Feb 22, 2019

Zack Whittaker reports:

California, which has some of the strongest data breach notification laws in the U.S., thinks it can do even better.

The golden state’s attorney general Xavier Becerra announced a new bill Thursday that aims to close loopholes in its existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data, such as fingerprints, and iris and facial recognition scans, have been stolen.

Read more on TechCrunch.

Feb 21, 2019

Anjali C. Das, Brian Dollar, Stefanie L. Ferrari, and David H. Potter of Wilson Elser Moskowitz Edelman & Dicker LLP write:

…. Following the rise of the use of biometric information, the Illinois Legislature passed the Biometric Information Privacy Act (BIPA) in 2008 to provide standards of conduct to help regulate how biometric information is collected, stored and used. Examples of a biometric identifier include a retina or iris scan, fingerprint scan, voiceprint, or hand/face-geometry scan. What makes BIPA all the more powerful is that it allows for a private right of action, permitting an individual who has been “aggrieved” to pursue damages or injunctive relief.

The Illinois Supreme Court gave BIPA even more “punch” in its decision in Stacy Rosenbach, et al. v. Six Flags Entertainment Corporation, released on January 25, 2019, holding that an individual does not need to prove harm to recover; rather, a technical violation of the Act alone is sufficient to constitute standing.

Read more on The National Law Review.

Feb 16, 2019

Jared Beinart reports:

Using ransomware to hold computers hostage would draw stiffer penalties under legislation — prompted in part by attacks on Maryland hospitals over the past few years — state lawmakers are considering.

Maryland Senate bill 151, cross-filed with House bill 211, would define ransomware attacks that result in a loss greater than $1,000 as a felony, subject to a fine of up to $100,000 and a maximum sentence of 10 years in prison.

Read more on DelmarvaNow.

Related: SB 151

Feb 9, 2019

Bret Cohen, Paul Otto, Nathan Salminen, and Morgan Perna (law clerk) of Hogan Lovells write:

….This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Available statutory penalties

The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations of this provision are subject to statutory penalties of $100 to $750 per incident (which did not previously exist for breaches involving California residents’ personal information), additional actual damages, and injunctive relief. Judges may consider a defendant’s “assets, liabilities, and net worth” in determining the precise award.

Read more on Chronicle of Data Protection.

Feb 7, 2019

Andreas Kaltsounis and Shea M. Leitch of BakerHostetler write:

Three states recently enacted variations of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of New York. The legislative trend based on the NAIC model law prescribes detailed cybersecurity requirements for insurance-related entities. South Carolina led the pack, enacting the Insurance Data Security Act in May 2018. Ohio and Michigan followed suit in December, and other states appear poised to consider similar legislation.

Read more on Data Privacy Monitor.