Photo of Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio first-of-its kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed the Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading Proactive Approach to Cybersecurity Pays off in Ohio with New Data Protection Act

On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318), goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number,
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;”
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.


Continue Reading Alabama Rolls with Tide as Last State to Adopt Breach Notification Law