Jun 252018

Shoshanna Solomon reports:

Even as Israel’s privacy and democracy watchdogs welcome a cybersecurity law that would help the nation fend off damaging attacks to its businesses and critical infrastructure, they are warning that a newly proposed law, now up for comments, is not beneficial to democracy.

The proposal gives “too wide an authority without enough checks and balances,” said Dan Hay, the head of the privacy committee of Israel’s Bar Association, who is planning to submit objections to the proposed law. “There is a danger that if you give a body power, they will misuse it. This is not healthy for a democratic country. The proposal is extreme, and I don’t know of any law in Israel that is so extreme.”

Read more on Times of Israel.

There doesn’t seem to be an English version of the proposed law linked from any coverage, but I’ll keep my eyes open for it. If any reader knows where there’s a copy of the proposal in English, please let me know. 

Jun 182018

Joseph J. Lazzarotti, Jason C. Gavejian, and Maya Atrakchi of Jackson Lewis write that changes to Louisiana’s data breach notification law (Act 382) go into effect on August 1 of this year. Those changes include expansion of the definition of personal information, requirements that notification be made no later than 60 days from discovery of a breach, and requirements for reasonable security and data disposal.

Read more about these changes on The National Law Review.

May 152018

John Litchfield of Foley & Lardner reminds employers that there are new laws coming into effect that impact employers’ collection and protection of employee data. The following laws, he notes, come online this year:

Additionally, for employers doing business in Canada, new laws impose a $100,000 per person per day penalty on any covered entity, including banks, telecommunications and broadcasting companies, and trucking companies, for failure to meet the federal notice of breach requirements.

Read more about these new requirements on National Law Review.

Apr 282018

MintzLevin has updated its state data breach law matrix, as I noted previously on the page where I link to such resources.

Here’s an excerpt from their matrix:

Breach Notification Timeline

Time After Discovery of Breach     Action Required
10 Calendar Days
  • Puerto Rico Department of Consumer Affairs
14 Business Days
  • Vermont AG preliminary notification
15 Business Days
  • California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)
30 Calendar Days
  • Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents).
  • Indiana AG will open an investigation if not notified within 30 days
45 Calendar Days
  • Ohio residents
  • Tennessee residents (60 Days for PHI/HIPAA incidents)
  • Vermont residents, AG
  • Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
  • Wisconsin residents (60 Days for PHI/HIPAA incidents
  • New Mexico residents, AG (500+ residents)
  • Maryland residents (60 Days for PHI/HIPAA incidents)
60 Calendar Days
  • Individuals and HHS OCR for PHI disclosure.
  • Delaware (effective 4/14/18), AG (500+ residents)
90 Calendar Days
  • Connecticut residents (60 days for PHI/HIPAA incidents)
Most expedient time and without unreasonable delay
  • AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY
As soon as possible
  • NE, NH, TX
Days After Confirmation of Breach   Action Required
45 Calendar Days
  • Rhode Island residents, AG (500+ residents) (60  Days for PHI/HIPAA incidents).
Apr 222018

The Canadian Press reports:

Ottawa. Credit: Dreamstime.

Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a “real risk of significant harm,” but give businesses flexibility about how that’s done.

Ottawa has rolled out the long-awaited requirements in a notice in the Canada Gazette that indicates the government wanted to protect consumers without overburdening private-sector organizations with excessive costs or complexity.

Read more on OHS Canada.