Privacy & Information Security Law Blog

Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

On November 1, 2018, Senator Ron Wyden (D-Ore.) released a draft bill, the Consumer Data Protection Act, that seeks to “empower consumers to control their personal information.” The draft bill imposes heavy penalties on organizations and their executives, and would require senior executives of companies with more than one billion dollars per year of revenue or data on more than 50 million consumers to file annual data reports with the Federal Trade Commission. The draft bill would subject senior company executives to imprisonment for up to 20 years or fines up to $5 million, or both, for certifying false statements on an annual data report. Additionally, like the EU General Data Protection Regulation, the draft bill proposes a maximum fine of 4% of total annual gross revenue for companies that are found to be in violation of Section 5 of the FTC Act.

Effective October 1, 2018, Connecticut law requires organizations that experience a security breach affecting Connecticut residents’ Social Security numbers (“SSNs”) to provide 24 months of credit monitoring to affected individuals. Previously, Connecticut law required entities to provide 12 months of credit monitoring for breaches affecting SSNs.

In 2002, Congress enacted the Supporting Anti-Terrorism by Fostering Effective Technologies Act (“the SAFETY Act”) to limit the liabilities that energy, financial, manufacturing and other critical infrastructure companies face in the event of a serious cyber or physical security attack.

On October 29, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released final guidance (“Final Guidance”) regarding how businesses may satisfy the reporting and record-keeping obligations under Canada’s new data breach reporting law. The law, effective November 1, 2018, requires organizations subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to (1) report to the OPC breaches of security safeguards involving personal information “that pose a real risk of significant harm” to individuals; (2) notify affected individuals of the breach; and (3) keep records of every breach of security safeguards, regardless of whether or not there is a real risk of significant harm.

Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application. View the review (in French). 

At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector. They will require electric utilities and transmission grid operators to develop and implement plans that include security controls for supply chain management for industrial control systems, hardware, software and services. 

On October 23, 2018, the 40th International Conference of Data Protection and Privacy Commissioners (the “Conference”) released a Declaration on Ethics and Protection in Artificial Intelligence (“the Declaration”). In it, the Conference endorsed several guiding principles as “core values” to protect human rights as the development of artificial intelligence (“AI”) continues apace. Key principles include:

On October 19, 2018, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová and U.S. Secretary of Commerce Wilbur Ross issued a joint statement regarding the second annual review of the EU-U.S. Privacy Shield framework, taking place in Brussels beginning October 18. The statement highlights the following:

Earlier this month, the Department of Energy (“DOE”) and the Department of Homeland Security (“DHS”) co-chaired a meeting with industry leaders from the Oil and Natural Gas Subsector Coordinating Council (“ONG SCC”) in Washington, D.C. to address cybersecurity threats to pipelines. Together, DOE and DHS launched the Pipeline Cybersecurity Initiative, which will harness DHS’s cybersecurity resources, DOE’s energy sector expertise, and the Transportation Security Administration’s (“TSA”) assessment of pipeline security to provide intelligence ...