Cybersecurity and Data Privacy

Rutters, a prominent grocery chain in Pennsylvania with 80 locations statewide, settled a data breach investigation with Attorney General (AG) Michelle Henry’s office by agreeing to pay $1 million and to implement certain injunctive relief. Henry announced the settlement on Wednesday, October 11, following a months-long data breach lasting from 2018 to 2019 that potentially exposed the payment card data of 1.3 million Pennsylvania consumers.

Continue Reading Cleanup on Aisle 1: Pennsylvania Grocer Rutters Latest to Settle Single-State Data Breach Investigation With Pennsylvania AG

This article was originally published on October 16, 2023 in Reuters and Westlaw Today. It is republished here with permission.

Government regulators are seemingly as numerous as the stars nowadays, especially in the universe of data incidents. When organizations experience a data incident, they will need to quickly assess what happened, why it happened, and who (e.g., clients, consumers, vendors, employees) was affected. They will also need to chart a course by which they resolve the incident while limiting their legal exposure.

Continue Reading Your Organization Has Suffered a Data Incident: Now Here Are the Regulators It Will Likely Encounter

This summer, the U.S. District Court for the Southern District of Illinois further bolstered Illinois’ Biometric Information Privacy Act’s (BIPA) nearly unfettered private right of action in Lewis v. Maverick Transportation. In a simple but firm four-page ruling, Judge Rosenstengel denied the defendant’s motion to dismiss, holding that a cause of action under BIPA does not require a plaintiff to plead that data collected is used for identification purposes. The ruling serves to highlight the apparent lack of any real technical defenses to the statute — making it imperative that companies focus on strict compliance before they find themselves in court.Continue Reading Illinois Court Eliminates Another BIPA Defense

On July 25, Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations), petitioned the Eighth Circuit to review the U.S. Environmental Protection Agency’s (EPA) new rule requiring states to review and report cybersecurity threats to their public water systems (PWS).Continue Reading EPA Cybersecurity Rule Challenged by States and Water Systems Associations

This article was originally published on August 24, 2023 in Reuters and is republished here with permission.

In the burgeoning realm of data incidents, it is a truism that such incidents are not created equal. Indeed, a data incident is not necessarily a data breach.

An incident is any “occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system,” or an event that constitutes a violation of an organization’s computer security or acceptable use policies. National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, FIPS 200, at 7 (Mar. 9, 2006) ( A breach is an incident that imposes statutory and regulatory obligations on an affected organization when it holds or controls certain consumer information.Continue Reading Data Protection: One of These Incidents Is Not Like the Other

The Massachusetts Gaming Commission is in the process of shaping new regulatory standards for sports wagering in Massachusetts, following the state’s adoption last summer of the Massachusetts Sports Wagering Act, Mass. Gen. Laws ch. 23N, which legalized sports betting in the Commonwealth.Continue Reading Massachusetts Gaming Commission Targets Youth Advertising and Data Privacy in Proposed New Sports Wagering Rules

On May 17, District of Colombia Attorney General Brian Schwalb announced the settlement of an investigation into Easy Healthcare Corporation, requiring the company to change its privacy practices involving the ovulation tracking app “Premom” to protect the sensitive reproductive data of consumers. Easy Health agreed to several remedial measures intended to prevent the disclosure of sensitive information to third parties and to pay a $100,000 penalty to the states involved with the investigation.Continue Reading AGs Require Company With Ovulation Tracking App to Protect User Data

In addition to a night of revelry, the 2023 new year will trigger the many new privacy mandates in the Virginia Consumer Data Protection Act (VCDPA) for businesses operating in Virginia — only the second state with active consumer privacy legislation behind California, with other states’ privacy laws, such as Colorado, Connecticut and Utah, taking effect later this year. Virginia Attorney General Miyares is no doubt eager to flex his new authority under the VCDPA, meaning companies that process, collect, or sell Virginians’ personal information should carefully read the VCDPA to ensure their compliance with the new law.Continue Reading Virginians Ring In New Year With New Privacy Act

Ketan Bhirud, a member of Troutman Pepper’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) practice groups, is quoted in the Bloomberg Law article, “TikTok Faces ‘Pile-On’ Pressure From States After Indiana Sues.”

“If you have something touching upon exposure to children, that’s something that’s going to get a lot of

Virginia’s new Consumer Data Protection Act will take effect on January 1, 2023, adding new consumer privacy rights, a broader interpretation of “personal information,” a separate “sensitive data” category, and data protection assessment obligations into the mix with the commonwealth’s three major pre-existing privacy and data protection laws as Virginia joins the growing ranks of