Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

Washington State Expands Data Breach Notification Law

Effective March 1, 2020, Washington State House Bill 1071 amends the state’s data breach notification law, expanding the categories of consumer information whose unauthorized access triggers notification requirements. Under current law, any person or business that conducts business in Washington State and that owns or licenses data that includes personal information must provide notice to potentially affected consumers and to the state Attorney General no more than 45 calendar days after a data breach that may have resulted in unauthorized access to consumers’ personal information; as amended, the law will reduce the timeline for notification to 30 days.

In addition to making non-substantive changes (e.g., recodifying definition and exemption provisions), the measure also:

  • Adds notification procedures for a data breach involving a consumer’s username or password (which vary according to whether the breach involves login credentials for an email account furnished by the person or business providing the notification);
  • Requires the notification to affected consumers to include “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; and
  • If a breach affected more than 500 Washington consumers, requires the notification to the Attorney General to provide: (i) a list of the types of personal information that were, or are reasonably believed to have been, the subject of a breach; (ii) “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; (iii) a summary of steps taken to contain the breach; and (iv) a sample copy of a notification (which must exclude any personally identifiable information).

Alston & Bird Issues Client Alert on New Cybersecurity Requirements As Recently Announced by the Federal Trade Commission

On April 3, Alston & Bird Senior Associate Michael Young issued a Client Alert on a recent Federal Trade Commission announcement of proposed updates to two key privacy and security regulations, the Safeguards Rule and the Privacy Rule, that address new cybersecurity requirements. The Client Alert provides key highlights of the proposed updates to both rules, as follows. Under the Safeguards Rule, the proposal is partially modeled on New York’s Cybersecurity Regulations and would include a number of information security requirements. Under the Privacy Rule, the proposal would update the rule to address annual privacy notice requirements. In addition, the proposal seeks to clarify the limited scope of the FTC’s rulemaking authority under Gramm-Leach-Bliley. The Client Alert also points out that the requirements set forth in the proposals may significantly impact various entities in the financial services industry, and their activities, that fall under the authority of the FTC.

The Client Alert can be found here on the Alston & Bird Privacy Blog.