beyond breaches affirmative state law duties to protect
play

Beyond Breaches: Affirmative State Law Duties to Protect Data Philip - PowerPoint PPT Presentation

Jun 16, 2023 •183 likes •433 views

womblebonddickinson.com Beyond Breaches: Affirmative State Law Duties to Protect Data Philip Gura Dominic Panakal May 14, 2019 Agenda Potential State Data Protection Laws Affirmative Obligations GDPR CCPA In the Law Existing State

  1. womblebonddickinson.com Beyond Breaches: Affirmative State Law Duties to Protect Data Philip Gura Dominic Panakal May 14, 2019

  2. Agenda Potential State Data Protection Laws Affirmative Obligations GDPR CCPA In the Law Existing State Data Protection Laws 2

  3. Changes in Attitudes: Crying Over Spilled Milk Vs. Locking the Barn Door • GDPR, CCPA signal new prospective focus on privacy rights • State laws until now mostly dealt with data breach response • At least 10 states have considered or are considering omnibus privacy regulation • Some states have current affirmative data duties • Information Security • Record Destruction • Restrictions on SSN 3

  4. GDPR – General Data Protection Regulation • Went into effect May 25, 2018 • Most comprehensive privacy law in the world • Privacy by design • Fundamental privacy rights • Fines: € 20 million or 4% of annual global revenue 4

  5. Principles and Rights Under the GDPR • Notice — data subjects should be • Security — collected data should given notice when their data is be kept secure from any potential being collected; abuses; • Purpose — data should only be • Disclosure — data subjects should used for the purpose stated and be informed as to who is not for any other purposes; collecting their data; • Consent — data should not be • Access — data subjects should be disclosed without the data allowed to access their data and subject’s consent; make corrections to any • Accountability — data subjects inaccurate data; should have a method available to • Forgotten — data subject right to them to hold data collectors be forgotten accountable for not following the • Rights Exercised Free of Charge above principles 5

  6. CCPA – California Consumer Privacy Act • Most comprehensive privacy law in the U.S. • Signed on June 28, 2018 • Revised September 23, 2018 • Goes into effect January 1, 2020 6

  7. CCPA – Applicability & Key Components 1. 1. A for-profit entity that; Right to know 2. 2. Doing business in California; or Right to access That collects personal 3. 3. Right to deletion information of California residents; and 4. 4. Right to opt-out Meets revenue thresholds or possesses PI of 50,000 5. California residents Right to equal service 7

  8. CCPA Basics • Applies to businesses without offices or employees in California • Reaches activities conducted outside of California • $2,500 per violation; $7,500 per intentional violation • Limited private right of action • 30 days to cure • Up to $750 per consumer per incident or actual damages, whichever is greater • Note: Awaiting enforcement guidance from CA AG 8

  9. CCPA – Recent Noteworthy Updates • CA Attorney General held public hearings & took comments; regulations to follow • SB 561: Another amendment introduced • Removes pre-enforcement 30 day right to cure • Adds a private right of action to any consumer whose rights are violated • An area that is constantly developing 9

  10. CCPA and GDPR Are Influencing Other States • At least 10 states are considering omnibus privacy legislation • These state proposals include some of the following data rights: • Access to Collected Information • Access to Shared Information • Deletion • Portability • Opt-out • Age-Based Opt-in • Notice Requirement • Against Discrimination 10

  11. CCPA and GDPR Are Influencing Other States • Data Rights Common in Omnibus Proposals (Hawaii, Rhode Island, and Washington): • Access to Collected/Shared Information - Consumer has rights to request information about the processing, disclosure and/or sale of their personal information, and being notified of these rights in a public-facing privacy notice • Deletion - Grants consumers the right to request deletion of their personal information. Entities must disclose this right to consumers. 11

  12. CCPA and GDPR Are Influencing Other States • Data Rights Common in Omnibus Data Proposals (Hawaii, Rhode Island, and Washington) • Portability - Requires businesses list the categories of personal information that it sells/discloses to each category of third party to which the consumer’s personal information is sold/disclosed. • Opt-out - Gives consumers the ability to direct a business not to sell their personal information to a third party. This section does not stop a business from distributing the data within the organization that collected it • Age-Based Opt-in - A business can only sell the personal information of a child between the ages of 13 and 16 with the child's consent and can only sell the personal information of a child under 13 with the consent of the child's parent or guardian. • Against Discrimination - Prohibits discrimination against consumers for exercising rights under the CCPA 12

