Jan 12 2019

David M. Brown of Baker Hostetler writes:

On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019.

One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when the data security incident involves a Massachusetts resident’s Social Security number. With this new obligation, Massachusetts joins Connecticut and Delaware as states that require an offer of complimentary credit monitoring when the incident involves a resident’s Social Security number. There was no update to the timing of any required individual notice obligations, which remains “as soon as practicable and without unreasonable delay”; but the new amendments require a rolling notification to individuals under certain circumstances: “A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.” Additionally, the notice to individuals must now identify the name of the parent or affiliated corporation if the organization that experienced a breach of security is owned by another person or corporation.

Read more on Data Privacy Monitor.

Jan 06 2019

Phil Fairbanks reports:

When the FBI uncovered a scammer targeting Wegmans two years ago, agents hacked into the suspect’s computer in an effort to learn his identity.

The hacking, approved by a judge, involved an email and attachment that, when opened, connected the suspect’s computer to an FBI server.

A new lawsuit in Buffalo federal court says the Wegmans case is just one example of how the government is now using hacking in ordinary, day-to-day investigations, and not just in national security and foreign intelligence probes.

Read more on The Buffalo News. They don’t seem to give the case information, but I’m embedding the complaint, filed in federal court for the Western District of New York, below so you can read it all for yourself.


Jan 02 2019

Dipanjan Roy Chaudhury reports:

The United Nations has adopted two resolutions, proposed by Russia and backed by India, on International Information Security (IIS) system, marking progress towards creating the world’s first code of conduct in the digital sphere.

This month the UN General Assembly adopted the two resolutions – ‘Developments in the field of information and telecommunications in the context of international security’ and ‘Countering the use of information and communications technologies for criminal purposes’ – and thereby opened a new chapter in the global discussion on international information security.

The resolutions were supported by several countries and coauthored by more than 30 countries, but did not get the support of the United States and the European Union members.

Read more on The Economic Times.

Jan 01 2019

Josephine Cicchetti of Carlton Fields writes:

Ohio has joined South Carolina in becoming the next state to adopt a variation of the NAIC Insurance Data Security Model Law (“MDL-668”). This legislation makes a number of changes to Ohio’s insurance law, including the addition of a new Chapter 3965, which establishes “standards for data security and for the investigation of and notification to the Superintendent of Insurance of a cybersecurity event” (containing new Sections 3965.01 through 3965.11). Licensees will have one year to come into compliance with the new requirements, with the exception of the third party service provider provisions (Section 3965.02(F)), which have been granted a two-year implementation date.

Read more on The National Law Review.

Jan 01 2019

Caleb Skeath and Brooke Kahn of Covington & Burling provide a useful recap of changes in 2018 that will impact us in 2019:

…. Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.

Data Breach Notification Laws in All 50 States.  With the enactment of new data breach notification laws in South Dakota and Alabama, all fifty states and the District of Columbia have implemented data breach notification laws.  The new laws in South Dakota and Alabama, which went into effect in mid-2018, included many features commonly seen in recent amendments to other states’ existing data breach notification laws, such as expanded PII definitions, explicit notification deadlines, and state regulator notification requirements.

Explicit Notification Deadlines.  During 2018, several states also joined a growing trend by revising their data breach notification laws to include explicit deadlines for notifying affected individuals.  Notably, Colorado enacted a 30-day deadline from the discovery of the breach for notifying affected individuals, which matches Florida’s 30-day deadline for the shortest notification deadline in the U.S.  Alabama, Arizona, and Oregon all passed legislation in 2018 requiring notification of affected individuals within 45 days of discovery of a breach, while Louisiana and South Dakota passed legislation requiring notification of affected individuals within 60 days of discovery.

Read more of their summary of changes in state legislation this year on InsidePrivacy.