On March 22, 2023, Capita PLC (“Capita”) experienced a cyber incident which it announced in a press release on April 3, 2023 and an update on April 20, 2023. Capita identified the incident on March 31, 2023, and confirmed the incident caused disruption to some services provided to individual clients, which has now been resolved. On April 21, 2023, the UK Information Commissioner’s Office (“ICO”) issued a statement confirming that Capita reported the incident and the ICO is investigating. The ICO also noted that other organizations affected by the incident should “consider their position[s]” and, if necessary, submit a breach notification.
Continue Reading UK Regulators Urge Capita PLC Clients to Assess Effects of Data BreachTennessee Privacy Law Recognizes CBPR and PRP Certifications
On April 21, 2023, the Tennessee legislature voted to enact the Tennessee Information Privacy Act (H.B. 1181)(“TIPA”). TIPA includes a requirement for controllers and processors to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework. Under TIPA, the scale and scope of a controller or processor’s privacy program is appropriate if it is based on specific factors enumerated in the law. These include (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal information processed; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.
Continue Reading Tennessee Privacy Law Recognizes CBPR and PRP CertificationsMontana and Tennessee Could Become Eighth and Ninth States to Enact Comprehensive Consumer Privacy Bills
On April 21, 2023, the Montana and Tennessee legislatures voted to enact comprehensive consumer privacy bills in their respective states. If signed by their governors, Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) and Tennessee’s Information Protection Act (H.B. 1181) (“TIPA”) could make these states the eighth and ninth U.S. states to enact comprehensive privacy legislation.
Continue Reading Montana and Tennessee Could Become Eighth and Ninth States to Enact Comprehensive Consumer Privacy BillsEDPB Initiates Procedure for Electing a New Chair
On April 26, 2023, the European Data Protection Board (“EDPB”) initiated the procedure for electing a new Chair and Deputy Chair to replace Andrea Jelinek and Ventsislav Karadjov, whose mandates will end on May 25, 2023.
Continue Reading EDPB Initiates Procedure for Electing a New ChairNYC DCWP Adopts Rules to Implement Law Governing Automated Employment Decision Tools and Sets July Enforcement Date
On April 6, 2023, the New York City Department of Consumer and Worker Protection (“DCWP”) announced it adopted final rules to implement NYC’s Local Law 144 (“LL 144”) regarding automated employment decision tools (“AEDTs”). Enforcement of the law and the rules will begin on July 5, 2023.
Continue Reading NYC DCWP Adopts Rules to Implement Law Governing Automated Employment Decision Tools and Sets July Enforcement DateWashington Likely to Become First State to Enact a Comprehensive Health Privacy Law
On April 17, 2023, the Washington State House concurred to the Washington State Senate’s amendments to Washington State House Bill 1155, the My Health My Data Act (the “Act”), clearing the Act’s way to Governor Jay Inslee for a final signature. If enacted, the Act would be the first comprehensive consumer health information privacy law in the United States.
Continue Reading Washington Likely to Become First State to Enact a Comprehensive Health Privacy LawHHS Issues NPRM to Strengthen Protections under HIPAA for Reproductive Privacy
On April 12, 2023, the U.S. Department of Health and Human Services (“HHS”) issued a Notice of Proposed Rulemaking (“NPRM”) to modify protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to strengthen reproductive health care privacy.
Continue Reading HHS Issues NPRM to Strengthen Protections under HIPAA for Reproductive PrivacyIndiana Likely to Become Seventh State to Enact a Comprehensive State Privacy Law
On April 13, 2023, the Indiana Senate concurred to the Indiana House’s amendments of Senate Bill 5 (“SB 5”) a day after the House returned the bill to the Senate with amendments, and a couple days after the Indiana House unanimously voted to approve SB 5. SB 5 now will head to Governor Eric Holcomb for a final signature, where he will have seven days upon transmission to sign SB 5 into law or veto it. This could make Indiana the seventh U.S. state to enact comprehensive privacy legislation.
Continue Reading Indiana Likely to Become Seventh State to Enact a Comprehensive State Privacy LawArkansas Enacts Legislation Restricting Social Media Accounts for Minors
On April 12, 2023, Arkansas Governor Sarah Huckabee Sanders signed into law S.B. 396 creating the state’s Social Media Safety Act (the “Act”). The Act comes after Utah’s similar social media laws enacted in March.
Continue Reading Arkansas Enacts Legislation Restricting Social Media Accounts for MinorsThe UK Data Protection Regulator Fines TikTok £12.7 Million
On April 4, 2023, the data protection regulator of the UK, the Information Commissioner’s Office (ICO), issued a fine of a £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc (together, “TikTok”) for a number of breaches of UK data protection law, including failing to use children’s personal data lawfully.
Continue Reading The UK Data Protection Regulator Fines TikTok £12.7 Million