May 19 2018

Edward J. McAndrew of Ballard Spahr LLP writes:

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.


The South Carolina Act will require all insurers, agents and other licensed entities doing business in the state to establish a comprehensive, written information security program by July 1, 2019. The program must be “[c]ommensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including the use of third-party service providers, and the sensitivity of the nonpublic information” that the licensee uses, possesses, or controls.

Read more on National Law Review.

May 08 2018


Ryan Johnston reports:

Following weeks of outcry from cybersecurity companies and independent researchers, Republican Georgia Gov. Nathan Deal vetoed the state’s proposed “hack back” bill on Tuesday.

The bill, SB 315, sought to create the misdemeanor crime of “unauthorized” computer or computer network access, criminalizing the act of “intentionally” logging into a computer or website hosted in Georgia without the user first asking permission or being granted authority.

Read more on StateScoop.

May 01 2018

So if you want to prove a hacking bill is a bad idea, engaging in black hat/grey hat activities may not be the best way to persuade people.

Tom Corwin reports:

A hacking group upset with Georgia legislation that could criminalize what they do targeted Georgia Southern University and two Augusta restaurants in an ongoing campaign to draw attention to what it thinks will be the unintended consequences of that bill.

The group calls itself SB315 after Senate Bill 315, which would make unauthorized computer access illegal in Georgia, according to a hacker who identified himself as Dave who uses the email address augustadave. He said the group is scattered around the state between Augusta and Atlanta, with one member in Savannah and one in Aiken.

The hackers are threatening to retaliate if Gov. Nathan Deal signs the legislation, which they think will make illegal the kind of vulnerability and penetration testing some cybersecurity professionals do to find and report weaknesses in websites and computer systems. Some academics in Georgia worry that it will also create problems for them in terms of their research programs and that terms in the legislation are overly vague.

The hackers appear to have modified the websites for Augusta restaurants Blue Sky Kitchen and Soy Noodle House, posting the same message it left last week on the website of an Augusta church, Calvary Baptist.

Read more on Augusta Chronicle.

Apr 06 2018

David Stauss of Ballard Spahr writes:

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor. A copy of the new law is available here. The most notable changes are as follows:

Amendments to Oregon’s Breach Notification Law, O.R.S. 646A.604

  • The law expands the scope of those who must provide notice of a security breach to include a person who “otherwise possesses” personal information. Existing law applies only to persons who own or license personal information.
  • The law requires that notice of the breach be provided “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.” The law continues to define “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” With this amendment, Oregon joins a growing number of states that have moved away from ambiguous timing language and instead require notice to be provided in a specific number of days.
  • Notably, HIPAA covered entities are exempt from the 45-day notice requirement.

Read more on JDSupra.

Apr 06 2018

Hunton & Williams write:

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

  • Definitions of Personal Information and Protected Information. The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security Number; (2) driver’s license number or other unique identification number created or collected by a government body; (3) account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; (4) health information; and (5) an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. The law further defines “protected information” as (1) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (2) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. Notably, the definition of “protected information” does not include a person’s name.
  • Breach Notification Requirement. The law requires notification to affected individuals (and, in certain circumstances, the Attorney General, as explained below) in the event of unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality or integrity of personal information or protected information.

Read more on Privacy & Information Security Law Blog.