New Rhode Island data security law takes effect July 2

June 22, 2016

by Timothy C. Cavazza and Matthew H. Parker

The Rhode Island Identity Theft Protection Act of 2015 will take full effect on July 2, meaning employers need to have their data security and notification policies in compliance or face serious financial consequences if even one data breach occurs.

The new law applies to employers and municipal agencies. It requires any person or entity in Rhode Island that stores, collects, processes, maintains, acquires, uses, owns, or licenses “personal information” about a Rhode Island resident to “implement and maintain a risk-based information security program [that] contains reasonable security procedures and practices appropriate [for] the size and scope of [the] organization, the nature of the information[,] and the purpose for which the information was collected.”


New Oregon data security law takes effect January 1

December 16, 2015

by Joanna Perini-Abbott

Oregon’s expanded data breach law will take effect January 1, making two significant changes to the old law—a notification requirement and a change in the definition of “personal information.”

Like the old law, the new law requires businesses that maintain personal information digitally, including information about employees, to notify Oregon residents whose electronically stored information has been compromised as soon as the breach is discovered.


Expanded data security breach laws taking effect in Washington

July 09, 2015

by Joelle Hong and Amelia Morrow Gerlicher

Washington’s expanded data security breach notification laws are set to take effect July 24, meaning employers must make sure they have safe and effective privacy practices in place and are ready to respond in the event of a security breach.

Under the old law, businesses that own or license computerized data containing personal information about Washington residents must disclose any breach involving unencrypted personal information. But beginning July 24, the requirement will expand to include both computerized and hard copy data containing personal information that is not “secured” as well as encrypted information if the person who gains unauthorized access to the data has access to the encryption key or an alternative means of deciphering the data.


Wyoming employers need to be ready for strengthened data breach law

June 30, 2015

by Brad Cave

Wyoming’s new data breach notification law takes effect July 1, meaning employers need to be ready for beefed-up notification requirements.

Wyoming law requires that any entity or person who conducts business in Wyoming and owns or licenses computerized data that include personal identifying information must notify affected consumers of a data breach. Because personal identifying information includes such things as Social Security numbers, addresses, phone numbers, and health insurance and medical information, most employers have data covered by the law.

Under the old law, breach notifications needed to include only a toll-free number consumers could use to contact the business that was collecting their data so it could provide the telephone numbers and addresses of the major credit-reporting agencies. Under the new law, notifications must provide much more information.
