Dec 13, 2018

Laura Hautala reports:

The US doesn’t have a single data privacy law that applies to all fifty states. On Wednesday, a group of 15 US senators indicated it wanted to change the status quo, introducing the Data Care Act.


The bill (PDF) would require companies that collect personal data from users to take reasonable steps to safeguard the information. The act also has provisions to prevent them from using the data in ways that could harm consumers. 


If the bill becomes law, the US Federal Trade Commission would be in charge of implementing it.


“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Sen. Brian Schatz, a Democrat from Hawaii who is sponsoring the bill, said in a press release.

Read more on CNET.

Nov 20, 2018

Ben Kochman reports:

The Federal Trade Commission has called on Congress to “clarify” its authority to regulate data breaches, while responding to the White House’s request for advice on how the administration should handle consumer privacy.

In comments posted last week to the U.S. Department of Commerce’s National Telecommunications and Information Administration, the FTC said it “continues its longstanding call” for federal legislation that “clarifies the FTC’s authority and the rules relating to data security and breach notification.”

The agency added that it “strongly supports” efforts to enact a national privacy law that would regulate how companies manage consumer data and communicate with users, so long as it does not hamper innovation.

So if privacy and innovation clash, innovation wins? Does the FTC represent the public/consumer or businesses?

Read more on Law360.com.

Nov 02, 2018

Hunton writes:

Effective October 1, 2018, Connecticut law requires organizations that experience a security breach affecting Connecticut residents’ Social Security numbers (“SSNs”) to provide 24 months of credit monitoring to affected individuals. Previously, Connecticut law required entities to provide 12 months of credit monitoring for breaches affecting SSNs.

The amendment was passed as part of Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies.

Read more on Privacy & Information Security Law Blog.

Oct 30, 2018

Valerie K. Jackson of Jackson Lewis writes:

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

Read more on National Law Review.

Sep 20, 2018

Aaron Lancaster of BakerHostetler has a great privacy rewind for the week that includes action in Congress. He writes:

House Committee Passes Federal Data Breach Notification Bill for Financial Institutions

  • The House Financial Services Committee passed R. 6743, the Consumer Information Notification Requirement Act, which would require financial institutions to notify affected customers of a data breach that affects their personal information.
  • The law would establish uniform notification standards across all regulatory agencies empowered by the Gramm-Leach-Bliley Act (GLBA) and pre-empt state and local data breach notification laws with respect to entities subject to GLBA.
  • A number of banking organizations supported the bill’s passage from committee, “so that Congress can take a step forward in enacting comprehensive data breach legislation … for all entities that acquire and use sensitive personal and financial information.”