New regulatory activity may help companies experience fewer ransomware attacks and could impact whether ransoms can be paid to threat actors. The activity includes guidance and sanctions by the Department of Treasury (“Treasury”) and a host of resources provided by the Health and Human Services Office for Civil Rights. This post describes the activity, its impact on companies that experience a ransomware attack, and practical takeaways for in-house counsel.

Continue Reading To Pay or Not To Pay: What New Regulatory Activity Means for Ransomware Victims

The Florida privacy legislation appears to be dead, and the best way to explain it is with the southern adage that “pigs get fat, hogs get slaughtered.” With a strong privacy bill in hand that gave privacy advocates 95% of everything they wanted and approved by the Senate, the House decided it wanted more. It really wanted its private right of action.

Realizing that wasn’t going to happen, the House decided it was better to do nothing than pass a comprehensive privacy law enforced only by the Florida Attorney General. As a result, Florida privacy legislation is dead for 2021.

There will be a lot of Monday-morning-quarterbacking by privacy advocates who pushed too hard and ultimately came away with nothing. Would it have been smarter to start with AG enforcement, then add a private right of action later after a year or two showing that AG enforcement does not meet the mark? All along, was it only important to the House and privacy advocates that the bill provide a private right to sue? Was this bill always just a tool of the plaintiffs’ bar to generate a ton of new revenue through class action lawsuits, and having lost the most important part of that tool, they walked away? How else do we explain the House’s refusal to take up the Senate version that had 95% of the rest of the House version and in some ways was stronger? None of that seems good for Floridians, businesses, or the development of privacy law.

Stepping back, I still believe the blueprint for privacy laws in Red states has been shaped by this process — strong consumer rights accompanied by significant compliance obligations, lots of exceptions/exemptions (initially), but no private right of action. We will see what impact Florida’s legislative roller coaster has on other states and Congress. But for now, I get to enjoy not having to prepare a bunch of webinar slides this weekend on what the new Florida privacy law means to in-house counsel!

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

By a vote of 29-11, the Florida Senate passed its version of HB 969 and sent the bill back to the House for consideration of the rewritten version. At this point, there are only two legislative options remaining: (1) the House passes it without any changes, or (2) no privacy law is adopted in Florida during this legislative session. There is not enough time for the House to change the law again and have Senate reconsider/pass it by tomorrow. The odds are high that the House will pass HB 969 tomorrow and Governor DeSantis will sign it.

Assuming that’s the case, advocates on all sides of this law will have “won” and “lost” something, but the consequences of these last few months will have an enormous impact on privacy law moving forward for much more significant reasons than the bill itself. Continue Reading Florida Privacy Bill Passes Penultimate Legislative Hurdle; Significant Implications Follow

With only three days left in the legislative session, and on the morning when my Op-Ed was published by the Tallahassee Democrat, the Florida Senate weighed in on the House’s passage of HB 969.  There were two ways it could have done that: (1) take the House version sent to the Senate via messages and make changes to and vote on that version; or (2) ignore the version provided via messages and simply pass the pending version of SB 1734 in the Senate then send that version to the House via messages. It chose path #1. Moments ago, the  Senate passed a strike-all amendment that struck the entirety of HB 969 and replaced it with a modified version of SB 1734. A separate post will discuss the modified version of SB 1734 in greater detail, but this post briefly explains where things stand now and what to expect next.

Continue Reading What Just Happened With Florida Privacy Legislation?

Within the week, we will know whether Florida will adopt the most aggressive privacy law in the country, something more moderate, or nothing at all. But an issue that has not received enough attention is the reason HB 969 and SB 1734 have received more support in a “red” state than any other privacy law. It is a reason that will come full circle to adversely impact the contingency of supporters using privacy laws as a way to attack “Big Tech.” Continue Reading The Long Game: Why Parler Has Everything To Do With Florida’s Privacy Legislation

The Florida House of Representatives has officially passed HB 969, which would create the most aggressive privacy law in the United States. The bill would apply to companies that generate $50 million or more in annual gross revenue and collect a significant amount of personal information about Florida residents. In addition to imposing CCPA-like compliance obligations on companies, it creates the broadest private right of action ever seen in privacy law. The private right of action for $100 to $750 per consumer per incident would apply to: (1) data breaches of broadly-defined personal information; (2) a company’s failure to comply with a consumer’s request to delete personal information; (3) a company’s failure to comply with a consumer’s request to correct personal information; and (4) a company’s failure to comply with a consumer’s request to opt-out of the sale of their personal information. Further encouraging these lawsuits, the bill would allow for attorney’s fees and costs (for the consumer only, not a prevailing defendant).

