On May 29, 2018, Governor Hickenlooper signed HB—1128 into law. Importantly, the Bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice. The new law, which takes effect September 1, 2018, applies to “covered entities,” (if your business maintains, owns, or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”), also sets forth certain data security requirements, and adds requirements regarding the disposal of personal identifying information.
Citing a sixty percent increase in data breach notifications from 2015 to 2016, New York Attorney General Eric Schneiderman recently introduced the Stop Hacks and Improve Data Electronic Security Act (SHIELD) bill. The legislation would require companies that handle sensitive date of New York residents to adopt “reasonable administrative, technical and physical protections for data.”
Yahoo recent announcement that CEO Marissa Mayer would forego a 2017 stock award (after giving up a 2016 cash bonus) following security breaches in 2014, 2015 and 2016 underscores the importance of having a security team in place to prevent or at least mitigate, security breaches.
New York’s Department of Financial Services Cybersecurity regulation became effective March 1. According to the press release issued with the regulation, the regulation is intended to require banks, insurance companies and "covered entities" to "establish and maintain a cybersecurity program designed to protect consumers' private data and ensure the safety and soundness of New York State's financial services industry.” This regulation is the first of its kind in the U.S, and will likely serve as a model to other states looking to address cybersecurity.
This is the first post in a three-part series.
If you work for a U.S.-based company with Canadian operations, your organization probably understands its obligations to comply with Canadian employment and tax laws. But is your company up to date on the protection of privacy and protection of personal information under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)? Moreover, many provinces have their own ...