Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers.

The NetDiligence Cyber Risk Summit, which was held September 30-October 2 in Philadelphia, featured panels focused on the latest developments and challenges in cyber risk. Speakers included insurance, legal, and technology experts from a wide variety of organizations in the cyber risk industry.

On October 1, Montana became the newest state with a comprehensive data privacy law, the Montana Consumer Data Privacy Act.

The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available here 2024 Act 33 - PA General Assembly (state.pa.us), took effect last week, on September 26. The key provisions are as follows:

On April 24, the Federal Trade Commission announced that it had finalized changes to its Health Breach Notification Rule - to address emerging technologies.

Specifically, the Rule was broadened to (1) apply to entities not currently subject to the Health Insurance Portability and Accountability Act, (2) clarify what a breach of security is, (3) expand notification methods, (4) impose additional requirements for the content of notifications, and (5) amend the timeframe for issuing required notifications to the FTC.

Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.  

Laura Balson in our Chicago office recently discussed an amendment to the Illinois Biometric Information Privacy Act. At that time, the Illinois House and Senate had passed an amendment to Illinois Biometric Information Privacy Act, or “BIPA,” which was awaiting the signature of Gov, J.B. Pritzker (D). The amendment has now been signed and must be a consideration in BIPA litigation and in the use of biometric data.

Most significantly, the amendment specifies that an individual is limited to one recovery, even if there were multiple scans that violated the Act. This is good news for businesses.

Minnesota has become the 18th state to enact a comprehensive consumer privacy law. On May 24, Gov. Tim Walz (D) signed the Minnesota Consumer Data Privacy Act into law to provide privacy rights to Minnesotans and to impose new requirements on businesses and organizations handling personal data. For most covered entities, the law will go into effect on July 31, 2025.

Effective May 24, 2024, the Office of the Privacy Commissioner of Canada (OPC) has introduced a new online PIPEDA breach reporting form for federal institutions and businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The past couple of years have seen a number of states enact comprehensive privacy laws. Thus far, California, Colorado, Connecticut, Utah, and Virginia have enacted state privacy laws. In July, we will see three new privacy laws take effect in Texas, Oregon, and Florida. A privacy law in Montana will become effective on October 1.