Dec 07, 2017

William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:

Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.

Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.

Compliance Standards To Be Met

Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).

Read more on Tucker Ellis.

via Lexology

Nov 16, 2017

Jason C. Gavejian writes:

The United States Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his past assistant’s password to access his former employer’s computer system after his access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)

Read more on Workplace Privacy, Data Management & Security Report.

Nov 02, 2017

Not surprisingly, states are responding to the Equifax breach, but they are taking different approaches. Here is how two states are responding: reports that in New York:

Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.

The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.

And Vermont Public Radio reports:

Chittenden County Sen. Michael Sirotkin says he heard from more constituents about the Equifax breach than almost any other issue he’s dealt with as a lawmaker. Sirotkin says he’s now putting the finishing touches on legislation that would give Vermonters new legal options for similar breaches in the future.

“So what that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said Thursday at a press conference announcing the legislation.

Kentucky lawmaker files bill to help victims of data breaches

Oct 13, 2017

Mark Vanderhoff reports:

A state lawmaker said the Equifax data breach affected 40 percent of Kentuckians.

Sen. Morgan McGarvey announced proposed legislation to help those victims at the Louisville headquarters of the AARP.


The bill requires companies to provide victims with:

  • A free credit freeze.
  • Five years of credit monitoring.
  • Three free credit reports from each of the three major credit monitoring agencies.

Read more on WLKY, but frankly, I don’t think the bill offers nearly enough help to victims of breaches. If this bill is to help people who have already had their data stolen in a breach, where is the mitigation/help if those data are misused by the criminals? Who helps them reverse charges or clear their accounts? And where is the requirement that CRAs respond within X days to a complaint that there is an error in the report, etc.?

Public shaming likely but GOP wary of new laws after Equifax breach

Sep 24, 2017

AP reports what I’ve basically been telling everyone already.

Prospects are good for a public shaming in the Equifax data breach, but it’s unlikely Congress will institute sweeping new regulations after hackers accessed the personal information of an estimated 143 million Americans.

Since early this year, President Donald Trump and the Republican-led Congress have strived to curb government’s influence on businesses, arguing that regulations stifle economic growth. Lawmakers have repealed more than a dozen Obama-era rules and the House voted in June to roll back much of Dodd-Frank, the landmark banking law created after the 2008 economic crisis that was designed to prevent future meltdowns.

Read more on KPC News.