotti's Posts

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Contact:Read more about Joseph J. Lazzarotti

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA) which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security and updates its existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:
Continue Reading New York SHIELD Act FAQs

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to existing proposed regulations

Image result for CCPA class actionAs reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about and to exercise some control over their personal information. Developing sufficient mechanisms to receive, process

Employers that sponsor group health plans (medical, dental, vision, HFSA) are used to negotiating detailed administrative services agreements with vendors that provide services to those plans. Many also are familiar with “business associate agreements” required under HIPAA that must be in place with certain vendors, such as third-party claims administrators (TPAs), wellness program vendors, benefits

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning

Coronaviruses 004 lores.jpgThe outbreak of a new coronavirus that is believed to have began in central Chinese city of Wuhan and now appears to be spreading to the United States is driving concerns for organizations around preparedness regarding their operations, their customers, and their employees. Both the Center for Disease Control and Prevention (CDC) and the State

In the final days of 2019, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED Act”) was signed into law to combat the increasing number of illegal robocall practices and other intentional violations of telemarketing laws. The TRACED Act, a bipartisan bill, first introduced in Congress in 2018, broadens FCC authority to levy Telephone

Recently, the U.S. Federal Trade Commission issued an important opinion, concluding that Cambridge Analytica, LLC, the data analytics and consulting company, engaged in “deceptive practices to harvest personal information” of tens of millions social media users, by way of using their data from a company developed app, GSRapp, for voter profiling purposes without the