Consistent with global developments, the landscape of privacy and cybersecurity laws in the United States has been rapidly changing. Data privacy and cybersecurity are regulated at both the federal and state level in the United States, and it is at the state level that many of the major legislative developments have occurred in recent years. