Safe & Sound

A Privacy and Security Blog from Quarles & Brady

On September 28, 2018 California Governor Jerry Brown signed into law the first law in the United States governing the security of connected devices, set to take effect on January 1, 2020. The law places a burden on manufacturers of so-called “connected devices” to determine if changes to their security measures are required. The law applies to a broad range of “connected devices” and necessitates “reasonable” security. Quarles & Brady is working with manufacturers to…
Just when you thought you’d heard enough of newly enacted data privacy and security laws (“GDPR” ring a bell?), there’s more news on that front. The California legislature recently passed The California Consumer Privacy Act of 2018 (CCPA). According to a report by the International Association of Privacy Professionals, CCPA will affect over 500,000 U.S. businesses. And that’s a conservative estimate. Undoubtedly, CCPA’s enactment was influenced by the EU’s General Data Protection Regulation (GDPR) and…
What sort of damages must be pleaded to survive a motion to dismiss in a data breach class action? Recently, the Court of Appeals for the Seventh Circuit in Dieffenbach v. Barnes & Noble answered that question. In short, the court held that at the pleadings stage, damages may be just a “trifle.” The case arose when Barnes & Noble experienced a data breach that resulted from the compromise of its point of sale system…
Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union’s (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the “personal data” of EU residents by mandating standards for processing, using, and storing that data. Many organizations do not realize the full magnitude of what the GDPR requires, and non-compliance can cost organizations dearly. However, we are…
On April 30, 2018 a Massachusetts physician was convicted by a federal jury for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and obstructing a criminal health care investigation after impermissibly disclosing protected health information and lying to federal agents during a criminal health care investigation.…
We have already provided you with the update on Health Information Technology, Privacy and Security 2018 First Quarter Update but we did not want the non-health care entities to feel left out! As such, we have assembled a few other noteworthy events in the data privacy and security world from the first quarter of 2018.…
Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018.…
On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws. Under Senate Bill 318, any person or…
On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state has followed suit. Up until this point, the lone stragglers were South Dakota and Alabama (more on Alabama below).…
The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities. The Proposed Rules address five key areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber…