Sep 202018

Aaron Lancaster of BakerHostetler has a great privacy rewind for the week that includes action in Congress. He writes:

House Committee Passes Federal Data Breach Notification Bill for Financial Institutions

  • The House Financial Services Committee passed R. 6743, the Consumer Information Notification Requirement Act, which would require financial institutions to notify affected customers of a data breach that affects their personal information.
  • The law would establish uniform notification standards across all regulatory agencies empowered by the Gramm-Leach-Bliley Act (GLBA) and pre-empt state and local data breach notification laws with respect to entities subject to GLBA.
  • A number of banking organizations supported the bill’s passage from committee, “so that Congress can take a step forward in enacting comprehensive data breach legislation … for all entities that acquire and use sensitive personal and financial information.”
Sep 112018

Akin Gump Strauss Hauer & Feld LLP write:

The California Consumer Privacy Act (CCPA), the nation’s broadest privacy protection statute, was enacted by the California Legislature in June 2018 as part of a last-minute deal to stop a proposed statewide ballot measure that could have ushered in an even stricter privacy law. We have written about the CCPA’s passage in earlier alerts.

Sponsored by San Francisco real estate magnate Alastair Mctaggart and privacy advocacy groups, the ballot measure was strongly opposed by business groups and tech interests. Racing to beat a statutory deadline for the Mctaggart measure to be placed on the ballot, the Legislature hastily passed the CCPA in June while promising to introduce cleanup legislation after the summer recess.

Efforts to substantively revise the CCPA began nearly immediately after its passage, with the AGO (the chief enforcement agency for the CCPA), business groups, and privacy activists pressing for focused changes. Those efforts coalesced around Senate Bill 1121 (SB 1121) in August.

Read more on JD Supra.

Jul 252018

Katie Lannan reports:

A compromise bill filed Tuesday by a House-Senate conference committee would afford Massachusetts residents a year and a half of free credit monitoring services if their personal data and Social Security number are compromised by a data security breach.

The panel, chaired by Rep. Tackey Chan and Sen. Barbara L’Italien, filed its report with the House clerk’s office around 5:30 p.m. after all six of its members had signed off. The bill could surface for a vote on Wednesday.

Read more on WBUR.

Bill information:   H4806

Headline corrected post-publication. I had used WBUR’s headline, which unfortunately said “Protest” instead of “Protect.” Thanks to the Twitter user who alerted me to it. 

Jun 252018

Shoshanna Solomon reports:

Even as Israel’s privacy and democracy watchdogs welcome a cybersecurity law that would help the nation fend off damaging attacks to its businesses and critical infrastructure, they are warning that a newly proposed law, now up for comments, is not beneficial to democracy.

The proposal gives “too wide an authority without enough checks and balances,” said Dan Hay, the head of the privacy committee of Israel’s Bar Association, who is planning to submit objections to the proposed law. “There is a danger that if you give a body power, they will misuse it. This is not healthy for a democratic country. The proposal is extreme, and I don’t know of any law in Israel that is so extreme.”

Read more on Times of Israel.

There doesn’t seem to be an English version of the proposed law linked from any coverage, but I’ll keep my eyes open for it. If any reader knows where there’s a copy of the proposal in English, please let me know. 

Jun 182018

Joseph J. Lazzarotti, Jason C. Gavejian, and Maya Atrakchi of Jackson Lewis write that changes to Louisiana’s data breach notification law (Act 382) go into effect on August 1 of this year. Those changes include expansion of the definition of personal information, requirements that notification be made no later than 60 days from discovery of a breach, and requirements for reasonable security and data disposal.

Read more about these changes on The National Law Review.