On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced the proposed Digital Charter Implementation Act (DCIA or “Act”), new legislation from the Liberal Party of Canada that could dramatically alter how the country regulates consumer data.[1] The Act, which will likely extend to businesses outside of Canada, aims to “significantly increase protections to Canadians’ personal information” and “provide significant new consequences for non-compliance with the law.”[2] The DCIA grants consumers powerful consent rules, including the ability to withdraw consent, control over the transfer of their information to third parties, algorithmic transparency rights and data de-identification safeguards.[3] Penalties for noncompliance are substantial and can reach as high as 5% of a company’s revenue or C$25 million, whichever is greater.[4]
Continue Reading Canada Proposes New Privacy Bill

As regulators attempt to keep pace with the ever-changing technological landscape, legislation and agency guidance continue to evolve. Two recent developments worth noting:

  1. The clarification and modification of the California Consumer Privacy Act (CCPA)
  2. The release of the U.S. Department of Health and Human Service’s (HHS) voluntary cybersecurity practices for health care organizations

For insights

All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Continue Reading Encryption Considerations under Data Breach Notification Laws

With Alabama’s recent enactment of the Alabama Data Breach Notification Act of 2018 (“Act”), all 50 states now have their own data breach reporting statutes. Given the complexity of the current U.S. data breach reporting regime, which also includes statutory reporting obligations in jurisdictions like Puerto Rico and the District of Columbia, businesses with customers in more than one state must coordinate with advisors who have experience navigating this patchwork quilt of statutes.

On March 28, 2018, Alabama became the 50th (and final) state to enact a data breach notification law. The Act requires notification where a “good faith and prompt investigation” results in a determination that “sensitive personally identifying information” (“SPII”) of an Alabama resident has been acquired or is reasonably believed to have been acquired by an unauthorized person, “and is reasonably likely to cause substantial harm to the individuals to whom the information relates.” 
Continue Reading Now That All U.S. States Have Data Breach Laws, National Breach Reporting Is Even More Complex

South Dakota is the latest state to add notice requirements for data breaches, mandating notice within 60 days of the breach. Like many others before it, South Dakota armed the mandate with steep monetary penalties of up to $10,000 per day, per violation.

Alabama — the sole remaining U.S. state without a data breach law

On December 3, 2017, the National Association of Insurance Commissioners (“NAIC”) Cybersecurity (EX) Working Group met and noted that the U.S. Department of the Treasury has recommended that states nationwide work to implement NAIC’s recently adopted Insurance Data Security Model Law (“Model Law”). The full text of the Model Law is available at NAIC.org and can be found here. The Model Law sets standards and best practices for insurers to follow as they safeguard consumers’ data, and it closely follows the New York State Department of Financial Services (“NYDFS”) Cybersecurity Regulation, 23 NYCRR 500, which was adopted earlier this year and applies to those regulated or licensed under New York insurance, banking or finance laws. In short, those in the insurance industry need to take action to develop cybersecurity programs and procedures.
Continue Reading Cybersecurity Pressures within the Insurance Industry