New York’s Stop Hacks and Improve Electronic Data Security Act, which went into effect on March 21, places a greater burden on regulated entities in responding to data breaches and expands the enforcement powers of the New York Attorney General’s office. In order to avoid penalties, businesses would be wise to ensure that they are in compliance with the new law.
For the full alert, visit the Faegre Drinker website.
In the wake of data breaches, companies may find themselves targets of class actions by customers or employees whose personal information was compromised in the breach. The exposure is considerable, with an estimated 765 million people impacted by data breaches between April and June of 2018. As we previously reported, some courts have allowed consumer and employee data breach cases to proceed despite threshold challenges – leading to multi-million-dollar settlements. And in Dittman, Pennsylvania’s Supreme Court recently held that an employer owed an affirmative duty to exercise reasonable care to protect employees’ personal nonpublic data from data breaches.
South Dakota and Alabama are the last of the 50 states to have enacted breach notification laws, along with Washington, D.C., Guam, Puerto Rico and the Virgin Islands. South Dakota became the 49th state to enact a data breach notification law when Governor Dennis Daugaard signed Senate Bill 62 into law on March 21. It goes into effect on July 1, 2018. On March 28, 2018, Alabama Governor Kay Ivey signed into law Alabama Senate Bill 318, effective May 1, 2018. Below are the parameters of these new data breach notification laws.
The draft bill, “Data Acquisition and Technology Accountability and Security Act,” has led 32 state attorneys general to release a letter urging Congress to avoid preempting state data breach and data security laws.
On February 16, 2018, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) introduced the draft bill in the House of Representatives. It would establish (i) sweeping standards for data protection across various industries, (ii) federal post-data breach notification requirements, and (iii) a process that covered entities must follow to notify law enforcement, regulators, and victims following different types of data breaches.