Photo of Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.


Continue Reading

Last week, I had the pleasure of speaking at the 11th Annual Northern Kentucky University Cybersecurity Symposium. This year, over three hundred attendees ranging from IT and security professionals, to corporate executives and attorneys, gathered for workshops and presentations relating to nascent privacy and security issues. During my presentation, “So Goes California, So Goes the Nation,” I discussed the California Consumer Privacy Act (“CCPA”), and the California legislature’s recent amendments to the CCPA (“the Amendments”), which were signed into law by Governor Brown on Sept. 28, 2018.

As I explained during my presentation, the CCPA was fast-tracked through the California legislature in an attempt to preempt a state-wide voter initiative that would enact regulations on California businesses that collect personal information, but would have been immune from amendment absent a second state-wide voter initiative. Because the California legislature drafted and passed the CCPA in a week, a number of businesses have identified vague and confusing aspects of the law. Therefore, just eight weeks after passing the CCPA, the California legislature has already passed the first set of Amendments. Here are the top takeaways from my talk at NKU:

  • Private Right of Action & Civil Penalties: The CCPA creates a private right of action for a California citizen only when a company has suffered a data breach that is the result of the company’s failure to implement reasonable security measures. The CCPA requires the individual to contact the company prior to initiating an action, and allows the company thirty (30) days to cure the violation. The California Attorney General can also issue civil penalties of up to $2,500 per violation of the CCPA, and up to $7,500 per each intentional violation.
  • Role of California Attorney General: The Amendments clarified that although the CCPA takes effect on Jan. 1, 2020, the California Attorney General can wait until July 1, 2020 to promulgate final regulations. Further, the California AG cannot file enforcement actions under the CCPA until the earlier of July 1, 2020, or six months after the date of the final regulations. Accordingly, businesses regulated under the CCPA will have limited time to align their compliance programs before potential enforcement. Additionally, the original CCPA required any private right of action suits or class actions to be sent to the California AG’s office to determine whether a potential violation existed. The Amendments removed this requirement to avoid forcing the AG’s office into the role of a litigation gatekeeper.
  • Federal Privacy Regulations Exemptions: Originally, the CCPA contained exemptions for compliance for information already subject to federal privacy laws, such as Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act or Health Information Portability and Accountability Act, whenever the CCPA conflicted with a requirement of the federal law. Now, under the amendments, that exemption simply applies across the board regardless of whether or not the CCPA conflicts with these laws. However, companies need to be aware that being subject to a federal regulation does not exempt all data being collected from the new CCPA. If a business collects data outside the federal regulations, then that data will still be regulated by the CCPA.


Continue Reading

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio first-of-its kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed the Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading

On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318), goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number,
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;”
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.


Continue Reading