Sep 20 2018

Aaron Lancaster of BakerHostetler has a great privacy rewind for the week that includes action in Congress. He writes:

House Committee Passes Federal Data Breach Notification Bill for Financial Institutions

  • The House Financial Services Committee passed H.R. 6743, the Consumer Information Notification Requirement Act, which would require financial institutions to notify affected customers of a data breach that affects their personal information.
  • The law would establish uniform notification standards across all regulatory agencies empowered by the Gramm-Leach-Bliley Act (GLBA) and pre-empt state and local data breach notification laws with respect to entities subject to GLBA.
  • A number of banking organizations supported the bill’s passage from committee, “so that Congress can take a step forward in enacting comprehensive data breach legislation … for all entities that acquire and use sensitive personal and financial information.”

Sep 17 2018

Danielle Brown reports:

The Food and Drug Administration (FDA) is working to strengthen the cybersecurity of medical devices in the wake of computer-hacking threats, according to a report by the Star Tribune.

According to the report, FDA staff members are examining companies’ “preparations for potential computer-hacking threats to devices that millions of Americans depend on.” The plans were recently detailed in an audit report by the U.S. Department of Health and Human Services’ Office of the Inspector General.


Under these suggested guidelines, the FDA will begin asking questions about a device’s cybersecurity during the device-approval process.

Read more on Clinical Innovation + Technology.

Sep 15 2018


Starting next week, consumers will be able to “freeze” their credit reports at no cost. A credit freeze restricts public access to a consumer’s credit report, making it much more difficult for identity thieves to open fraudulent accounts. Previously, state laws allowed credit bureaus to charge consumers $2 to $10 to place or lift credit freezes. Amendments to the Fair Credit Reporting Act also extend the time period for a fraud alert in a consumer’s file and create new safeguards for the protection of credit records of minors. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.

Sep 11 2018

Akin Gump Strauss Hauer & Feld LLP write:

The California Consumer Privacy Act (CCPA), the nation’s broadest privacy protection statute, was enacted by the California Legislature in June 2018 as part of a last-minute deal to stop a proposed statewide ballot measure that could have ushered in an even stricter privacy law. We have written about the CCPA’s passage in earlier alerts.

Sponsored by San Francisco real estate magnate Alastair Mactaggart and privacy advocacy groups, the ballot measure was strongly opposed by business groups and tech interests. Racing to beat a statutory deadline for the Mactaggart measure to be placed on the ballot, the Legislature hastily passed the CCPA in June while promising to introduce cleanup legislation after the summer recess.

Efforts to substantively revise the CCPA began nearly immediately after its passage, with the AGO (the chief enforcement agency for the CCPA), business groups, and privacy activists pressing for focused changes. Those efforts coalesced around Senate Bill 1121 (SB 1121) in August.

Read more on JD Supra.

Sep 04 2018

Craig A. Newman of Patterson Belknap writes:

By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 – includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.

Today’s deadline requires companies to meet five new milestones, mostly technical in nature. Earlier requirements from the New York State Department of Financial Services or DFS cybersecurity regulation focused on developing and implementing written cybersecurity policies and procedures.

Yet, the most difficult requirement for most companies is still six months away. By March 1, 2019, businesses are required to get their third-party vendors in line by adopting policies and procedures that govern the way these outsiders access the company’s network and its most sensitive information.

Read more on Data Security Law Blog.