Privacy & Data Protection

New changes to the Massachusetts data breach notification statute emphasize timely and public disclosure of data security incidents, including requiring companies to disclose compliance with Massachusetts’ data security law. Among other more technical changes, H. 4806, effective April 11, increases the information that breached companies must provide to Massachusetts state agencies and provides for ways that information will be made public. Under the changes, when a breach is reported to the attorney general and the director of the Office of Consumer Affairs and Business Regulation (OCABR):

  • Companies are required to disclose whether or not they have the written information security plan required by MA law;
  • The OCABR is required to make consumer notices provided to it public within one day, and update the breach notification report on its website within 10 days; and
  • The OCABR is required to inform consumers of their ability to file a public records request to obtain a copy of the notice provided to the AG and OCABR.

Continue Reading Updates to Massachusetts Data Security Requirements

On December 29, 2018, Google won summary judgment in Rivera v. Google, a privacy class action alleging violations of the Illinois Biometric Information Privacy Act (BIPA). The case involved “face grouping,” a feature that enables Google Photos to automatically sort and group the photographs in a user’s private account based on visual similarities between the images of faces in the photos. The court held that any alleged collection of “biometric information” or “biometric identifiers” stemming from this feature did not cause an injury-in-fact sufficient to confer Article III standing.  The Rivera v. Google decision demonstrates that, even in the context of claims arising out of privacy statutes, like Illinois’ BIPA, a defendant can prevail on a challenge to subject matter jurisdiction if it can demonstrate that the alleged violation did not result in any concrete injury to the plaintiffs. Some states impose similar requirements to bringing suit in state court. As states continue to enact privacy legislation, corporations that collect private information can mitigate risk by considering and enhancing their available Article III defenses, including by documenting how they protect potential plaintiffs’ information from disclosure.

Click here for a summary of the decision.

In the first half of 2018, on the heels of the Equifax breach last fall, a number of state legislatures addressed privacy and data security issues, and in particular, data breach notification. Most notably, Alabama and South Dakota passed their first breach notification laws, making it so there now breach notification laws in all 50 states. In addition, Arizona, Louisiana, Colorado and Oregon updated their existing laws.

Both the new laws and the revisions reflect national trends over the last several years to clarify (and shorten) notification periods, broaden the scope of information that prompts notification requirements, and increase engagement with regulators. The changes add complexity, but because they are in line with changes made by other states, they should not require substantial changes to existing procedures for responding to larger incidents. Continue Reading What You Need to Know Regarding The New Data Breach Notification Laws