  13. One Big Issue: Two Approaches to Data Obligations California embraced the GDPR style of data regulation • Large Scale • Comprehensive North Carolina and other states are taking a different approach • Smaller Scale • Subject To Oversight • Less California, More Alabama 13

  14. We’ll Know It When We See It – North Carolina North Carolina - HB 904 would require that businesses “[ i]mplement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure .” Despite not being omnibus, this creates a series of compliance hurdles 14

  15. Existing Data Obligations – Information Security • Many states require companies to take reasonable measures to implement and maintain security measures (i.e. Utah and Arkansas) • Not omnibus or comprehensive like California • Creates an affirmative information security obligation • Look to both Alabama and Ohio laws to understand industry standards and expectations 15

  16. Information Security – Ex: Alabama • Take reasonable measures to implement and maintain security measures, including consideration of the following: • (i ) designation of an employee to coordinate the entity’s security measures, • (ii) identification of risks for security breaches, • (iii) adoption of appropriate safeguards to address the identified risks and assess their effectiveness, • (iv) contractual retention of service providers to provide appropriate safeguards for personally identifiable information, • (v) adjustment of security measures for personally identifiable information to account for changes of circumstance, and • (vi) keeping the entities management informed of the security measures AL S.B. 318 16

  17. Ohio’s Affirmative Defense: How High Is High? • Ohio’s safe harbor applies to businesses that access, maintain, communicate or process personal or restricted information. Aimed at combatting the uptick in costly data breaches, cybersecurity measures must be designed to (i) protect the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to the acquisition of personal information likely to result in a material risk of identity theft or other fraud for respective individuals. • Encourages businesses to comply with established frameworks and gain an affirmative defense to tort actions arising from alleged “failure[s] to implement reasonable information security controls, resulting in a data breach.” • To qualify for safe harbor, businesses must “reasonably conform” with one of the eight commonplace industry- recognized frameworks, including HIPAA, GLBA, FISMA, and NIST’s Cybersecurity Framework. 17

  18. Existing Data Obligations – Record Destruction - Most states require entities to destroy or dispose records reasonably (i.e. Georgia, South Carolina) - These laws are often triggered when the sensitive or personally identifying information is no longer necessary for storage 18

  19. Record Destruction – Ex: Florida An entity or third-party agent must take reasonable measures to dispose of records containing sensitive personally identifying information within its custody or control when the records are no longer to be retained pursuant to applicable law, regulations, or business needs. Fla. Stat. Ann. § 501.171 19

  20. Existing Data Obligations – Prohibitions on SSN Use Many states (including Georgia) have explicit prohibitions on how social security numbers can be used and sent • Important to look at encryption methods • Level of exposure in electronic and carrier mail • Manner in which it is transported 20

  21. Prohibitions on SSN Use – Ex: Hawaii Entities should not • Make SSN available to general public • Print or embed entire SSN • Require whole SSN be transmitted on internet through unsecured server • Send exposed SSN through the mail Haw. Rev. Stat. Ann. § 487J-2 21

  22. StateDataUseLaw.com 22

  23. Questions? StateDataUseLaw.com Phil Gura T: 404-888-7480 E: Phil.Gura@WBD-US.com Dominic Panakal T: 404-879-2481 E: Dominic.Panakal@WBD-US.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACTION August 2019 AFFIRMATIVE ACTION OFFICERS District Affirmative Action Officer

ACTION August 2019 AFFIRMATIVE ACTION OFFICERS District Affirmative Action Officer

AFFIRMATIVE ACTION August 2019 AFFIRMATIVE ACTION OFFICERS District Affirmative Action Officer District Civil Rights Coordinator Elizabeth A. Curry, Ed.D. Gloucester City High School (856) 456-7000, ext. 1550 School Affirmative

331 views • 9 slides
Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

AUGUST 25, 2015 Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks Tyler Gerking, Partner David B. Smith, CPCU, ARM, Insurance & Risk Management Consultant What is Cyber Insurance?

