Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include.   An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions.  “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

 

 

 

 

 

 

Only one U.S. state without a data breach notification law, that is.

South Dakota as become the 49th state to enact a data breach notification law, which take effect on July 1.    The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.

The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:

  1. Social Security Number;
  2. Driver’s license number or other unique identification number created or collected by a government body;
  3. Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
  4. Health information;
  5. Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.   The definition of “protected information” does not include a person’s name.

Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised.   Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.

Notification is required within 60 days of the discovery of the breach.  A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action.   The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.

Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.

A update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws.  Watch this space.

 

 

Beware of March Madness!  Scammers and phishers take advantage of increased web traffic by impersonating popular March Madness websites, including bracket sites and game live streams.  Will your employees take the bait?

Last year, it was reported that traffic activity from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament.    Monitoring sites also observed an increase in malicious activity related to this category and discovered a clear upward spike in malicious activity, such as phishing pages, adware downloads, improper handling of user data, and attempts at domain squatting.   All of this is likely going on again this year, and it will be on your corporate networks.

  • Have you implemented solutions to limit the impact of nefarious phishing campaigns?
  • Have you trained employees to recognize phishing emails?
  • Do you remind employees about the dangers of falling victim to click bait in emails?
  • Do you remind employees about simple password hygiene and to not reuse corporate passwords outside the network?

The best advice we can offer is only use NCAA-sanctioned bracket applications through your web browser. There are many third-party sites out there that attempt to probe the user to create login credentials. In 2017, it was observed that one such application collected a username and password and then transmits it in the clear. This plain text credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, the attackers might gain access to users email accounts, bank accounts, tax preparation accounts etc., or even worse, your corporate network.

Good luck!

A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved.  Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias.  In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.

Continue Reading Supreme Court Declines to Address Circuit Split on Data Breach Standing Issue

The Supreme Court on Tuesday will hear arguments in United States v. Microsoft Corp., in which the court will decide whether a US technology service provider, Microsoft, must obey a search warrant for data stored in a foreign country. “It’s going to set the tone for cross-border data demands on a global scale,” said Gregory Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology.    All briefs and other documents are catalogued here at SCOTUSBlog.   We’ll be watching …..

CNNMoney (2/25)

Mintz Levin Benefits attorney Patricia Moran recently authored an article for  the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship.  The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators. For the full story, click here.

We’ve discussed privacy compliance with regulations, legal requirements, etc. in the space since this blog’s inception.   “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.

Privacy can also be a key differentiator and a competitive advantage.  Read on for some points that can help drive your data privacy/data management program. Continue Reading How to Leverage Privacy as a Key Competitive Advantage

Mintz Levin’s TCPA and Consumer Calling Practice Team has published its latest TCPA Digest.

This month’s issue examines an FCC rulemaking proceeding concerning whether providers should be required to establish a challenge mechaniskm for incorrectly blocked robocalls.  In addition, the Digest examines the factors defendants should consider in whether to make an early offer of judgment (a “Rule 68” offer) in a TCPA class action and relevant case law about early offers.

The TCPA Digest can be read here.

 

 

If your company is one of the broad group of businesses licensed by the New York Department of Financial Services (NY DFS), a very important deadline is bearing down on February 15.    Continue Reading Deadline Approaching under NY Cybersecurity Regulations

In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by fines modeled on European antitrust laws. US Life Sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations.   We’ll be presenting the next webinar in our GDPR series particularly targeted to life sciences and biotech companies and that will be coming up in March.  Watch this space for more information and registration.

Step 1 – Confirm that the GDPR Applies Continue Reading Practical GDPR Steps for US-Headquartered Life Sciences Companies