Author: Josephine Law, FIP, CIPP/US, CIPM

Senior IT Risk Analyst, Information Security and Assurance | Fordham University

A Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Manager (CIPM) who is a versatile and creative writer, fusing a background in communications and academics with expertise in business writing to deliver quality, customized material spanning technical, marketing, policy, and social media content. Creative, resourceful, and flexible, able to adapt to changing priorities while maintaining a positive attitude, a strong work ethic, and a sense of humor.

According to Hunton Andrews Kurth’s Privacy & Information Security Law Blog, New York’s Stop Hacks and Improve Electronic Data Security Act, better known as the SHIELD Act, is a two-part data security bill that affects any business handling the private information of New York State residents, wherever that business is located. The SHIELD Act took effect on March 21, 2020. The law requires covered organizations to implement a data security program with reasonable administrative, technical and physical safeguards for the personal information of New York residents. Companies found to be in violation of the SHIELD Act may be subject to a fine of up to $5,000 per violation.


Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Developed from a draft version in collaboration with a range of stakeholders, the framework provides a useful set of privacy protection strategies for organizations that wish to improve their approach to using and protecting…


The National Conference of State Legislatures tracks state legislation and laws across the privacy and security space, and we have placed links below to many of the different resources they provide.

Access to Social Media Usernames and Passwords - Legislation
Anti-Phishing Statutes
Anti-Spyware Statutes
Automated License Plate Readers - Statutes
Chief Information Security Officers
Computer Crime Statutes
Constitutional Privacy Protections
Cybersecurity Legislation
Data Disposal Laws
Data Security Laws | Government
Denial of Service Statutes
Identity Theft Statutes
Election Security
Event Data Recorders and Privacy
Privacy Protections in State Constitutions
Privacy Legislation Related to Internet Service Providers
Radio Frequency Identification
Ransomware Statutes
Security Breach Laws and Legislation…


Foley Hoag’s Security, Privacy and the Law Blog looks at the key provisions of the New York Privacy Act. The NYPA would apply to “legal entities that conduct business in New York” and would take effect 180 days after enactment. Organizations that collect, sell or license any personal data would owe fiduciary duties to the individuals whose data they hold. The bill is currently under consideration by the state Senate’s Consumer Protection Committee. Meanwhile, Gov. Larry Hogan, R-Md., signed a bill amending Maryland’s data breach notification law, and Sen. Amy Klobuchar, D-Minn., introduced a bill to create protections for genetic, biometric and personal health information.


The Brookings Institution reports on the differences between the New York Privacy Act and the California Consumer Privacy Act and on how the two will affect the chances of a federal U.S. privacy law. While the laws share similarities, the New York bill includes a private right of action and has no revenue threshold, so it would reach businesses of any size. Because the two states together represent more than 20% of the U.S. economy, companies and lawmakers have begun to look toward a single, all-encompassing federal rule. “But even as the introduction of each new state law deepens the need for a federal standard, a proliferation of state…


Just as legal experts have been predicting for nearly a year, individual U.S. states are starting to develop their own privacy legislation similar in form and content to the California Consumer Privacy Act (CCPA). The first state to follow California’s lead is New York, which has proposed new privacy legislation (NY Senate Bill 224) that would be considerably tougher than California’s law. The New York Privacy Act is still looking for a sponsor in the state Assembly, but New York legislators are confident that the new legislation will be passed by the end of the summer.


Privacy professionals seeking clarity on compliance with the California Consumer Privacy Act (CCPA) are monitoring the numerous amendment bills introduced in the California State Assembly and the California State Senate. Twelve bills garnered the votes needed to pass the Assembly and moved to the Senate for further revision and voting. The Assembly’s calendar prohibits consideration of new bills this session, which means that any amendments enacted before the CCPA’s 2020 effective date will be drawn from these twelve bills. California’s complex legislative process makes tracking the amendments yeoman’s work.


Privacy by Design (PbD) is generally treated as a synonym for Data Protection by Design. As a specific term, however, it was first developed in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, who later formalized it as a framework of seven foundational principles. The core idea is that data protection must be considered from the start of the design phase of system development, not bolted on afterward. Companies must be able to show that privacy considerations were built into system design and system access, e.g., that they collect and store only the minimum amount of personal data needed for the stated purpose. Privacy by Design – The 7 Foundational Principles This document, authored by…


Can being overly helpful and multi-tasking cause you to make privacy mistakes? The short answer is yes. Most of us are focused on meeting the needs of internal and external clients. How can that be a bad thing? Sometimes, in the rush to complete a task, we provide more information than the task requires. The less information is exchanged, the lower the risk of a privacy incident, and the more that is exchanged, the higher the risk. Unknowingly, and with the best of intentions, we may disclose more personal information than is required. If that information reaches unauthorized individuals, the result may be a privacy infraction. Over-collection of data…
