Utah Gov. Spencer Cox on March 23 signed into law Senate Bill 127, which amends the state’s data breach notification statutes. The amendments go into effect May 2, 2023.
Posts published in “Data Privacy and Security”
The U.S. Court of Appeals for the Fifth Circuit recently held that a merchant had a contractual obligation to indemnify its payment processor after a data breach at the merchant compromised customer credit card data.
The Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act each time a private entity scans or transmits an individual’s biometric identifier or other protected information in violation of section 15(b) or (d) of BIPA.
The Ohio Supreme Court recently reversed the decision of an appellate court and reinstated the trial court’s grant of summary judgment in favor of an insurer and against an insured company on the company’s claim for breach of contract and bad faith denial of insurance coverage relating to damages arising from a ransomware attack.
Just a few years ago, the annual review would primarily encompass federal activity. But a shift began in 2018, and by the close of this year, it’s clear there is far more state activity impacting consumer debt collection.
The upward trend in data privacy legislation continued in 2022. According to the National Conference of State Legislatures, “[a]t least 35 states and the District of Columbia in 2022 introduced or considered almost 200 consumer privacy bills,” which is a significant increase from 160 bills in 2021.
In a pair of recent enforcement actions, the Federal Trade Commission cracked down on companies with allegedly lax data security measures that resulted in the theft of personal information of millions of consumers.
The Superintendent for the New York Department of Financial Services recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500.
On Oct. 25, 2022, the Director of the Consumer Financial Protection Bureau (CFPB), Rohit Chopra, announced at a fintech conference that the CFPB “will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans . . .”
The U.S. Court of Appeals for the Third Circuit recently held in Clemens v. ExecuPharm Inc. that the risk of future harm from a data breach can be enough for Article III standing, taking into consideration whether the breach was intentional, whether the data was misused, and the nature of the data accessed.
On Sept. 27, Michigan Sen. Rosemary Bayer and eight fellow Democrat cosponsors introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of the year.
Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.