Publications
-
02.07.2024
FTC Brings First Standalone Section 5 Unfairness Claims for Unreasonable Data Retention and Inaccurate Breach Notice
Updates
On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment.
-
11.02.2023
FTC Announces Data Breach Reporting Obligation Under GLBA Safeguards Rule
Updates
Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers.
-
10.09.2023
2023 Breach Notification Law Update: Changes to Notification and Security Requirements Continue at State and Federal Levels
Updates
A flurry of legislative activity over the past year has brought meaningful changes to a variety of privacy and security provisions in state and federal law. At the state level, as in 2022, we have seen a handful of changes to generally applicable breach notification statutes, along with action on both narrower security provisions and broader omnibus privacy laws.
-
September 2023
Security Breach Notification Chart
Lawyer Publications
Perkins Coie's Privacy & Security practice maintains this comprehensive chart of state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.
-
09.26.2023
A Potential Look Into the Future: California Issues First Draft of Cybersecurity Audit and Risk Assessment Regulations
Updates
The Board of the California Privacy Protection Agency held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and has not started the formal rulemaking procedures yet, the first public drafts of the regulations provide a roadmap for where the CPPA Board may likely go, and the draft regulations would impose new and detailed compliance requirements.
-
10.06.2022
2022 Breach Notification Law Update: State and Federal Requirements Continue To Evolve
Updates
Cyberattacks continue to plague businesses, making the fallout of data breach notification and response as critical as ever. This year, like 2021, has been relatively quiet as it relates to state updates to breach notification laws.
-
09.14.2021
2021 Breach Notification Law Update: Connecticut and Texas Expand Requirements, Ransomware and Supply Chain Attacks Take Spotlight
Updates
Cyberattacks continue to make the news and affect our lives in increasingly more significant ways.
-
07.28.2020
Key Financial Data Security Takeaways From FTC Workshop
Articles
Law360
On June 13, the Federal Trade Commission held a virtual workshop on proposed changes to the Gramm-Leach-Bliley Act safeguards rule.
-
07.27.2020
INSIGHT: Mitigating Data Breach Risks Facing Marijuana Businesses
Articles
Marijuana businesses, especially those in the medical marijuana industry, often have access to sensitive consumer information.
-
06.26.2020
2020 Breach Notification Law Update: Vermont, District of Columbia, Maine, and California Expand Requirements
Updates
States continue to enhance and expand their breach notification requirements, increasing the scope of breaches that require notice as well as the complexity of compliance.
-
06.27.2019
States Continue to Expand Breach Notification Requirements in 2019
Updates
As more and larger data breaches come to light, states continue to update and expand their breach notification statutes, adding to the patchwork of notification obligations that now exists in every state.
-
12.18.2018
Is Your Business Prepared for Holiday Hacking?
Privacy Quick Tips
There is often an upsurge in hacking and online scams during the holidays, and businesses are not always prepared to respond. This tip includes five key steps you can take immediately to protect and defend against breaches.
-
06.12.2018
New Data Breach Notification Laws Spring 2018: What You Need to Know
Updates
This spring has brought a particularly active round of revisions to state data breach notification laws.
-
04.12.2018
6 Ways to Improve Your Incident Response Plan for GDPR
Updates
The General Data Protection Regulation (GDPR), which is effective May 25, 2018, requires notification to European regulators within 72 hours of the discovery of many types of data breaches. This deadline requires speed and organization that no other jurisdiction currently requires, especially in the United States. Organizations that hold personal data of EU residents and do not have an incident response plan should promptly develop one so they can comply with the GDPR’s requirements.
-
GDPR Data Breach Notification Requirements
Lawyer Publications
Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses computerized data that includes an IA resident’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security.
-
11.13.2017
Cybersecurity Threats—And What to do About Them
Articles
It had been months since a data breach had consumed the news when Equifax burst on the scene in September, announcing that hackers may have accessed information on 145 million Americans.
-
09.18.2017
Give Your Customers the Gift of Security
Updates
2017 has reminded us that data security threats continue to evolve and that the stakes for companies can be very high if their data security programs fail to evolve as well.
-
07.25.2017
New Mexico’s Data Breach Notification Is in Effect: What You Need to Know
Updates
New Mexico became the 48th state to enact data breach notification legislation with the Data Breach Notification Act, signed in April and effective as of June 16, 2017.
-
07.13.2016
Breach Response: New Laws To Know And 5 Questions To Ask
Articles
Law360
-
07.11.2016
Data Breach Incident Response: 5 Questions to Ask and New Laws to Know Now
Updates
The spring legislative sessions this year brought a now-familiar round of revisions to data breach notification laws, with states broadening their laws in often divergent ways.
-
01.29.2016
Data Breach Notification Law in California and Across the Nation Continues to Evolve
Updates
In four of the last five years, California’s legislature has updated its data breach notification law, expanding its scope and making the required notifications more specific.
-
06.24.2015
Data Breach Requirements Expand in Nevada, Connecticut, Oregon and Illinois
Updates
Four state legislatures closed their sessions with changes to their data breach notification laws, potentially imposing significant new compliance burdens.
-
05.15.2015
Spring 2015 Legislative Roundup: States Expand Data Breach Notification Requirements
Updates
During their spring 2015 legislative sessions, Washington, Wyoming, Montana, and North Dakota expanded their data security breach notification laws.
