2014 has been called the “Year of the Data Breach.”  In the wake of many high-profile data breaches, including the recent Sony breach, 2015 promises a continued focus on privacy and cybersecurity issues. This week, President Obama announced the proposal of new cybersecurity legislation. The president’s proposal will include:

  • Cybersecurity Information Sharing. In an effort to promote cybersecurity information sharing, the proposal includes targeted liability protection for companies that share information with government entities and encourages private sector information sharing.
  • Federal Data Breach Legislation. The proposal includes federal legislation intended to simplify and standardize data breach reporting requirements. Currently, there are 47 state data breach statutes, which vary in terms of scope, reporting obligations and timing requirements. Please see our June 2014 alert outlining recent changes to Florida’s data breach statute.
  • Student Privacy Protections. Following in California’s footsteps, (e.g., Senate Bill No. 1177), President Obama’s proposal includes legislation aimed at protecting student information by, among other things, prohibiting companies from selling student data for non-educational purposes.

The president’s legislative proposals come after a year of significant privacy and information security regulatory enforcement, litigation and legislative activity at both the federal and state levels.  Last week, Peter Guffin and Sara Benjamin presented at the Boston Bar Association’s Intellectual Property 2014 Year in Review program on the significant legal developments in this area and what they mean for businesses.  Please view the slides and accompanying manuscript outlining many of these developments in greater detail.

Highlights of their presentation include:

FTC and OCR Regulatory Developments. Regulatory enforcement activity increased in 2014. Lessons learned from FTC and OCR enforcement actions include:

  • Accurately describe and implement privacy and data security practices
  • Ensure mobile app privacy and data security, as described in the firm’s recent client alert
  • Encrypt laptops with personal information

Litigation Developments. Wyndham Worldwide and LabMD continue to challenge the FTC’s authority to regulate corporate privacy and data security practices. The Connecticut Supreme Court also upheld a data breach negligence claim arising from the breach of protected health information.