368 views • 10 slides
Bank Claims for Target-Type Breaches: Leveraging Litigation Theories, Assessing and Pleading

Bank Claims for Target-Type Breaches: Leveraging Litigation Theories, Assessing and Pleading

Presenting a live 90-minute webinar with interactive Q&A Bank Claims for Target-Type Breaches: Leveraging Litigation Theories, Assessing and Pleading Damages Recovering Losses Due to Third-Party Data Breaches and Response Planning to Protect

946 views • 55 slides
Protecting Yourself Against Scams and Data Breaches During Coronavirus Crisis ... and Beyond

Protecting Yourself Against Scams and Data Breaches During Coronavirus Crisis ... and Beyond

Protecting Yourself Against Scams and Data Breaches During Coronavirus Crisis ... and Beyond Daler Radjabov, Esq. NYCLA CLE Institute Todays topics CoronaVirus related scams How to secure your online identity How to protect your

514 views • 22 slides
Affirmative Action Policies in the US: An Introductory Overview Presentation by Glenn C. Loury

Affirmative Action Policies in the US: An Introductory Overview Presentation by Glenn C. Loury

Affirmative Action Policies in the US: An Introductory Overview Presentation by Glenn C. Loury Merton P. Stoltz Professor of the Social Sciences Brown University For Discussion Group on Affirmative Action Institute for Advanced Study in

897 views • 53 slides
Legal Duties Legal Duties Legal duties to patient, employer, medical director, and public

Legal Duties Legal Duties Legal duties to patient, employer, medical director, and public

Chapter 4: Medical/Legal Issues Legal Duties Legal Duties Legal duties to patient, employer, medical director, and public Set by statutes and regulations Based on generally accepted standards Ethical Responsibilities Ethical

568 views • 20 slides
Some Legal and Political Controversies about Affirmative Action in the United States Discussion

Some Legal and Political Controversies about Affirmative Action in the United States Discussion

Some Legal and Political Controversies about Affirmative Action in the United States Discussion Group on Affirmative Action Policies Institute for Advanced Study in Toulouse Glenn C. Loury, October 12, 2018 Two Topics for Todays Discussion:

807 views • 41 slides
Human Centered Ethics Duties: Not to allow the natural environment to deteriorate

Human Centered Ethics Duties: Not to allow the natural environment to deteriorate

Human Centered Ethics Duties: Not to allow the natural environment to deteriorate Responsibility: To protect Wilderness Obligations: Link the plants & Animals with Human Values Life Centered Ethics Biocentric Equality To

531 views • 17 slides
https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred

https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred

https://xkcd.com/838/ Data Breaches This years study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. The 2020 Cost of a Data Breach

289 views • 17 slides
The Rise and Fall of Periphrastic Do in Affirmative Declaratives Relja Vulanovi c Department

The Rise and Fall of Periphrastic Do in Affirmative Declaratives Relja Vulanovi c Department

The Rise and Fall of Periphrastic Do in Affirmative Declaratives Relja Vulanovi c Department of Mathematical Sciences Kent State University Stark Campus 6000 Frank Ave. NW Canton, OH 44720, USA rvulanovic@stark.kent.edu

156 views • 14 slides
The Effect of Banning Affirmative Action on Human Capital Accumulation Prior to College Entry

The Effect of Banning Affirmative Action on Human Capital Accumulation Prior to College Entry

The Effect of Banning Affirmative Action on Human Capital Accumulation Prior to College Entry Kate Antonovics Ben Backes UC San Diego CALDER/AIR January 2014 CALDER Conference Motivation Popular debate surrounding affirmative action

371 views • 22 slides
Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches & Security Requirements Security Breaches Criminal Conduct -computer viruses (ransomware) -physical theft -server, laptops, flash drives -electronic

668 views • 31 slides
Protect Your Small Business From Cyber Attacks Presenter: Jacob Blacksten Technology Business

Protect Your Small Business From Cyber Attacks Presenter: Jacob Blacksten Technology Business

Protect Your Small Business From Cyber Attacks Presenter: Jacob Blacksten Technology Business Advisor, Delaware SBDC 01/01/2018 www.delawaresbdc.org Small Businesses are a Target 68% of breaches took months or longer to 58% of data breach

529 views • 25 slides
Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167,

Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167,

Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167, Recommendation R175 and the Code of Practice Duties of authorities, employers, the self-employed, and workers Duties of construction clients and

758 views • 43 slides
PORTFOLIO COMPANY BOARD MEMBER ROLE & DUTIES May 11, 2020 1 AGENDA Role and Duties of

PORTFOLIO COMPANY BOARD MEMBER ROLE & DUTIES May 11, 2020 1 AGENDA Role and Duties of

PORTFOLIO COMPANY BOARD MEMBER ROLE & DUTIES May 11, 2020 1 AGENDA Role and Duties of Board Members Fiduciary Duties Personal Liability & Indemnification Antitrust Concerns Dual-Hat Liability Identifying

