U.S. Federal Bank Regulators Require Notifications For Material Cybersecurity Incidents
On November 18, 2021, a group of federal bank regulators announced a final rule requiring banks to notify their primary federal regulator of any “significant computer-security incidents.” Regulators must be notified no later than 36 hours after the bank has determined that the incident triggers the rule’s notification requirement. Further, bank service providers are now required to promptly notify all affected banks whenever a cybersecurity disruption lasts for four or more hours. (more…)
Data Breaches are More Expensive than Last Year, New IBM Security Report Finds
Death, taxes and data breaches. Cybersecurity incidents have grown in frequency, scale and seriousness. As articulated in President Biden’s May 2021 Executive Order, Improving the Nation’s Cybersecurity, “[t]he United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” These threats lead to direct costs on victims, and these costs have also grown exponentially in recent years, as readers of the famed annual Ponemon data breach report well know. This year’s report is out, and confirms the continuation of a troubling trend. (more…)
Connecticut Strengthens Data Breach Notification Requirements and the Uniform Law Commission Approves and Recommends Comprehensive and Uniform State Privacy Legislation
In recent weeks, Connecticut passed An Act Concerning Data Privacy Breaches (“The Act”), and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”). With the growing patchwork of state data privacy laws continuing to pose challenges for compliance—and the potential for federal data privacy legislation at the forefront of policy debates—the UPDPA may provide state legislators with a path toward a standardized statutory scheme.
West Coast, East Coast, and Now Mountains, Too: Colorado Joins the Comprehensive State Privacy Law Club
With the U.S. Congress continuing to stymie federal omnibus privacy legislation, states have decidedly taken up the call. Most recently, on July 8, 2021, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA). With the signing of the CPA, which will largely go into effect on July 1, 2023, Colorado became the third state to enact comprehensive privacy legislation following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Other states have taken a more limited approach, most notably Nevada, which increased the scope of the right to opt out of personal data sales under its targeted privacy law.
U.S. Supreme Court Tightens Standing Requirements in TransUnion Decision
On June 25, 2021, the Supreme Court of the United States handed down its decision in TransUnion LLC v. Ramirez, which tightened the Court’s requirements for showing standing and will significantly affect class action litigation, particularly in cases involving causes of action created by federal statute or involving allegations of a potential risk of injury.
Supreme Court Considers Injury and Typicality Questions in Case With Implications for Data Breach and Privacy Class Action Litigation
On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC. v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to two individuals whose name were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include FCRA-required information about how to dispute and correct the incorrect information.
Trump Executive Order Blocks Transactions With Certain Chinese Software Applications
On January 5, 2021, President Donald Trump signed Executive Order (EO) 13971, banning certain transactions and activities with persons who “develop or control” eight Chinese “connected software applications,”1 specifically Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office. The prohibitions will come into effect 45 days after the issuance of the order, that is, February 19.
Comments Sought on Proposed Rulemaking: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
Important Changes to the Singapore Data Privacy Regime
On November 2, 2020, Singapore’s legislature finally approved amendments to the Personal Data Protection Act (PDPA). The changes become law once a government gazette is passed (possibly before the end of 2020). If you operate in Singapore, handle Singapore data, or maintain a server in Singapore, it is crucial that you have protocols in place to guide employees on what to do when a data breach occurs and consider doing a data breach tabletop exercise. (We have organized a number of these drills for clients in preparation for breach notification requirements in Australia and now Singapore.) (more…)
California Privacy Law Overhaul – Proposition 24 Passes
The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.