By

Colleen Theresa Brown

15 October 2019

China Implements Regulation Increasing Protections for Children’s Personal Data

On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定) (“the Regulation”), which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.

This constitutes the latest step in China’s drive to make its data protection regime more sophisticated and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.

As there is no official English translation of the Regulation, this article summarises its key points.

17 September 2019

Final California Consumer Privacy Act Amendments Bring Practical Changes (But Your Business May Now Be a California “Data Broker”)

After months of wrangling, the California legislature has finally passed a set of significant amendments to the California Consumer Privacy Act (CCPA), a sweeping data privacy and security law commonly referred to as “California’s GDPR” (Europe’s General Data Protection Regulation). Employee personal information and personal information obtained in business-to-business (B2B) interactions are now mostly out of scope. Personal information in credit reports and other data covered by the Fair Credit Reporting Act is also largely exempt. Only personal information that is “reasonably” capable of being associated with a consumer or household is subject to the act. And aggregate or deidentified information definitively does not qualify as CCPA personal information.

05 August 2019

New York Enacts Stricter Data Cybersecurity Laws

The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information.  On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies.  Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents.  Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.

20 June 2019

Maine’s Act to Protect the Privacy of Online Consumer Information

Since the passage of the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) (“CCPA”), several states have been following in California’s footsteps and adopting privacy bills that would allow consumers to object to the sale of their personal information.

11 June 2019

The CCPA Ripple Effect: Nevada Passes Privacy Legislation

With about half a year to go until the California Consumer Privacy Act (CCPA)’s effective date, and with significant amendments still percolating to define the scope and impact of the CCPA come 2020, other states continue to consider whether to adopt new and broader privacy laws of their own, with Nevada recently taking the distinction of being the first to follow the CCPA trend. While the scope and obligations of the Nevada law are significantly narrower than the CCPA and thus largely will align with current CCPA implementation projects, the new Nevada law does expand upon the CCPA in one particularly notable way—it moves the deadline to facilitate opt-outs of sales of personal information up to October 2019.

03 June 2019

Recent Risk Alerts by SEC OCIE Highlight Privacy and Cybersecurity Issues in Examinations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) released two Risk Alerts, on April 16, 2019 and May 23, 2019, highlighting the importance of privacy and cybersecurity compliance for SEC-registered investment advisors and broker-dealers under Regulation S-P. As previously covered on Data Matters, OCIE has consistently identified cybersecurity as one of its main areas of focus for examinations.

Indeed, cybersecurity was once again identified by OCIE in its 2019 National Exam Program Examination Priorities (2019 Exam Priorities), which placed a particular emphasis on proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security.  With the issuance of the April 16 and May 23 Risk Alerts, OCIE has provided additional detail regarding specific issues that SEC-registered entities should focus on to mitigate privacy and cybersecurity risk, as well as to prepare for examinations.

02 May 2019

Washington State Comprehensive Privacy Bill Loses Steam, Data Breach Law Amendment Heads to Governor’s Desk

As the legislative session drew to a close, what once seemed like an inevitability suddenly looked unlikely. The Washington Privacy Act, SB 5376/HB1854, failed to make its way through the legislative process. The Bill’s sponsor, Sen. Reuven Carlyle, called the game on April 17, tweeting that despite the “unprecedented 46-1 vote” in the Senate, “[u]nfortunately, House failed to pass privacy legislation this year.  We’re committed to 2020.” Nevertheless, the State of Washington did pass notable privacy legislation, albeit on a narrower topic.

14 March 2019

FTC Announces Record-Setting $5.7M COPPA Penalty

On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).

26 February 2019

NERC $10,000,000 Fine of Public Utility Highlights the Need for Cybersecurity Preparedness and CIP Compliance Programs

On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”).  Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.

06 February 2019

First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement

On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana.  See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018).  The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.  While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.
