On March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed into a law a similar statute one-week prior. The Alabama law will take effect May 1, 2018. … Continue Reading
It’s official! Alabama is the only remaining state lacking a data breach notification statute. On March 21, 2018 South Dakota Attorney General Marty Jackley announced that Governor Dennis Daugaard signed into law the state’s first data breach notification law, after unanimous approval by both chambers of the state legislature a couple weeks prior. The law … Continue Reading
Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law. South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting … Continue Reading
An Illinois nursing home is facing a putative class action lawsuit filed by a worker who argues that the facility’s required fingerprint scan for timekeeping poses a threat to their privacy, and violates Illinois’s Biometric Information Privacy Act (“BIPA”). From July 2017 to October 2017, at least 26 employment class actions based on the BIPA … Continue Reading
Delaware joins the growing number of states that recently amended their data breach notification law. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018). Delaware maintains the state law trend of requiring businesses … Continue Reading
When businesses set out to safeguard “personal information,” a fundamental consideration is what that term means. Likewise, when negotiating a third-party vendor agreement, it typically is not enough to rely on the standard definition for “confidential information.” Recently, Nevada and other states have updated their definitions of personal information in connection data breaches notification and … Continue Reading
UPDATE: The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information. As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, … Continue Reading
On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information. This marks the FCC’s first data security case and the largest privacy action in the FCC’s history. According to the FCC, TerraCom, Inc. … Continue Reading
On January 1, 2015, Delaware employers who dispose of records which contain the unencrypted personal identifying information of employees must take steps to ensure the privacy of such information. The bill, H.B. 294, was recently signed by Delaware’s Governor Jack Markell. The new law defines personal identifying information as an employee’s first name or first initial … Continue Reading
The U.S. Commodity Futures Trading Commission (Commission) issued a Staff Advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy. GLBA was enacted to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information. Specifically, … Continue Reading
In a recent consent order, the New Jersey Division of Consumer Affairs settled an investigation involving Dokogeo, Inc., a California based mobile application developer. Under the Children’s Online Privacy Protection Act (“COPPA”) websites and online services which collect information from children younger than 13 are subject to certain parental notice and consent requirements. In the Dokogeo … Continue Reading
In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information. California Assembly Bill 1291, would require businesses who have customer personal information and have disclosed … Continue Reading
Note to parents and school districts - data thieves are targeting cash-strapped school distrists to steal unprotected personal information of students who happen to have pristine credit histories.… Continue Reading
In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states. The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business … Continue Reading
In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively. On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified … Continue Reading
