On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law. This blog entry provides a summary of the legislation.
Continue Reading Vermont Enacts Insurance Data Security Law
Gramm Leach Bliley Act
Connecticut Enacts Consumer Privacy Law
Posted on
On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.
Continue Reading Connecticut Enacts Consumer Privacy Law
Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law
Posted on
Posted in U.S. State Law
On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act. The law will take effect on December 31, 2023.
Continue Reading Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law
FTC Puts Companies on Notice that Failure to Identify and Patch Instances of Log4j May Violate FTC Act
Posted on
On January 4, 2022, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability.
Continue Reading FTC Puts Companies on Notice that Failure to Identify and Patch Instances of Log4j May Violate FTC Act
FTC Announces Significant Updates to GLB Safeguards Rule
Posted on
Posted in Financial Privacy, U.S. Federal Law
On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule, which requires covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Safeguards Rule’s requirements.
Continue Reading FTC Announces Significant Updates to GLB Safeguards Rule
UPDATE: New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Are Now in Effect
Posted on
On October 1, 2021, Connecticut’s two new data security laws went into effect. The new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program.
Continue Reading UPDATE: New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Are Now in Effect
New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Effective October 2021
Posted on
Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.
Continue Reading New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Effective October 2021
Nevada’s Governor Expands State’s Internet Privacy Law That Previously Limited Right to Opt Out of Sales
Posted on
On June 2, 2021, Nevada’s governor approved SB 260 (the “Amendment Bill”), which expands on the previously amended Nevada Privacy of Information Collected on the Internet from Consumers Act (the “Act”). Specifically, the Amendment Bill broadens the definition of key terms along with providing several new exemptions.
…
Continue Reading Nevada’s Governor Expands State’s Internet Privacy Law That Previously Limited Right to Opt Out of Sales
FTC Announces Enforcement for Inadequate Third-Party Risk Management Practices Under the GLBA’s Safeguards Rule
Posted on
On December 15, 2020, the Federal Trade Commission announced a proposed settlement with Ascension Data & Analytics, LLC, a Texas-based mortgage industry data analytics company, to resolve allegations that the company failed to ensure one of its vendors was adequately securing personal information of mortgage holders.
Continue Reading FTC Announces Enforcement for Inadequate Third-Party Risk Management Practices Under the GLBA’s Safeguards Rule
Financial Regulators Announce Proposed 36-Hour Notification Requirement for Notification Incidents
Posted on
Posted in Financial Privacy, U.S. Federal Law
On December 18, 2020, federal financial regulatory agencies announced a proposed rule that would require “banking organizations” to notify their primary federal regulator within 36 hours following any “computer-security incident” that rises to the level of a “notification incident.” The Proposed Rule also would require service providers to notify at least two individuals at the banking organizations they service immediately after experiencing a computer security incident that materially disrupts, degrades or impairs the services they provide.
Continue Reading Financial Regulators Announce Proposed 36-Hour Notification Requirement for Notification Incidents