Protecting personal information is important to all Americans. In the absence of a comprehensive federal privacy law (the US is one of the few remaining countries without one), states are stepping up. Five states have adopted comprehensive privacy legislation: California, Colorado, Connecticut, Virginia and Utah. And more than half of the country’s state legislatures have […]
After failed attempts in years past, on April 28, 2022, Connecticut became the fifth state to pass a consumer data privacy bill. It is headed to the Governor’s desk for signature, and he is expected to sign. Entitled “An Act Concerning Personal Data Privacy and Online Monitoring,” it enjoyed bipartisan support passing unanimously in the […]
Today, the Connecticut Attorney General’s office announced that it created an online form for data breach reporting. According to the CT AG’s office, “[t]he need for a standardized, online submission form was also motivated by recent amendments to Connecticut’s data breach notification statute.” Those amendments, which took effect on October 1, 2021, include a broadened definition of personal information and a reduced timeframe for notification and reporting from 90 days to 60 days.
Today, Connecticut’s Governor signed An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, Public Act 21-119 (the Act). The Act prohibits the assessment of punitive damages against an entity sued for negligent data protection practices related to a data breach involving personal information or information that can be used to identify an individual if the entity adopts and implements recognized cybersecurity standards.
Written in collaboration with Nathaly Tamayo, JD.
Late in the legislative session, both the Connecticut House and Senate passed House Bill 5310 (now Public Act 21-59), An Act Concerning Data Privacy Breaches, which substantially amends Connecticut’s data breach notification statute (CGS §36a-701b). Although the bill implemented a number of revisions, the most notable changes significantly expand the definition of personal information and shorten the notification timeframe.
In Part I of this mini-series last week, Dayle A. Duran, Esq., CIPP/US articulately described Apple and Google’s COVID-19 contact tracing API. Overall, she concluded that, if used as intended, the technology provides good privacy protections, but flagged that the real privacy risks lie in unintended use and function creep. Recently proposed bipartisan legislation may adequately address these concerns.
This is part one of a two-part series focused on COVID-19 contact tracing technology and its implications for US privacy law. The next installment of this series will examine legislative solutions to protect data subjects from misuse of information collected through contact tracing apps and related technologies.
The Federal Trade Commission’s Health Breach Notification Rule (HBNR) is a perfect example of a narrowly tailored regulation that only contributes to the cumbersome patchwork of privacy rules in this country without providing any real benefit. In this blog post, I explore the problems with the HBNR and why we should focus instead on creating meaningful, comprehensive privacy legislation.
Yesterday, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator of Health Information Technology (ONC) released their long-awaited final rules on interoperability and information blocking.
A relatively new kind of ransomware is targeting law firms and publicly shaming them into paying the ransom or risk having the firm’s data dumped on the internet. In other ransomware news, instead of money, some hackers are demanding photos of women’s body parts.