Jun 19 2019

Jason Grant reports:

State lawmakers have passed legislation that would “modernize” and update consumer data protections and expand New York Attorney General Letitia James’ oversight of data breaches affecting New Yorkers, according to a news release issued by James “applauding” the act’s passage.

Called the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, the bill now moves to Gov. Andrew Cuomo’s desk for his decision on whether to sign it into law.

Read more on New York Law Journal.

Jun 14 2019

Hunton Andrews Kurth writes:

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

Under the existing data breach notification law, a business that owns or licenses personal information and becomes aware of a data security breach must conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The Bill expands this investigatory requirement to apply expressly to all businesses that own, license or maintain the personal information of Maryland residents.

Read more on Privacy & Information Security Law Blog.

Jun 12 2019

Daniel J. Moses of JacksonLewis writes:

As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter—Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.

Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Read more on The National Law Review.

Jun 04 2019

Aimee Jachym and Samantha A. Kopacz of Miller Canfield PLC write:

New guidance issued by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) reaffirms that business associates must have proper HIPAA compliance practices, safeguards and documentation in place in order to avoid costly penalties.

OCR recently released a Fact Sheet summarizing the instances in which a business associate is directly liable for HIPAA violations. While nothing in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) has changed at this time, the Fact Sheet, released on May 24, 2019, aims to make it easier for regulated entities to understand and comply with their obligations under the law.

Read more on Miller Canfield.

h/t, Lexology

May 03 2019

Jeremy Hainsworth reports:

A Vancouver-based HIV/AIDS organization is facing a class-action suit for breach of privacy after an alleged release of email addresses of 800 of its members via a September 2016 mass email.

And, said a BC Supreme Court ruling released May 1, a staff member of Positive Living BC had warned the organization poor data-control practices were going to eventually create problems.

Read more on Vancouver Courier.