New Connecticut Law Threatens $500,000 Penalty for Privacy Violations

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information. “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.


SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.


Proskauer's Tanya Forsheit Gives Web Exclusive Interview on Pending Data Breach Legislation

Focus on the EU and France -- Can US Employers Collect Sensitive Data about Their Employees Resident in the EU?

US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees.  However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive.  This blog post is designed to provide some basic information about Article 8 and its exceptions.  It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.

 


French Data Protection Agency Rules that Employees Are Entitled to View Their Evaluations

Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which had refused to divulge the evaluations to the employees upon request.


Proposed California Legislation Would Require Retailers to Dispose of Personal Information Within 90 Days

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements. In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779. That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers. The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.
