Header graphic for print
Privacy Law Blog

Tag Archives: data security

California Amends Data Breach Notification Law

Posted in California, Data Privacy Laws

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82).  Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question… Continue Reading

Connecticut Amends Data Breach Notification Law

Posted in Data Privacy Laws

On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.

India Issues Clarification of Recent Privacy Rules

Posted in International

As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection… Continue Reading

Let us tell you how we see this going down: White House publishes cybersecurity legislative proposal

Posted in Data Privacy Laws

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation’s critical infrastructure, and the Federal Government’s networks and computers while providing a framework for safeguarding individual privacy and civil liberties.

Bay State “Brings It”: Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

Posted in Data Breaches

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

Posted in Data Privacy Laws

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas.

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

Posted in Data Privacy Laws

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach.  The regulations are national and international in scope, as they apply to all companies – wherever located– using personal data… Continue Reading

The FTC Brings 27th Case for “Faulty Data Security Practices”

Posted in FTC Enforcement

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”
The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

Posted in FTC Enforcement

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

French Data Protection Agency Issues Recommendations Regarding Employees’ Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

Posted in Data Privacy Laws

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs. The French government has strongly recommended… Continue Reading

Massachusetts’ Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Posted in Data Privacy Laws

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.) The revised regulations emphasize… Continue Reading

Third Time’s a Charm for “Data Accountability and Trust”? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

Posted in Security Breach Notification Laws

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

Posted in FTC Enforcement

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and… Continue Reading

Governor Schwarzenegger Says No to California A.B. 779

Posted in Security Breach Notification Laws

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

Breach Law Data

Posted in Identity Theft, Security Breach Notification Laws

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Posted in Security Breach Notification Laws

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of… Continue Reading