Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio first-of-its kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed the Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in December, and is aimed at providing Ohio businesses with special protection from litigation in the event of a security incident or … Read More
Taft summer associate Jordan Jennings-Moore contributed to this article.
In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target, to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be … Read More
Rebekah Mackey, Taft summer associate, contributed to this article.
Just months after the European Union’s General Data Protection Regulation, or “GDPR” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.
As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.
- “GDPR Compliant.” Be wary of companies making such claims and don’t make such claims, yourselves. As with HIPAA, there is no such thing as a stamp of “compliance” approval. And, like bragging about your information security, warranting that you are “compliant” is just asking for that
On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.
In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.
- Your choices matter most. I beat this drum pretty heavily, but it is
Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data. The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included employee sensitive data, such as his or her … Read More
U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.
But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined … Read More
Every year, the culprit that tops the list of information security risk is the same one from the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee that clicks the phishing link or lets … Read More
Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comments updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 F.R. 1941 … Read More