House Rep. Ben Diamond (a Democrat and someone who is destined to run for Florida Governor and/or Attorney General at some point in the future) expressed concern on the House Floor about the impact of the law on Florida businesses. He implied that enforcement by the Florida Attorney General, instead of a private right of action, would be the better approach. Nevertheless, he ultimately voted in favor of the bill. The only representative to vote against HB 969 was Rep. Anthony Sabatini (R).

In short, if ever there were a question as to whether the Speaker of the House is fully aligned with the plaintiffs’ bar, the movement of HB 969 through the House provided certainty that he is.

Attention now turns to the Florida Senate, which is considering SB 1734, a more moderate privacy law that does NOT contain a private right of action, but allows the law to be enforced by the Florida Attorney General’s office (like Florida’s data breach notification law). The bill still needs to go through a second and third reading, which is not expected to be completed until early next week (if at all). If the Senate does not pass its version by the end of next week, there will be no change in Florida privacy law.  If the Senate passes SB 1734, a race will begin with many behind-the-scenes negotiations taking place to determine which version of the two versions (or perhaps a modified version of one of them) will become law before the legislative session ends next Friday. These negotiations may include the House Speaker and Senate President pushing for and prioritizing their favorite pieces of legislation (it’s clear from HB 969’s ability to soar relatively untouched through the House how important that law is to the House Speaker).

Next week we can expect “The Big Dog” to get more involved in this dispute and put his finger on the scale, likely pushing one version over the other. But as it stands right now, Team Open-The-Floodgates has scored a touchdown in the fourth quarter to take the lead, but Team Protect-Florida-Businesses has the ball and is driving.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Despite concerns expressed by House Democrat Ben Diamond about the private right of action, HB 969 passed second reading in the Florida House of Representatives today. The bill now moves to a 3rd reading, which is the last step to passage by the House.

HB 969 would be the most aggressive privacy law in the country, allowing for a private right of action for: (1) data breaches of personal information (broadly defined); (2) a company’s failure to comply with a consumer’s request to delete personal information; (3) a company’s failure to comply with a consumer’s request to correct personal information; and (4) a company’s failure to comply with a consumer’s request to opt out of the sale of their personal information.  Unlike the CCPA, which limits the data breach private right of action to breaches of sensitive information and provides a right to cure, HB 969’s private right of action would apply to a data breach of the broad definition of personal information and the bill contains no opportunity to cure.  It is possible an amendment to HB 969 could be introduced between now and the 3rd reading.

Meanwhile, the Senate version of its privacy law (SB 1734) awaits second reading. That bill would create a more moderate version of a privacy law that would not include a private right of action, would be limited to the sale of personal information, and would be limited in scope to companies that buy or sell a significant amount of personal information.  The Senate version has its own problems, like the fact it adds requirements for “sensitive data” but doesn’t define what that means, and the fact that it requires companies to comply with opt-out requests within two days.

Assuming both versions of the law pass their respective chamber, the Florida Legislature would then have until April 30th to pass a unified version.

In short, we have entered the “fourth quarter” and the score is tied.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Today, the Florida House of Representatives Commerce Committee voted unanimously to allow HB 969, which would be the most aggressive privacy law in the country, to move forward for a full House floor vote. This post explains what happened, what will happen next, and some of the unique political forces and considerations behind HB 969.     Continue Reading Have Privacy Advocates Found A New Path Forward in Red States?

The Florida Senate appears poised to hit the brakes on privacy legislation that has thus far soared through committees in both legislative chambers.  The House version (HB 969) and the Senate Version (SB 1734) would have not only created the same consumer privacy rights as the CCPA, the bills would have created massive private rights of action, far broader than any other privacy law in the United States.  

Today, a “strike all” Committee Amendment was offered to the Senate version.  TRANSLATION – the Senate Rules Committee, where SB 1734 is now pending, is proposing a “friendly amendment” that would strike the entirety of SB 1734 and replace it with a new version. Continue Reading Momentum Slows for Florida Privacy Law; What’s Next?

The Florida Senate’s version of a new comprehensive privacy law (a.k.a. the “Florida Privacy Protection Act” (FPPA)) passed unscathed out of the Senate’s Committee on Commerce and Tourism yesterday. The bill’s sponsor fought off two proposed amendments: one that would have eliminated the private right of action and a second that would have required more than just a revenue threshold for the law to apply. This post describes what makes the FPPA more aggressive than the CCPA, it provides a summary of the Senate Committee hearing, and it shares some late-breaking news about the House version (HB 969).

Continue Reading Senate Version of Florida Privacy Law Moves Forward; House Version Makes Class-Action Lawsuits Even Easier