-
01.08.2015
Data Breach Plaintiffs Survive Dismissal Against Target
Updates
Target’s 2013 data breach has generated over 100 consumer lawsuits, which were consolidated last year before the U.S. District Court for the District of Minnesota. On December 18, 2014, Judge Paul A. Magnuson issued a decision on Target’s motion to dismiss the consolidated consumer cases.
-
10.07.2014
Third Quarter 2014: States Expanding Data Breach Notification Requirements
Updates
California, Florida, Kentucky, and Iowa have changed their security breach notification requirements in the past few months.
-
02.26.2014
Possibility of Future Harm Allows Sony Data Breach Plaintiffs to Survive Motion to Dismiss
Updates
The Southern District of California last month let 8 out of 51 claims survive in a putative class action arising out of the 2011 breach of the Sony PlayStation network. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (Sony II).
-
10.17.2013
Is Your Company Ready for California's Expanded Data Security Notification Law?
Updates
Effective January 1, 2014, California residents must be notified when the information used to access their email or other online accounts is compromised in a data security breach incident.
-
04.16.2013
Data Breach Class Actions Can't Survive Certification Without Expert Testimony on Classwide Damages
Updates
This is the latest opinion in the ongoing litigation arising out of a massive data breach suffered by Hannaford Bros. grocery stores. In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013).
-
03.18.2013
LinkedIn Data Breach Lawsuit Dismissed for Lack of Standing
Updates
A federal judge in the Northern District of California recently added to the growing list of cases rejecting attempts to recover damages resulting from data breaches. In In re LinkedIn User Privacy Litigation, Case no. 5:12-CV-03088 EJD (March 6, 2013), the court dismissed a lawsuit brought by LinkedIn users who were upset over the June 2012 posting of 6.5 million stolen LinkedIn user passwords.
-
03.27.2012
Class Action Complaints Strictly Interpret Privacy Policy Requirements
Updates
Several class action complaints filed in recent months take a novel approach regarding the requirements for website privacy policies under California's "Shine the Light" law.
-
02.08.2012
Proposed EU Regulation Promises Significant Changes to Consumer Privacy
Updates
The European Commission's proposed "Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" offers a significantly higher level of legal harmonization and predictability across Europe, but at the price of more stringent requirements and availability of stricter sanctions.
-
10.06.2011
FTC Proposes Changes to Children's Online Privacy Protection Rule
Updates
On September 15, 2011, the Federal Trade Commission (FTC) released the changes it is proposing to make to the Children’s Online Privacy Protection Rule (required by the Children’s Online Privacy Protection Act, or COPPA), which has been in effect since 2000. To address technological developments in the past decade, the FTC is recommending a number of changes.
-
12.20.2010
Red Flags Rule Now Excludes Lawyers, Doctors, and Other Professionals
Updates
On December 18, 2010, President Obama signed the Red Flag Program Clarification Act of 2010. Effective immediately, the act changes the definition of the word “creditor” in the FTC Red Flags Rule to exclude most professionals that take payment after rendering services.
Presentations
-
04.18.2024
Data Privacy Compliance: Pre-Attack Risk Mitigation and Post-Attack Best Practices
Speaking Engagements
Incident Response Forum presented by Cybersecurity Docket / Virtual Event
This virtual event will showcase a distinguished lineup of more than 30 incident response leaders who will participate in 10 insightful panels.
-
05.24.2022
The SEC’s Climate/Cyber Rulemakings – Your Action Items Now
Speaking Engagements
Webinar
This webinar covered the practical side of the U.S. Securities and Exchange Commission’s (SEC) recent climate and cybersecurity disclosure rule proposals.
-
09.24.2020
Incident Response in the U.S. and in the EU: The Primary Distinctions
Speaking Engagements
Incident Response Forum Europe 2020 / Virtual Event
-
07.07.2020
Threat and Breach Response: What's New?
Speaking Engagements
Amelia Gerlicher and Alexandria Bradshaw will explore trending attacks, review U.S. breach notification law, as well as share insight into recent legislative updates and the trends that continue to drive changes to state law.
-
10.10.2019
-
06.21.2017
Data Breach Planning and Insurance: What You Need to Know
Speaking Engagements
Panelist
In-House Counsel / Dallas, TX
-
06.20.2017
Data Breach Planning and Insurance: What You Need to Know
Speaking Engagements
Panelist
In-House Counsel / Dallas, TX
-
10.14.2016
The Big Elephants in the Room: Privacy and Data Security Overview
Speaking Engagements
Game Technology Law Conference / Seattle, WA
-
09.15.2015
Privacy 101: Emerging Issues in Privacy & Data Security
Speaking Engagements
Arizona Chapter of the Association of Corporate Counsel / Phoenix, AZ
-
06.25.2014
Cyber Security and Data Privacy: Views on Article III Standing
Speaking Engagements
Knowledge Group Webcast
Blogs
-
On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC’s complaint, Blackbaud’s allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing...
-
FTC Announces Data Breach Reporting Obligation Under GLBA Safeguards Rule
Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers. The new notification obligation...
-
The Board of the California Privacy Protection Agency (the CPPA) held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and that it has not...
-
2022 Breach Notification Law Update: State and Federal Requirements Continue To Evolve
Overview 2022 has been relatively quiet as it relates to state updates to breach notification laws, but Maryland made significant alterations to its general data breach notification law. Additionally, several other states made more minor changes, and the federal government issued or proposed several new data security and breach reporting requirements for certain types of...