Tag Archives: Data Breach Notification

The Ordinance: Chicago’s Proposal to Protect Personal Data

With the passage of the General Data Protection Regulation (GDPR), many government entities in the US have moved to strengthen data protection laws covering personal information. The city of Chicago is the latest municipality to take on the threat of data breaches directly.

Chicago’s Personal Data Collection and Protection Ordinance (“the Ordinance”) was recently introduced to its city council and is designed to equip consumers with control over their information, informed consent to its disclosure, awareness of its use, and redress for its misuse.

Data Collection & Disclosure

The purpose of the Ordinance is to regulate operators that collect sensitive customer personal information through the Internet about individual consumers in the City of Chicago.

Some of the major provisions of the Ordinance would require operators to:

  1. Obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information;
  2. Notify affected Chicago residents and the City of Chicago in the event of a data breach;
  3. Register with the City of Chicago if they qualify as “data brokers;”
  4. Provide specific notification to mobile device users for location services; and
  5. Obtain prior express consent to use geolocation data from mobile applications.


Canada’s Mandatory Breach Notification Takes Effect November 1

The Canadian government recently published a cabinet order laying out federal data breach reporting regulations through the Personal Information Protection and Electronic Documents Act (PIPEDA) and amendments. Similar to other breach notification requirements, these new regulations mandate that organizations that experience a “breach of security safeguards” notify all affected individuals, as well as the Privacy Commissioner and any other related organizations and governmental institutions. The order also includes fines of up to $100,000 (CAD) for noncompliance. These regulations will go into effect starting on November 1, 2018.


California Amends Data Breach Notification Law

Governor Jerry Brown recently signed three bills into law, amending California’s breach notification statute. The new laws expand the definition of personal information, clarify what counts as encryption for purposes of the statute’s safe harbor, and add formatting requirements for notification letters.

Personal Information Definition

S.B. 34 expands the definition of personal information to include information or data collected through the use or operation of an automated license plate recognition system.

License plate recognition systems use optical character recognition on images to read license plate numbers and store that data. Many police departments have adopted this technology, creating concerns regarding the use and safety of that data.

The amendment requires entities using the technology to maintain reasonable safeguards to protect the license plate recognition data from unauthorized use or disclosure. The law also has a provision allowing private right of action for anyone harmed by violations of the statute.

Encryption Definition

A.B. 964 adds some clarity to the meaning of encryption. Most state laws, including California’s, provide a safe harbor for encrypted information that is accessed by an unauthorized person. The grey area has been what qualifies as acceptable encryption.

The amendment defines “encrypted” as information that is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Notification Letter Changes

S.B. 570 updates the requirements for breach notification letters that are sent to individuals affected by a security breach.

Additional requirements include:

  • The notification must be titled “Notice of Data Breach.”
  • The information must be presented under the following headings – “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
  • The title and headings must be clearly and conspicuously displayed.
  • The text must be no smaller than 10-point type.

The new law also provides a model security breach notification form that complies with the requirements listed above.

The amendments are effective January 1, 2016.

Five Important Changes to Canada’s PIPEDA

The Canadian government passed the Digital Privacy Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) which governs the collection, use, and disclosure of personal information by private organizations in Canada. There are several important changes for Canadian organizations to take note of.

It’s also worth noting that these amendments expand the situations in which organizations are allowed to share personal information without consent. However, organizations should be aware that PIPEDA requires use or disclosure of personal information to be reasonable, and appropriate safeguards must be in place when personal information is transferred from one entity to another.

1. Data breach notification requirements

PIPEDA now includes data breach notification requirements that will come into effect at a later date to be announced. Organizations affected by a data breach will be required to disclose the incident to the Office of the Privacy Commissioner of Canada (OPC) and to affected individuals when a reasonable expectation of harm exists as a result of the breach. Violations may result in fines of up to C$100,000. Additionally, the OPC will be able to publicize data breaches as it sees fit.

