On June 10, 2021, the National People’s Congress of the People’s Republic of China (PRC) approved the passage of the Data Security Law (DSL), which will take effect on Sept. 1, 2021. Overview Unlike the PRC’s Cybersecurity Law of 2016 (CSL) and the Personal Information Protection Law – undergoing public comment for its second draft, released on April 29, 2021 – both of which permitted organizations doing business in the PRC to implement their own…

On June 2, 2021, Nevada Gov. Stephen F. Sisolak signed SB 260 approving amendments to the Nevada Privacy of Information Collected on the Internet from Consumers Act. Some key changes to the amended law include expanding the definition of “sale,” extending the current obligations of operators to “data brokers,” limiting the cure period and adding new exemptions. The amended law will go into effect on Oct. 1, 2021. Definition of ‘Sale’ The amended law broadens…

A recent Federal Trade Commission (FTC) action demonstrates how the FTC has pivoted toward enforcement actions based on specific acts of Congress and rules in light of the Supreme Court’s ruling in AMG Capital. Congress passed the COVID-19 Consumer Protection Act in December 2020, which made deceptive acts or practices involving the treatment, cure, prevention, mitigation, or diagnosis of COVID-19 unlawful. Since the pandemic began, the FTC has sent hundreds of warning letters to companies…

Given what the healthcare industry faced in 2020, the seventh edition of our Data Security Incident Response (DSIR) Report, “Disruption and Transformation,” is aptly titled. As if fighting the COVID-19 pandemic weren’t enough for the industry to tackle, it also faced a surge of ransomware attacks, evolving legal/regulatory considerations, and novel and complex issues presented by pandemic- and technology-driven changes. The growing wave of ransomware incidents that we saw toward the end of 2019…

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report highlights some regulatory enforcement trends we saw from the European Union (EU) data protection authorities (DPAs) during the past year. EU DPA enforcement actions increased significantly in 2020, as DPAs followed up on personal data breach notices and individual complaints and also launched investigations into other issues of interest. In particular, companies should be aware that a personal data breach notification in the EU…

For those attorneys and information governance practitioners unfamiliar with recent pedagogic advancements, “real-world problem solving” moves teaching approaches away from the classical model that assumes individuals will operate logically and in self-interested ways to a more realistic view. The more realistic view then acknowledges the powers of wishful thinking, uneven knowledge across populations, and the politics and dynamics inherent in groups (including, for our purposes, companies and other organizations). This is a challenge for individuals…

On May 31, 2021, the Texas Legislature approved House Bill 3746, which amends the Texas Business and Commerce Code § 521.053 relating to certain notifications required following a data breach involving Texas residents. The bill includes the existing requirement that any business or entity notify the attorney general of a data breach within 60 days of its occurrence if the breach involves at least 250 Texas residents. The notice must include the nature and…