August 5, 2020

Volume X, Number 218

Two Cyber Laws Go Into Effect Over US Labor Day Weekend

On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the company determining that the breach has occurred, and Colorado now joins many other states in having content requirements for breach notices. In addition to the data breach notification changes, the law also creates a requirement to “reasonably” protect personal information.

Also on September 1, a portion of the New York Department of Financial Services’ revised cybersecurity regulation became effective. As we previously wrote, the regulation applies to “covered entities” under New York’s Banking, Insurance, and Financial Services laws, and has rolling effective dates. The September 1 date brought into effect the need for covered entities to, inter alia, (1) conduct risk assessments for in-house developed and externally developed applications that are brought into the company’s environment, (2) have policies that limit retention of nonpublic personal information the entity no longer needs, (3) monitor access to nonpublic information in their systems, and (4) encrypt nonpublic information at rest and in transit.

Putting it into Practice: While many eyes in the US may be on the developments coming out of California, these two laws remind us that there continue to be changes across the US in the privacy and data security landscape.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 247


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...