Connecticut is the fifth U.S. state, and the second this year after Utah passed the Utah Consumer Privacy Act (“UCPA”), to enact a comprehensive data privacy legislation.
On March 9, 2022, the Securities and Exchange Commission (“SEC”) announced Proposed Rules on cybersecurity risk management, strategy, governance, and incident disclosure (“Proposed Rules”) to address concerns of increasing cybersecurity threats to public companies.
The Department of Justice, acting on behalf of the Federal Trade Commission, recently took action against WW International, Inc., formerly known as Weight Watchers, and its subsidiary, Kurbo, Inc. (together, “Weight Watchers”).
Two new United Kingdom (“UK”) data transfer mechanisms, the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum (“UK Addendum”) to the European Union’s (“EU”) new standard contractual clauses (“SCCs”), came into force on March 21, 2022.
On January 1, 2023, absent intervention from the California legislature, the nation’s first comprehensive data privacy law, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), will not only regulate consumer data but will also regulate previously exempt human resources data as well.
Update: The UCPA was signed into law by Governor Spencer J. Cox without amendment on March 24, 2022.
As the onslaught of data breaches and ransomware attacks continues, state governments are grappling with ways to bolster the impact and reach of breach notification laws.
Amid high-profile cybersecurity breaches that have spurred regulatory action and encouraged compliance revamps, the Fifth Circuit recently ruled that the Insurance Company of the State of Pennsylvania (“ICSOP”) has a duty to defend Landry’s, a Houston-based hospitality chain, in a $20 million data breach litigation.
Colorado is set to become the third U.S. state to pass comprehensive data privacy legislation.
On June 4, 2021, the European Commission announced the definitive adoption and publication of revamped Standard Contractual Clauses (“SCCs”) for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”).
In McMorris v. Carlos Lopez & Associates, LLC, a data breach case, the Second Circuit held that plaintiffs may demonstrate standing based on a theory of “increased risk” of future identity theft or fraud following an unauthorized disclosure of their data.