BlogLine

States are Busy on the Cyber Front

2/19/20

By: Amy C. Bender

2020 is off to a busy start, with several states taking action on cybersecurity legislation and issuing other legal updates. Highlights include:
California – California’s Attorney General has issued revised proposed regulations regarding the California Consumer Privacy Act (“CCPA”), which creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The updates, which are aimed at providing more relief for consumers and clarity to covered businesses, include changes to definitions, notice and other requirements for covered businesses, and consumer rights and requests. The revised proposed regulations are available here and are currently under a public comment period.
Maryland – In the first decision of its kind under Maryland law, a federal court has ruled that a loss of software and data due to a ransomware attack was covered under a business owner’s property insurance policy. Specifically, the court found that the loss qualified as a “direct physical loss of or damage” to covered property (the affected computer server and networked computers) based on the loss of the data and software in the computer system and the loss of functionality to the computer system itself. The court reasoned that the policy did not limit covered losses to tangible property only or to total property losses. The decision is available here.
Massachusetts – The state’s legislature has stalled a proposed consumer data privacy law (available here) that would have imposed notice and disclosure requirements on businesses that collect consumers’ personal information, provided consumers the right to delete and opt out of third-party disclosure of collected personal information, and allowed consumers to sue for violations of the act without having to show any resulting damage. The bill has been sent to a “study order,” where a committee will study it and report its findings.
New York – The Stop Hacks and Improve Electronic Data Security Act (“SHIELD ACT”), available here, amends the state’s existing data breach notification law to require any person or business that owns or licenses computerized data that includes private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including disposal of data. The data security provisions go into effect on March 21, 2020.
Virginia – Similar to Massachusetts, Virginia’s legislature has delayed and referred to study several privacy-related bills, including bills relating to consumer rights regarding access and sale of their personal data, destruction and disposal of records containing personally identifiable information, and collection and safekeeping of biometric data by employers.
Washington – The legislature has introduced a revised version of a proposed law, the Washington Privacy Act (available here), which would apply to certain private business that control or process consumer personal data and that are located within or targeted to residents of the state. The law would provide consumers rights regarding their personal data, impose responsibilities on covered controllers and processors, and regulate facial recognition services. The bill is now scheduled for a public hearing.
Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Amy Bender at abender@fmglaw.com.