Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020, Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).

Keypoint: Individuals and businesses should take steps to avoid becoming victims of the rapid rise in Coronavirus-related hacking scams.

On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.

Keypoint: With just two days to go before the close of the Washington legislature, a conference committee will try to resolve conflicts between the House and Senate versions of the WPA.

As we previously reported, on Friday, March 6, the Washington House passed an amended version of the Washington Privacy Act (WPA) that included a private right of action. The bill then moved back to the Senate where, on Monday, March 9, the Senate refused to concur in the amendments and asked the House to recede from them. Predictably, the House refused.

However, the House requested that the Senate agree to a conference committee, which request the Senate quickly granted. The House and Senate thereafter appointed three members each to participate in the conference committee.

As it did last year, the Washington state senate has overwhelmingly passed comprehensive consumer privacy legislation. The legislation, entitled the Washington Privacy Act (WPA), passed the state senate on February 14, 2020, by a vote of 46-1. The legislation will now move to the state house of representatives where it failed last year. A copy

Keypoint: Maryland lawmakers have introduced a bill that would allow Maryland residents to opt out of certain types of personal information transfers but that would stop far short of creating CCPA-like rights for Maryland residents.

On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.

Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA.

Below is our analysis of the Maryland legislation (as introduced).

Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.

Key Point: If you consider your cybersecurity defensive measures to be a one-time investment, that is what the criminals are banking on.

Most people enjoy improvements and innovations when it comes to consumer electronics, but the unfortunate truth is that cybercriminals are innovating and improving their techniques and tactics as well. These innovations include “getting a second bite from the ransomware apple” and using ransomware to cause “physical vulnerabilities at your business.” Hopefully the anecdotes below help to convince the decision-makers in your business to follow the Coast Guard’s motto Semper Paratus – Always Prepared.

Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.

On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.

Key Point: If signed by the Governor, the legislation will require entities doing business in New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.

As it closed its session, the New York legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill, which the New York Attorney General’s (“AG”) office strongly supports, is now at the governor’s office for review. New York AG Letitia James stated New York will join the “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”

If Governor Cuomo signs the bill, New York will build upon its existing data breach notification law, and add a new requirement for data custodians in the private and public sectors to adopt reasonable measures to safeguard sensitive data of New York residents.