Data Security Breach Response

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory aimed at reminding businesses to be on guard over the Labor Day and other holiday weekends against cyberattacks.

History has shown that threat actors often ramp up ransomware and other attacks over holidays, when businesses let down their guard.

Nate

On March 26, 2020, Washington D.C. enacted bill number B23-0215, amending its data breach notification law.

In addition to the data breach notification requirements (including medical and biometric data when compromised together with a person’s name), the bill also requires businesses to:

  • “Implement and maintain reasonable security safeguards, including procedures and practices that are appropriate

California has amended its data breach notification law to include biometric and other identifiers.

The bill (AB 1130), signed by Gov. Gavin Newsom on October 11, revises the definition of personal information for purposes of data breach notification requirements to add specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and

“Learning from recent breaches and the need for a greater understanding of privacy in the enterprise, it’s time for companies to take a new, proactive approach to data management. Making data privacy decisions in a silo is no longer enough. Organizations must now implement robust data privacy practices that also involve their board members on

Passports and biometric data would be included in the types of personal information covered by California’s data breach notification law, under a bill that passed the state Senate and is headed to Gov. Gavin Newsom.

A.B. 1130 by Assemblyman Marc Levine (D) would also add taxpayer and military identification numbers, and other unique government identification

The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR.

Key takeaways:

  • Data minimization:
    • Collect only the information you need. If you only need name, identification code, bank account number, currency, balance, purpose of

Strong data encryption is a best practice, but according to new guidance from the UK’s data protection authority, it may not exempt you from General Data Protection Regulation (GDPR) notification requirements if you suffer a breach. That’s a significant departure from most U.S. federal and state data privacy rules.

Our Privacy & Data Security team

Don’t store users’ passwords in cleartext. Really.

It’s not a good idea. Also, it may be deemed a ‘knowing violation’ of the EU General Data Protection Regulation (GDPR) requirement to adequately protect personal data.

That is one key takeaway from the GDPR enforcement action by the State Commissioner for Data Protection and Freedom of Information

Fox Rothschild partner and firm Chief Privacy Officer Mark G. McCreary sees a trend: Law firms are increasingly recognizing that naming a lawyer to lead data security and privacy efforts is “an essential ingredient in good risk management.”

In an article for Law360 entitled “Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO,”