Liisa M. Thomas, Kari M. Rollins, and Julia K. Kadish of Sheppard, Mullin, Richter & Hampton LLP write: The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered. The FTC emphasized at the…
Category: Legislation
PA House Committee advances Data Breach Notification legislation
George Stockburger reports: The Pennsylvania House State Government Committee has sent to the full House of Representatives for consideration Sen. Dan Laughlin’s legislation that would require state agencies to notify victims of a data breach within one week. Under Senate Bill 696, any state agency, county, municipality, public school or third-party vendor that conducts business with…
‘Too Much’ Data Breach Disclosure May Risk Additional Cyber Vulnerabilities
Isha Marathe reports: Even before Russia’s invasion of Ukraine, cyberattacks had been on the rise, leading to provisions from regulatory bodies such as the mandatory disclosures of incidents to protect investors and alert other businesses alike. Now, some attorneys and cybersecurity experts are asking if forced reporting of breaches and attacks at the level of detail that the U.S….
New Canadian cybersecurity bill to require mandatory reporting of ransomware, other attacks
Jim Bronskill reports: Businesses and other private-sector organizations would be required to report ransomware incidents and other cyberattacks to the government under a federal bill to be tabled today. The legislation is intended to flesh out Liberal government efforts to protect critical infrastructure following last month’s announcement that Chinese vendors Huawei Technologies and ZTE will be banned from Canada’s…
Vermont Enacts Insurance Data Security Law
Hunton Andrews Kurth writes: On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be…
Defensive Cyber Attacks Declared Legal by UK AG, Path Cleared to “Hack Back” When Critical Infrastructure & Services Attacked
Scott Ikeda reports: The Attorney General of the United Kingdom has declared the country can make use of defensive cyber attacks when “key services” (such as critical infrastructure and banks) are struck by foreign threat actors. The country is taking a formal position on extending international law to the digital realm, something that nations have…