The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct...
Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack by the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to the files that the ransomware encrypted. The attackers stated that the price of file retrieval would rise to $600 after a short period of time, and that if the victim company refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have spread primarily because of a failure to patch a Windows software vulnerability known as EternalBlue, which potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is the victim of a successful attack. Implement a Written Information Security Program. Knowing how to mitigate the...
On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
On May 11, 2016, President Obama signed the Defend Trade Secrets Act (“DTSA”) into law. President Obama publicly supported this legislation and efforts generally directed to strengthen trade secret protections within the U.S. economy. As we previously reported on May 3, 2016 and November 24, 2015, trade secret misappropriation was formerly treated exclusively as a matter of state law, governed by varied versions of the Uniform Trade Secrets Act as enacted in most states. A lack of uniform enactment of this Act resulted in differences in the application of the law between states, which presented difficulties for trade secret owners seeking to enforce their rights in the general commerce.
On April 27, 2016, the Defend Trade Secrets Act (“DTSA”) passed the House of Representatives with a 410-2 vote. The two no votes were from Rep. Justin Amash (R-MI) and Rep. Thomas Massie (R-KY). Earlier this month, on April 4, the Senate passed the DTSA by a unanimous vote of 87-0. Now, the DTSA heads to President Obama’s desk for his signature.
Class Action Certified in In re Yahoo Mail Litigation for Violations of the Stored Communications Act and California’s Invasion of Privacy Act
On May 28, 2015, U.S. District Judge Lucy Koh in the Northern District of California certified a class of email users in a privacy action that claims Yahoo Inc. (“Yahoo”) violated the federal Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”) through its practice of scanning and analyzing emails of non-Yahoo Mail subscribers in order to display targeted ads to Yahoo Mail subscribers. In re Yahoo Mail Litigation, No. 13-CV-04980-LHK (N.D. Cal. 2015). Plaintiffs are non-Yahoo Mail subscribers who sent emails to Yahoo Mail subscribers from non-Yahoo email accounts and allege that Yahoo routinely copies and extracts key words from emails and stores this information for later use. Plaintiffs allege that Yahoo’s practices violate § 2702(a)(1) of the SCA, which prohibits, among other things, divulging the contents of a communication without consent, and § 631 of CIPA, which prohibits the recording or reading of any type of communication without the prior consent of all parties.
On December 15, 2014, the New Jersey Assembly voted 75-to-0 to advance a bill that would expand the existing data breach notification requirements for companies doing business in the state. The bill, A3146, would broaden the type of information that, if compromised, would trigger a company’s obligation to notify customers of the breach. The proposal now heads to the Senate, where a similar bill, S2188, has been pending in the Commerce Committee since June.