Cybersecurity and Data Privacy

Illinois Court Eliminates Another BIPA Defense

This summer, the U.S. District Court for the Southern District of Illinois further bolstered Illinois’ Biometric Information Privacy Act’s (BIPA) nearly unfettered private right of action in Lewis v. Maverick Transportation. In a simple but firm four-page ruling, Judge Rosenstengel denied the defendant’s motion to dismiss, holding that a cause of action under BIPA does not require a plaintiff to plead that data collected is used for identification purposes. The ruling serves to highlight the apparent lack of any real technical defenses to the statute — making it imperative that companies focus on strict compliance before they find themselves in court.

EPA Cybersecurity Rule Challenged by States and Water Systems Associations

On July 25, Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations), petitioned the Eighth Circuit to review the U.S. Environmental Protection Agency’s (EPA) new rule requiring states to review and report cybersecurity threats to their public water systems (PWS).

Data Protection: One of These Incidents Is Not Like the Other

This article was originally published on August 24, 2023 in Reuters and is republished here with permission.

In the burgeoning realm of data incidents, it is a truism that such incidents are not created equal. Indeed, a data incident is not necessarily a data breach.

An incident is any “occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system,” or an event that constitutes a violation of an organization’s computer security or acceptable use policies. National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, FIPS 200, at 7 (Mar. 9, 2006) (nist.gov). A breach is an incident that imposes statutory and regulatory obligations on an affected organization when it holds or controls certain consumer information.

Massachusetts Gaming Commission Targets Youth Advertising and Data Privacy in Proposed New Sports Wagering Rules

The Massachusetts Gaming Commission is in the process of shaping new regulatory standards for sports wagering in Massachusetts, following the state’s adoption last summer of the Massachusetts Sports Wagering Act, Mass. Gen. Laws ch. 23N, which legalized sports betting in the Commonwealth.

AGs Require Company With Ovulation Tracking App to Protect User Data

On May 17, District of Columbia Attorney General Brian Schwalb announced the settlement of an investigation into Easy Healthcare Corporation, requiring the company to change its privacy practices involving the ovulation tracking app “Premom” to protect the sensitive reproductive data of consumers. Easy Health agreed to several remedial measures intended to prevent the disclosure of sensitive information to third parties and to pay a $100,000 penalty to the states involved with the investigation.

Virginians Ring In New Year With New Privacy Act

In addition to a night of revelry, the 2023 new year will trigger the many new privacy mandates in the Virginia Consumer Data Protection Act (VCDPA) for businesses operating in Virginia — only the second state with active consumer privacy legislation behind California, with other states’ privacy laws, such as Colorado, Connecticut and Utah, taking effect later this year. Virginia Attorney General Miyares is no doubt eager to flex his new authority under the VCDPA, meaning companies that process, collect, or sell Virginians’ personal information should carefully read the VCDPA to ensure their compliance with the new law.

Ketan Bhirud, a member of Troutman Pepper’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) practice groups, is quoted in the Bloomberg Law article, “TikTok Faces ‘Pile-On’ Pressure From States After Indiana Sues.”

“If you have something touching upon exposure to children, that’s something that’s going to get a lot of

Virginia’s new Consumer Data Protection Act will take effect on January 1, 2023, adding new consumer privacy rights, a broader interpretation of “personal information,” a separate “sensitive data” category, and data protection assessment obligations into the mix with the commonwealth’s three major pre-existing privacy and data protection laws as Virginia joins the growing ranks of

Critical Infrastructure Must Soon Report Cyber Incidents to CISA Immediately

In March, President Biden signed the “Cyber Incident Reporting for Critical Infrastructure Act” (CIRCIA) into law. CIRCIA applies to the Critical Infrastructure Sector, which includes entities that are “vital to the United States” and whose incapacitation or destruction would have an adverse effect on national

Introduction

On April 29, Aerojet Rocketdyne Holdings Inc. (Aerojet) settled claims by whistleblower Brian Markus for a reported $9 million after the second day of a jury trial.[1] This is the second recent settlement under the False Claims Act (FCA) relating to alleged misrepresentations about a company’s cybersecurity practices and systems in connection with