Dec 07, 2017

William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:

Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.

Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.

Compliance Standards To Be Met

Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).

Read more on Tucker Ellis.

via Lexology

Nov 02, 2017

Not surprisingly, states are responding to the Equifax breach, but they are taking different approaches. Here is how two states are responding: reports that in New York:

Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.

The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.

And Vermont Public Radio reports:

Chittenden County Sen. Michael Sirotkin says he heard from more constituents about the Equifax breach than almost any other issue he’s dealt with as a lawmaker. Sirotkin says he’s now putting the finishing touches on legislation that would give Vermonters new legal options for similar breaches in the future.

“So what that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said Thursday at a press conference announcing the legislation.

Delaware House Moves Bill to Expand Data Breach Notice Law

Jul 01, 2017

Leslie A. Pappas reports:

The Delaware House has moved legislation that would strengthen the state’s data breach notification law.

The bill would require any person doing business in Delaware to safeguard personal information. It would expand the definition of personal information to include medical information, biometric data, user names and passwords, passport numbers, routing numbers to accounts, and individual taxpayer identification numbers.

The bill would also add a new requirement that companies notify the state attorney general of breaches affecting more than 500 residents.

Read more on Bloomberg BNA.

States Take Action! New Mexico, Tennessee and Virginia Pass New Data Breach Legislation

Apr 18, 2017

Michael B. Katz and Cynthia J. Larose of Mintz Levin write:

After a quiet winter there has been significant activity in state legislatures to enact, strengthen or clarify their data breach notification statutes. The latest happenings are summarized below and we have updated our “Mintz Matrix” to reflect these new and pending laws.

Read more on Privacy & Security Matters Blog. The authors also link to the full text of the new statutes.

Virginia Adds Notification Requirements for Payroll Incidents to Breach Law

Mar 29, 2017

Liisa M. Thomas, Robert H. Newman, and Eric J. Shinabarger of Winston & Strawn LLP write:

With little fanfare, Virginia recently amended its data breach notification law, requiring employers and payroll service providers to notify the Virginia Attorney General if they are subject to a W2 phishing scam. More specifically, the law requires that they notify the Virginia AG if they discover “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withhold for an individual” if there is compromise to the data and it will cause identity theft or fraud. This requirement is the first of its kind, and will be effective July 1, 2017.

Read more on Lexology.