Status of Proposed CCPA-Like State Privacy Legislation
The end of March and beginning of April was another busy week with developments in Washington, Florida, Oklahoma, Alaska, Nevada, and Rhode Island: Washington – The House Committee on Appropriations passed the Washington Privacy Act out of committee. Oklahoma – The author of the Oklahoma Computer Data Privacy Act reported that the bill has been […]
Lessons Learned from New York’s Second Cybersecurity Action
The New York Department of Financial Services has announced its second regulatory enforcement action against a regulated entity (a New York licensed mortgage banker and loan servicer) for violating NYDFS’s Cybersecurity Regulations. The action involved the mortgage banker’s failure to report a data breach – a breach caused by an employee overriding the company’s multi-factor […]
Florida Legislature Considers Sweeping Data-Privacy Legislation Supported by Governor
Florida has joined the wave of states considering new comprehensive data privacy legislation. On February 15, 2021, Representative Fiona McFarland introduced HB 969, modeled after the California Consumer Privacy Act. The bill is supported by Governor Ron DeSantis and the speaker of the Florida House. As introduced, HB 969 would apply to for-profit businesses that […]
Utah Gets a New Data Breach Defense Law
On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security. The Act provides three affirmative defenses: If a “person” (broadly defined to include individuals and most business organizations but not government agencies or departments) […]
Department of Commerce Convenes Virtual Forum on Supply Chain Risks in Semiconductor Manufacturing and...
The U.S. Department of Commerce’s Bureau of Industry and Security Office of Technology Evaluation will hold a virtual forum on April 8, 2021, to...
Byte-Sized Q&A: What About Controlled Technical Information?
Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, host Kate Growley talks about what government contractors need to know about controlled technical information or CTI. More at Crowell & Moring
Finding the Weak Links – President Biden Executive Order Demands Review of Critical U.S....
On February 24, 2021, President Biden signed Executive Order 14017, “Executive Order on America’s Supply Chains,” requiring a review of global supply chains that support key U.S. industries in an attempt to improve supply chain security for the U.S. government and U.S. companies. The new Executive Order appears to be an initial step focused on […]
Senate Version of Florida Privacy Law Moves Forward; House Version Makes Class-Action Lawsuits Even...
The Florida Senate’s version of a new comprehensive privacy law (a.k.a. the “Florida Privacy Protection Act” (FPPA)) passed unscathed out of the Senate’s Committee on Commerce and Tourism yesterday. The bill’s sponsor fought off two proposed amendments: one that would have eliminated the private right of action and a second that would have required more […]
Utah Becomes the Second U.S. State to Establish Affirmative Defenses for Data Breach
In enacting the Cybersecurity Affirmative Defense Act, HB80, (Act) on March 11, 2021, Utah became the second state in the U.S. to create affirmative defenses for “persons” to certain causes of action arising out of a breach of system security. “Persons” is defined to include individuals, associations, corporations, partnerships, and other business entities. The Act […]
California Court Tosses Alleged “Data Breach” Suit, Holding CCPA Does Not Apply Retroactively
In Gardiner v. Walmart, Inc., a Walmart customer who purchased goods online filed a putative class action alleging that Walmart’s cybersecurity procedures led to a purported unauthorized disclosure of his personal identifying information (PII). This purported “data breach” class action is unique in that the plaintiff cannot identify when and how the data breach occurred. Instead, the […]