In honor of Data Privacy Day, we provide the following “Top 10 for 2017.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017.
1. Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or
While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms.
This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks
The Internet of Things (IoT), as defined by Wikipedia, is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between
On January 1, 2015, Delaware employers who dispose of records which contain the unencrypted personal identifying information of employees must take steps to ensure the privacy of such information. The bill, H.B. 294, was recently signed by Delaware’s Governor Jack Markell.
The new law defines personal identifying information as an employee’s first name
As we have previously anticipated, yesterday New Jersey joined the multitude of other states which have enacted laws limiting employer access to employee social media accounts.
The law prohibits employers from requesting or requiring a current or prospective employee to provide or disclose any user name or password, or in any way provide the employer access to, a personal account. 
Additionally, the law goes on to prohibit employers from requiring an individual to waive or limit any protection granted under the law as a condition of applying for or receiving an offer of employment. Specifically, the law states that an agreement to waive any right or protection is against the public policy of New Jersey and is void and unenforceable.
The law also prohibits employer retaliation or discrimination against an individual because the individual: refuses to provide or disclose any user name or password, or in any way provide access to, a personal account; reports an alleged violation to the Commission of Labor and Workforce Development; testifies, assists, or participates in an investigation, proceeding, or action concerning a violation of the law; or otherwise opposes a violation of the law.
Notably, the law permits the Commissioner of Labor and Workforce Development to collect civil penalties in an amount not to exceed $1,000 for the first violation and $2,500 for each subsequent violation.
Based on the Governor’s recommendations, the final law does not prevent an employer from implementing and enforcing a policy pertaining to the use of an employer issued electronic communications device or any accounts or services provided by the employer or that the employee uses for business purposes.
While the law prohibits certain employer activity, it does permit employers to conduct investigations regarding: work-related employee misconduct based on information about activity on social media; or an employee’s actions based on information about the unauthorized transfer of an employer’s proprietary, confidential, or financial information to social media. Logically, the law also does not prevent an employer from viewing, accessing, or utilizing information about a current or prospective employee that can be obtained in the public domain.
It appears that New Jersey is just the next in the line of states which will adopt similar provisions limiting employer access to an employee’s personal social media accounts. While it is difficult to say the impact the law will have, at a minimum, employers must begin to assess their own internal hiring and human resources practices to make sure they comply with this law.Continue Reading New Jersey Ban On Employer Access To Social Media Accounts
In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states. The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business
A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity’s disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment
The Maryland Senate recently referred Senate Bill 971 which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts. 
Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide
Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government’s computers and networks. While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously
In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.
On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents