Data Security

Subscribe to Data Security

New regulatory activity may help companies experience fewer ransomware attacks and could impact whether ransoms can be paid to threat actors. The activity includes guidance and sanctions by the Department of Treasury (“Treasury”) and a host of resources provided by the Health and Human Services Office for Civil Rights. This post describes the activity, its impact on companies that experience a ransomware attack, and practical takeaways for in-house counsel.

Continue Reading To Pay or Not To Pay: What New Regulatory Activity Means for Ransomware Victims

By a vote of 29-11, the Florida Senate passed its version of HB 969 and sent the bill back to the House for consideration of the rewritten version. At this point, there are only two legislative options remaining: (1) the House passes it without any changes, or (2) no privacy law is adopted in Florida during this legislative session. There is not enough time for the House to change the law again and have Senate reconsider/pass it by tomorrow. The odds are high that the House will pass HB 969 tomorrow and Governor DeSantis will sign it.

Assuming that’s the case, advocates on all sides of this law will have “won” and “lost” something, but the consequences of these last few months will have an enormous impact on privacy law moving forward for much more significant reasons than the bill itself.
Continue Reading Florida Privacy Bill Passes Penultimate Legislative Hurdle; Significant Implications Follow

With only three days left in the legislative session, and on the morning when my Op-Ed was published by the Tallahassee Democrat, the Florida Senate weighed in on the House’s passage of HB 969.  There were two ways it could have done that: (1) take the House version sent to the Senate via messages and make changes to and vote on that version; or (2) ignore the version provided via messages and simply pass the pending version of SB 1734 in the Senate then send that version to the House via messages. It chose path #1. Moments ago, the  Senate passed a strike-all amendment that struck the entirety of HB 969 and replaced it with a modified version of SB 1734. A separate post will discuss the modified version of SB 1734 in greater detail, but this post briefly explains where things stand now and what to expect next.
Continue Reading What Just Happened With Florida Privacy Legislation?

Within the week, we will know whether Florida will adopt the most aggressive privacy law in the country, something more moderate, or nothing at all. But an issue that has not received enough attention is the reason HB 969 and SB 1734 have received more support in a “red” state than any other privacy law. It is a reason that will come full circle to adversely impact the contingency of supporters using privacy laws as a way to attack “Big Tech.”
Continue Reading The Long Game: Why Parler Has Everything To Do With Florida’s Privacy Legislation

Today, the Florida House of Representatives Commerce Committee voted unanimously to allow HB 969, which would be the most aggressive privacy law in the country, to move forward for a full House floor vote. This post explains what happened, what will happen next, and some of the unique political forces and considerations behind HB 969.    
Continue Reading Have Privacy Advocates Found A New Path Forward in Red States?

The Florida Senate appears poised to hit the brakes on privacy legislation that has thus far soared through committees in both legislative chambers.  The House version (HB 969) and the Senate Version (SB 1734) would have not only created the same consumer privacy rights as the CCPA, the bills would have created massive private rights of action, far broader than any other privacy law in the United States.  

Today, a “strike all” Committee Amendment was offered to the Senate version.  TRANSLATION – the Senate Rules Committee, where SB 1734 is now pending, is proposing a “friendly amendment” that would strike the entirety of SB 1734 and replace it with a new version.
Continue Reading Momentum Slows for Florida Privacy Law; What’s Next?

The Florida Senate’s version of a new comprehensive privacy law (a.k.a. the “Florida Privacy Protection Act” (FPPA)) passed unscathed out of the Senate’s Committee on Commerce and Tourism yesterday. The bill’s sponsor fought off two proposed amendments: one that would have eliminated the private right of action and a second that would have required more than just a revenue threshold for the law to apply. This post describes what makes the FPPA more aggressive than the CCPA, it provides a summary of the Senate Committee hearing, and it shares some late-breaking news about the House version (HB 969).
Continue Reading Senate Version of Florida Privacy Law Moves Forward; House Version Makes Class-Action Lawsuits Even Easier

Yesterday, the Governor of Florida threw his support behind a newly introduced consumer data privacy bill (HB 969) which is very similar to the California Consumer Privacy Act of 2018. The Governor’s support is a significant development given that he and both chambers of the Florida Legislature are Republican and, to date, there has not been any aligned support for a privacy law since the Florida Information Protection Act (FIPA), Florida’s data breach notification law.  Nevertheless, as with the CCPA, the bill proposes a boondoggle for the plaintiffs’ bar in the form of a private right of action for data breaches and statutory damages, which could present a significant obstacle to passage in the bill’s current form, particularly for a fairly business-friendly Florida Legislature.

Continue Reading Florida Throws Its Hat Into the Privacy Ring, And It’s Looking A Lot Like California

Yesterday, in a 26-page opinion, the 11th U.S. Circuit Court of Appeals has weighed in on two important questions in the world of privacy and data breach litigation.  First, does a plaintiff have standing where he was exposed to a substantial risk of future identity theft, even though there was no misuse of his information. The court’s answer is no. Second, what efforts to mitigate this risk does a plaintiff need to undertake to meet the standing requirement.  Here, the court held that the plaintiff essentially manufactured his own injuries (wasted time, lost use of his preferred card, and lost credit card benefits) by voluntarily canceling his credit card, which is not enough to confer standing.

Continue Reading The Eleventh U.S. Circuit Weighs in on Data Breach Standing Issues