Heads up to entities doing business in California: your breach notification obligations are changing. Joseph Lazzarotti of JacksonLewis explains: Governor Gavin Newsom recently signed SB 446 into law, introducing significant changes to California’s data breach notification requirements. The bill establishes deadlines for notifying consumers and the state’s Attorney General when personal information of California residents has been…
Category: State/Local
California’s New Delete Request Tool Impacts Data Brokers and Residents
Going forward, this might help California residents reduce the chances of their personal information being caught up in some breaches. Hunton Andrews Kurth writes: On September 26, 2025, following a public comment period, the California Privacy Protection Agency (“CPPA”) adopted its regulations concerning the Delete Request and Opt-Out Platform (“DROP”). The DROP is a tool developed to…
Shad White’s office finds nearly a third of Mississippi’s state agencies fail cybersecurity requirements
Stephanie Cunningham reports: According to Mississippi State Auditor Shad White, a third of state offices are at risk of cybercrimes due to not meeting cybersecurity assessment requirements according to a report released yesterday, Tuesday, Oct. 7. Auditor Shad White stated in the release, “Part of our role in my office according to state regulations is…
California hospitals can escape fines if workers expose patient info
Scott Holland reports that a California state appeals court agreed with a hospital that it should not be held liable for employee misbehavior if they had a clear policy in place but the employee knowingly violated it: A state appeals panel has agreed hospitals can’t be sued if one of their employees posts confidential patient…
Two agencies in one state investigated and fined Healthplex. Was that one too many?
DataBreaches is generally a great fan of state attorneys general taking enforcement action stemming from data breaches where the security was really subpar or the entity did not notify those affected in a reasonable amount of time. But two enforcement actions in New York have me wondering if the state has been a bit unfair…
Ohio law to require local governments to formally approve ransomware payments
Cleveland.com reports: In response to Cleveland and other local governments around Ohio being targeted with cyberattacks and ransomware threats, the state of Ohio will soon require all counties, cities, townships, school districts, libraries, and other local governments to have a cybersecurity policy that adheres to certain standards, as well as only allow locals to approve…