Wednesday, October 23, 2019

New York SHEILD Act becomes effective (in part) today

Back in July, the State of New York adopted the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which operates as an amendment to New York's existing data breach notification statute.  Certain parts of the SHEILD Act become effective today:
  • The breach notification provisions formerly applied only to those conducting business in New York.  Now, like many other state breach notification laws, the statute applies to any person or business that owns or licenses private information of a New York resident.
  • A security breach will now include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, which is intended to include most ransomware.  ("Acquisition" of data is no longer required.)
  • "Private information" will now include biometric information, as well as a username/email address in combination with a password or security questions and answers, and account numbers  (including credit/debit card numbers) even without a password or code if the account could be accessed without a code.
In addition, beginning March 21, 2020, New York will join other states in requiring companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information.

Friday, October 11, 2019

Proposed Regulations Implementing the California Consumer Privacy Act

Image of laptop displaying eyeball and text California California's Attorney General released proposed regulations implementing the California Consumer Privacy Act yesterday (10/10), and at first glance, I'm disappointed.  I'm still digesting them, and will probably post more later, but you can read them for yourself here.  The AG's press release is here.  The AG's "Fact Sheet" is here.

The draft regulations are out for public comment until December 6. Make your voice heard! The Attorney General will consider  comments and may revise the regulations in response. Any revision will trigger an additional 15 day public comment period.  Following the comment period(s), the AG will submit the final text to the Office of Administrative Law, which has 30 business days to review the regulations before they will go into effect.  In other words, the regulations will not be final before the January 1 compliance deadline. 

Although the AG will not begin enforcing the regulations until July 7, 2020, I predict the plaintiffs' bar will be initiating actions soon after January 1.