The Obama Administration has just released the proposed text of the Personal Data Notification & Protection Act as the latest step in its uniform federal breach notification initiative. Similar legislative efforts in the past have been unsuccessful, but there remains interest in federal legislation that would eliminate the need to navigate the patchwork of 47 different state breach notification laws. This article will highlight how the proposed federal law compares to most state breach notification requirements, and how it may impact businesses as a practical matter.
The fundamental shift for businesses in the past 15 years from paper documents to computer data has forced the courts to decide whether intangible electronic data should enjoy the same legal protections as physical property.
Because of this shift, it is important to review the judicial response to the electronic-data issue in the context of a federal criminal statute, the National Stolen Property Act (NSPA), and common law conversion.
The NSPA makes it a felony for one who “transports, transmits, or transfers in interstate or foreign commerce any goods, wares, merchandise … of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” Conversion is the state civil cause of action for the theft of property.
Continuing the trend of changes in state breach notification and related laws, Cal. A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws in the wake of significant data breaches, particularly in the retail sector. (See “Changes in State Breach Notification Laws.”)
As data breaches continue to occur, breach notification laws are being amended or enacted. In the United States, state and federal breach notification laws should be monitored carefully regarding changes, as should breach notification laws in other countries (e.g., Canada).
As of July 15, 2014, 47 states (other than Alabama, New Mexico, and South Dakota) plus the District of Columbia, Guam, Puerto Rico, and Virgin Islands have breach notification laws. This article addresses changes in state breach notification laws.
Cybersecurity threats have reached a point where they cannot go ignored by any government agency,even the U.S. Securities and Exchange Commission. Although an agency that is tasked with protecting investors is not one that typically comes to mind in the battle against cyberthreats,the SEC does maintain jurisdiction over cybersecurity issues for public companies, broker dealers and investment advisers, due to its responsibilities for ensuring the disclosure of material information, integrity of market systems and customer data protection.
DATE and SCHEDULEThursday, June 26, 2014 8:00 a.m. – 8:30 a.m. Breakfast and Registration 8:30 a.m. to Noon Seminar LOCATION Dorsey & Whitney LLP 51 W. 52nd Street 9th Floor New York, NY 10019 Complimentary. Pre-registration is required. CLE INFORMATION Dorsey is an Accredited CLE Provider in California and… Read More
A number of class actions have recently been filed in federal district courts, predicated, in part, on alleged violations of the federal computer crime statute, the Computer Fraud and Abuse Act, complaining of tracking software placed on iPhone and Android devices and unwanted text messages. Decisions in these cases have implications for filing a valid CFAA civil action.
A New York trial court announced a decision on February 21, 2014, that may be a harbinger of wide-reaching limitations on insurance coverage for data breaches under commercial general liability (CGL) policies. The court’s ruling, while subject to appeal, demonstrates the hazards of relying on traditional CGL policies for coverage for data breaches. The lawsuit, Zurich… Read More
Although headlines have focused on foreign cyberattacks, plenty are U.S.-based—and can be remedied. Over the past year the national press has repeatedly reported on the vulnerability of our intellectual property to nation-state hackers like China, which have reportedly accessed and stolen highly confidential data by entering computer systems through public websites. Lost in the headlines… Read More
In all jurisdictions the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, the federal computer crime statute, applies to former employees who steal data from the company computer, but in two federal circuits it does not apply when the theft occurs during employment. The difference in jurisdictions is significant to employers because the CFAA provides a civil remedy for damages and injunctive relief for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g).
Last year the U.S. Court of Appeals for the Ninth Circuit in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), disagreed with certain of its sister circuits and narrowly interpret-ed what it means to access the company computer “without authorization,” effec-tively eliminating a company’s ability in that jurisdiction to use the CFAA against current employees. This column will review the conflicting interpretations of the CFAA that distinguishes between current and former employees and the strategies and options companies can employ to navigate this conflict.