In a legal area with increasing regulatory oversight, companies dealing with personal or sensitive information must keep up with the latest development in data protection. Although securing customer data and ensuring compliance with protection obligations is obviously critical, another important aspect of data protection is ensuring appropriate response in case of an actual data breach.
A company’s obligations in case of data breach is now regulated by law in all 50 U.S. states and the District of Columbia. All states and DC now have data breach notification laws on the books, requiring companies to timely notify consumers of the breach. Furthermore, recent trends continue toward expansion of information covered by these data protection and strengthening of consumer protection.
The newly enacted General Data Protection Regulation (“GDPR”) in Europe is a major development in the field of data protection. GDPR is one of the most expansive data protection laws in the world. With the passage of GDPR and increasing public concern over data protection, many U.S. states are now strengthening their own data protection laws. Data protection laws in California and Vermont are some of the most stringent in the country.
Furthermore, multiple states have amended their data protection laws in 2018, mostly expanding the scope of protected information and clarifying or adding obligations in case of a breach.
For example, Louisiana is one on the states that has amended its laws in 2018 to provide stronger protections. Act 382 strengthens protection for consumers with personal information in commercial database. The Act expands the scope of covered information to biometric data, such as fingerprints, voiceprints, retina scan, iris scan, and other biological identifying characteristics. The Act also requires prompt notice of a breach. If a database containing such information is breached, the company managing the database must notify the relevant authorities within 60 days.
Act 382 also has a rather wide scope of coverage. Not only does the act cover companies that conduct business in Louisiana, it also covers entities that license or own computerized data of personal information of Louisiana residents. Such “Subject Entities” must implement reasonable security procedures and measures to guard against breaches, destruction, use, modification, and disclosure. Subject Entities must also ensure that personal information is destroyed in a sufficient manner to make the information unreadable or undecipherable. These changes mean that businesses that fall under the scope of the law must take care to ensure that their data protection practices meet the law’s requirements and that they have a plan in place in case of any breach of personal information.
About K Todd Wallace
Kenneth Todd Wallace is an attorney at the law firm Wallace Meyaski, LLC, in New Orleans, Louisiana. He has nearly 20 years of experience in the legal and business professions with established excellence in trial advocacy, negotiation, strategic and initiative planning, employment law compliance, government relations, mergers and acquisitions, and team building.
Facebook page of the Law Firm: https://www.facebook.com/WallaceMeyaski/
Facebook page of Kenneth Todd Wallace, Attorney at Law:
LinkedIn Profile of Kenneth Todd Wallace: https://www.linkedin.com/in/k-todd-wallace-03895358/
Lawyer Profile at: http://lawyers.lawyerlegion.com/louisiana/kenneth-todd-wallace-18001529
Lawyer Profile: http://www.lawyerdb.org/LawFirm/Wallace-Meyaski-LLC-New-Orleans/
Twitter: www.twitter.com - Todd Wallace@tarheeltodd94