2. Sharing personal information during business transactions

Organizations are now allowed to use and disclose personal information without consent when it is necessary to determine whether to proceed with a business transaction. This does not apply when the purpose of the transaction is to buy, sell, or lease personal information. If the transaction is not completed, all personal information must be returned or destroyed within a reasonable amount of time.

3. Notice required for using employee information

Federal works, undertakings, or businesses (FWUBs) are now allowed to collect, use, and disclose the personal information of an individual without his or her consent where it is necessary to establish, maintain, or terminate an employment relationship with that individual. However, the FWUB is required to inform the individual of the purpose of the collection, use, and disclosure.

4. Sharing personal information during investigations

Organizations are now allowed to disclose personal information to another organization without consent when it is reasonable for the purposes of investigations relating to a breach of agreement or Canadian law and when it is reasonable to expect that obtaining consent from the individual would compromise the investigation.

5. OPC enforcement actions include compliance agreements

The OPC now has the authority to enter into compliance agreements with organizations where it believes an organization is likely to violate PIPEDA. Compliance agreements are voluntary for organizations and can be entered into to demonstrate a commitment to privacy protection.

New Hampshire Enacts Breach Notification for Department of Education

New Hampshire enacted HB 322, requiring the Department of Education (DOE) to implement additional procedures to protect student and teacher data from security breaches, including a breach notification requirement.

According to the law, the DOE shall develop a detailed data security plan including compliance standards, security audits, breach procedures, and policies for data retention and disposal.

Additionally, the DOE must notify, as soon as practicable, any student or teacher whose personally identifiable information is believed to have been involved in a security breach. Other entities to be notified include the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee, and commissioner of the department of information technology.

This new law follows HB 520 passed last year as an effort by New Hampshire’s legislature to increase protections of student data. HB 520 follows in the footsteps of California’s Student Online Personal Information Protection Act and prohibits companies from using student information to target advertisements to students.

The bill is effective August 11, 2015.

Connecticut Amends State Breach Notification Statute

Connecticut Governor Malloy signed SB 949 amending the state’s breach notification law to include requirements to provide identity theft services and a deadline for organizations to notify.

Organizations that suffer a breach involving Social Security numbers of Connecticut residents are required to provide “appropriate identity theft prevention services” at no cost for at least twelve months.

The notification requirements were also amended to include a deadline for breach notices. Organizations shall provide notice not later than ninety days after the discovery of a breach. This replaces the existing, ambiguous language of “without unreasonable delay” with a hard deadline for organizations.

Connecticut Attorney General Jepsen issued a press release discussing the impact of the amendments to the law and his office’s involvement.

The amendments are effective October 1, 2015.

Oregon Amends State Breach Notification Statute

Oregon Governor Kate Brown signed into law SB 601, updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment broadens the definition of personal information (PI) and includes additional requirements to notify the state Attorney General.

PI has been expanded to include the following elements in combination with first and last name:

  • Biometric information (fingerprint, retina, or iris);
  • Health insurance information; and
  • Medical information.

Additionally, the act now requires written or electronic notice to the Attorney General if the number of consumers affected by the breach exceeds 250 individuals.

The bill will take effect on January 1, 2016, and apply to data breaches occurring on or after that date.

Montana Amends State Data Breach Notification Statute

Montana’s governor signed into law HB 74, amending the state’s data breach notification statute to broaden the definition of personal information (PI) and include additional requirements.

PI has been expanded to include the following elements in combination with first and last name:

  • Medical record information;
  • Taxpayer identification number; or
  • An identity protection personal identification number issued by the U.S. Internal Revenue Service.

Additional requirements include submitting to the state Attorney General’s Consumer Protection Office an electronic copy of the notification, along with a statement giving the date and method of distribution of the notification and the number of residents impacted by the breach.

The bill was enacted on February 27, 2015 and will take effect on October 1, 2015.