671 views • 24 slides
FLORIDAS PLAN AGAINST COVID -19 1. Protect the Vulnerable 2. Increase Testing 3. Promote

FLORIDAS PLAN AGAINST COVID -19 1. Protect the Vulnerable 2. Increase Testing 3. Promote

FLORIDAS PLAN AGAINST COVID -19 1. Protect the Vulnerable 2. Increase Testing 3. Promote Social Distancing 4. Support Hospitals and Protect Health Care Workers 5. Prevent Introduction from Outside of the State ACTIONS TO PROTECT THE

488 views • 32 slides
Final Agreement on the Management Integration of Chuo Mitsui Trust Group and The Sumitomo Trust

Final Agreement on the Management Integration of Chuo Mitsui Trust Group and The Sumitomo Trust

To whom it may concern August 24, 2010 Chuo Mitsui Trust Holdings, Inc. (Securities Code: 8309 TSE, OSE, NSE) The Sumitomo Trust and Banking Co., Ltd. (Securities Code: 8403 TSE, OSE) Final Agreement on the Management Integration of Chuo

356 views • 24 slides
PUBLIC SCHOOL CODE OF 1949 - OMNIBUS AMENDMENTS Act of Nov. 3, 2016, P.L. 1061, No. 138 Cl. 24

PUBLIC SCHOOL CODE OF 1949 - OMNIBUS AMENDMENTS Act of Nov. 3, 2016, P.L. 1061, No. 138 Cl. 24

PUBLIC SCHOOL CODE OF 1949 - OMNIBUS AMENDMENTS Act of Nov. 3, 2016, P.L. 1061, No. 138 Cl. 24 Session of 2016 No. 2016-138 HB 1907 AN ACT Amending the act of March 10, 1949 (P.L.30, No.14), entitled "An act relating to the public

682 views • 12 slides
MERKO EHITUS GROUP 9 months and III quarter 2014 November 2014 Agenda 1. Key highlights 2.

MERKO EHITUS GROUP 9 months and III quarter 2014 November 2014 Agenda 1. Key highlights 2.

MERKO EHITUS GROUP 9 months and III quarter 2014 November 2014 Agenda 1. Key highlights 2. Business review at segment level 3. Financial position 4. Market outlook 5. Group in brief 2 Key highlights 9M 9M Var Q3 Q3 Var 12M EUR

275 views • 15 slides
PROMISE INDIANA Technical Aspects How Promise Works February 23, 2017 HOW PROMISE WORKS

PROMISE INDIANA Technical Aspects How Promise Works February 23, 2017 HOW PROMISE WORKS

PROMISE INDIANA Technical Aspects How Promise Works February 23, 2017 HOW PROMISE WORKS Community Coalition Building Community Application Process Support for Promise Communities Technical Aspects and Innovation

304 views • 12 slides
INFRONT ASA Q4 2017 Results 16 February 2018 Disclaimer This Presentation might include certain

INFRONT ASA Q4 2017 Results 16 February 2018 Disclaimer This Presentation might include certain

INFRONT ASA Q4 2017 Results 16 February 2018 Disclaimer This Presentation might include certain forward-looking statements relating to the business, financial performance and results of the Company and/or the industry in which it operates.

409 views • 18 slides
I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has

Wheres your phone? Pocket, lap, hand? It is prolly within an easy reach, unless you are one of those people. Always losing it. I bet someone has checked FB in the last 5 minutes Everyone gets social media, everywhere It has changed the way

647 views • 50 slides
Reviving the Medicare Shared Savings/ACO Initiative Key Points of the Final Rule Nick Manetto

Reviving the Medicare Shared Savings/ACO Initiative Key Points of the Final Rule Nick Manetto

Reviving the Medicare Shared Savings/ACO Initiative Key Points of the Final Rule Nick Manetto Vice President, B&D Consulting October 25, 2011 What is an ACO? Rooted in a 2007 paper by Elliott Fisher and colleagues at Dartmouth.

301 views • 15 slides
Puck XT Puck comparison Puck XT Previous Puck 16mm 15mm deep 18mm 15mm deep

Puck XT Puck comparison Puck XT Previous Puck 16mm 15mm deep 18mm 15mm deep

Puck XT Puck comparison Puck XT Previous Puck 16mm 15mm deep 18mm 15mm deep IP66 IP66 IK10 IK10 18mm For curved & flat rails For curved & flat rails 5 Distributions achieved with reflector

274 views • 16 slides

More recommend