FTC Amends Safeguard Rule with Requirement for Non-Banking Financial Institutions to Report Data Security Breaches
On October 27, 2023, the Federal Trade Commission (FTC) announced it is amending the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) to include a requirement for non-bank financial institutions to report certain data breaches and other security events to the agency.
WSGR Event Recap: The State of Play at the FTC on Privacy
On May 1, 2019, WSGR held an event in which regulators and experts discussed privacy developments in the U.S. and Europe. The first session featured a fireside chat with the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection Director, Andrew Smith, on “The State of Play at the FTC on Privacy.” In case you missed it, here are the key takeaways from the discussion:
- More specificity in data security orders. Director Smith noted that we should expect to see more specificity in data security orders moving forward, particularly after the Eleventh Circuit’s decision in LabMD. He mentioned that the FTC’s approach to post-LabMD orders is still evolving, but the next data security order entered will likely reflect the FTC’s new approach.
EDPB Opinion on Consent and Legal Basis in Clinical Trials
On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.
In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
New Colorado Law Takes Effect That Includes Strict 30-Day Data Breach Notification Requirement
On September 1, 2018, a new Colorado law took effect that, among other things, amends the state’s data breach law to: (1) expand the scope of the categories of “personal information” that trigger notification requirements; (2) require notification to residents and the state attorney general no more than 30 days after determining that a security breach has occurred; and (3) specify what must be included in these notifications. In addition, the statute requires entities that maintain, own, or license personal identifying information (PII) to implement and maintain reasonable security practices and procedures to secure PII and impose similar security obligations on third-party service providers with which the entity shares PII. Finally, the law amends Colorado’s data disposal law to clarify the appropriate procedure for disposing of documents that contain PII. The passage of the Colorado law serves as a reminder that not only do state data breach notification requirements vary, but state laws also change over time in significant ways. Companies are well-advised to continue monitoring state laws for such changes.
Alabama Becomes Final State to Enact Data Breach Notification Law
On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. In addition to being the last state to enact a breach notification law, Alabama’s new law distinguishes itself in a variety of unique ways.
Consistent with other state breach notification laws, the new law defines “sensitive personally identifying information” maintained in electronic form (covered information) broadly. In addition to government issued forms of identification and financial account numbers, covered information includes an individual’s medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident’s name. In addition, usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is “reasonably likely to contain or is used to obtain” sensitive personally identifying information (i.e., if the username or email address and password grant access to covered information that triggers the notification requirement). These important caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords.
Tennessee Updates Data Breach Notification Law
The State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor from its data breach notification statute. However, this is not the case; Tennessee has not removed its primary encryption safe harbor. Even under the amended Tennessee law, data encryption remains an important method for securing data, and one that may reduce notice obligations if a breach occurs.
S.B. 2005 makes three changes to the breach notification statute that may impact whether Tennessee’s notification law applies to a particular data breach situation, and when organizations must send notices to affected individuals.
EU Reaches Political Agreement on New Data Protection Regulation
On December 15, 2015, the European Parliament and the Council of the European Union reached a political agreement on the text of the EU General Data Protection Regulation (GDPR). This is a major step toward the official adoption of the GDPR, which is now expected in Spring 2016. The GDPR will have a significant impact on how EU and non-EU businesses can collect and process the personal data of EU individuals. This article discusses the key elements of the GDPR.