Jun 192019

Jason Grant reports:

State lawmakers have passed legislation that would “modernize” and update consumer data protections and expand New York Attorney General Letitia James’ oversight of data breaches affecting New Yorkers, according to a news release issued by James “applauding” the act’s passage.

Called the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, the bill now moves to Gov. Andrew Cuomo’s desk for his decision on whether to sign it into law.

Read more on  New York Law Journal.

Jun 142019

Hunton Andrews Kurth writes:

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

Under the existing data breach notification law, a business that owns or licenses personal information and becomes aware of a data security breach must conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The Bill expands this investigatory requirement to apply expressly to all businesses that own, license or maintain the personal information of Maryland residents.

Read more on Privacy & Information Security Law Blog.

Jun 122019

Daniel J. Moses of JacksonLewis writes:

As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter—Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.

Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Read more on The National Law Review.

Jun 122019

Will R. Daugherty and Caroline B. Brackeen of BakerHostetler write:

Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.

Read more on Data Privacy Monitor.

May 242019

Steven Erkel and Kaeley Brown of Alston & Bird write:


In April, Arkansas’ Governor signed H.B. 1943 as Act 1030 expanding the scope of personal information, as used in the Personal Information Protection Act, to include “biometric data.” The Bill defines “biometric data” as “data generated by automatic measurements of an individual’s biological characteristics, including without limitation: (a) Fingerprints, (b) Faceprint, (c) A retinal or iris scan, (d) Hand geometry, (e) Voiceprint analysis, (f) Deoxyribonucleic acid (DNA), or (g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.”

Read more on Privacy Blog.