Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

2020 Brings New Data Breach Laws

January 23, 2020

Why oh why don't we have a federal data breach law? Never mind, a rhetorical question.

But because we don't have a federal data breach law, complying with changing state-level privacy laws will be a business priority in 2020.

Here are seven data breach updates for 2020 that you should know, from a JD Supra post:

JANUARY

California

The California Consumer Privacy Act ("CCPA") went into effect on January 1, 2020, and applies to companies that do business in California and collect personal information from California residents. Considered to be one of the broadest state-level privacy laws in U.S. history, the CCPA creates four primary consumer rights: (1) the right to know what information a company has on you; (2) the right to request that companies delete information about you; (3) the right to opt out of the sale of your information; and (4) the right to receive equal service and pricing from a business if you exercise your CCPA rights. However, the Attorney General is prohibited from initiating an enforcement action until July 1, 2020.

Illinois SB 1624

Effective January 1, 2020, businesses must notify the Attorney General of breaches involving more than 500 people. The notice must include a description of the nature of the breach of security or unauthorized acquisition, the date of the breach, the number of Illinois residents affected by the incident at the time of notification, and any steps the entity took or plans to take relating to the data security incident. Of note, the Attorney General may publish data collectors' names, types of personal information disclosed, and the date range of the breach.

Oregon SB 684

As of January 1, 2020, the Oregon Consumer Information Protection Act expands the scope of data breach notification rules for vendors. Vendors will have to notify any contracted entity within ten (10) days of discovering a breach and notify the Attorney General if the breach involves more than 250 individuals or if the affected number of people is unknown. The law also expands the definition of personal information to include user names, or information necessary to authenticate a user, for the purpose of providing access to the consumer's account.

Texas HB 4390

Effective January 1, 2020, the amended data breach notification statute requires that notice of a breach be provided to all affected parties within sixty (60) days of determining when a breach has occurred. For incidents involving 250 Texas residents or more, notice must also be provided to the Texas Attorney General. Additionally, the bill establishes a new Texas Privacy Protection Advisory Council which will study data privacy laws in different jurisdictions.

MARCH

Washington HB 1071

Beginning March 1, 2020, Washington's definition of personal information is expanded, and the window of time within which a notification of a breach must be made is reduced from 45 days to 30 days.

New York

As of March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD") data security requirements take effect. The Act requires specific protections of New York residents' private information. Any person or business that owns or licenses this private information must implement a data security program which includes reasonable administrative, technical, and physical safeguards, and enumerates certain standards companies are required to implement. Previously the Act just applied to companies doing business in New York.

JULY

Maine LD 946

Effective July 1, 2020, "An Act to Protect the Privacy of Online Customer Information" will become enforceable in Maine. This Act prohibits broadband internet access providers from using, disclosing, selling or permitting access to customers' personal information unless the customer expressly consents. It also prohibits companies from charging customers more if they do not allow access to their personal information. Under the Act, the definition of personal information includes identifiers such as web browsing history and geolocation data.

The patchwork quilt of privacy laws is driving everyone crazy – and making lawyers a lot of money. It is difficult for businesses to navigate and maintain compliance in the various jurisdictions, especially as various jurisdictions adopt new or revised data privacy laws or promulgate regulations regarding the specific laws.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson