Social Security Number

Effective October 1, 2018, Connecticut law requires organizations that experience a security breach affecting Connecticut residents’ Social Security numbers (“SSNs”) to provide 24 months of credit monitoring to affected individuals. Previously, Connecticut law required entities to provide 12 months of credit monitoring for breaches affecting SSNs. Continue Reading Connecticut Requires 24 Months of Credit Monitoring for Certain Security Breaches

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017. Continue Reading Judge Grants Final Approval of Record Data Breach Settlement in Anthem Class Action

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020. Continue Reading California Consumer Privacy Act Signed, Introduces Key Privacy Requirements for Businesses

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information. Continue Reading California Ballot Initiative to Establish Disclosure and Opt-Out Requirements for Consumers’ Personal Information

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information. Continue Reading Colorado Amends Data Breach Notification Law and Enacts Data Security Requirements

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances. Continue Reading Arizona Amends Data Breach Notification Law

As reported in BNA Privacy Law Watch, on December 6, 2017, health care provider 21st Century Oncology agreed to pay $2.3 million to settle charges by the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) that its security practices led to a data breach involving patient information. The settlement was made public in the company’s December 6, 2017, bankruptcy filing. The HHS charges stemmed from a 2015 data breach involving the compromise of Social Security numbers, medical diagnoses and health insurance information of at least 2.2 million patients. OCR found that 21st Century Oncology failed to perform risk assessments on its systems or implement effective security protocols to protect patient information. As part of the settlement, 21st Century Oncology did not admit liability but did agree, in addition to the $2.3 million payment, to undertake a revision of its information security policies and procedures and to implement certain information security measures, including risk assessments.

On November 8, 2017, the FTC announced a settlement with Georgia-based online tax preparation service, TaxSlayer, LLC (“TaxSlayer”), regarding allegations that the company violated federal rules on financial privacy and data security. According to the FTC’s complaint, malicious hackers were able to gain full access to nearly 9,000 TaxSlayer user accounts between October 2015 and December 2015. The hackers allegedly used the personal information contained in the users’ accounts, including contact information, Social Security numbers and financial information, to engage in tax identify theft and obtain tax refunds through filing fraudulent tax returns. The FTC charged TaxSlayer with violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule.  Continue Reading FTC Announces Settlement with Tax Prep Service over Financial Privacy and Security Violations

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General.  Continue Reading FTC Announces Settlement with Lenovo Regarding Preinstalled Laptop Software