Page 32 - Sheppard Mullin Eye on Privacy 2018 Year in Review
P. 32

Colorado Joins States in Passing Data Protection Requirements
Posted on June 26, 2018
Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported about yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information. Personal information is defined as social security numbers, personal identification number, a password or pass code, state ID numbers, and biometric data. The law also will require companies to ensure that third parties with whom they share personal information have reasonable security protections.
PUTTING IT INTO PRACTICE: Companies should keep in mind the growing number of state law requirements to protect information when developing and maintaining their information security programs. Here, the Colorado requirements around vendors are particularly useful to keep in mind.
Louisiana Adds Data Security Requirements to Breach Notice Law
Posted on June 25, 2018
Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches that which -if breached- would give rise to a duty to notify. This includes name combined with social security numbers, drivers’ license (and state ID/passport numbers) or financial account numbers. The law applies to companies that “maintain computerized information” and require that entities (1) have reasonable security procedures and practices “appropriate to the nature of the information” that protects against unauthorized access, destruction, use, modification and disclosure and (2) destroy personal information or make it unreadable when it is no longer needed by “shredding, erasing” or making the information otherwise unreadable. Louisiana joins a growing list of states that have such data protection requirements, including California, Connecticut, Delaware, Florida, Massachusetts, Nevada, and New Jersey to name but a few. The requirement goes into effect August 1, 2018.
PUTTING IT INTO PRACTICE: Companies that suffer a data breach should keep in mind these data breach protection requirements. Often an inquiry will be made after an incident to determine if the company took sufficient steps to protect information in compliance with these data protection laws. In other words, if the company had taken more steps to protect the information, would the breach have occurred?
DHS Releases New Cybersecurity Strategy
Posted on May 21, 2018
On May 15, the Department of Homeland Security released its long-awaited Cybersecurity Strategy.
The Strategy aims to reduce cybersecurity risk through “an innovative approach that fully leverages our collective capabilities across the Department and the entire cybersecurity community.” It sets a course of cybersecurity policy for the Department for the next five years and signals a more assertive approach to cyber vis a vis other agencies by setting forth clearer consequence for agencies that don’t adopt best practices. It also fleshes out an initiative for DHS to engage the private sector more actively and share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, information technology, health care, transportation systems and chemical plants.
                    31 Eye on Privacy 2018 Year in Review

   30   31   32   33   34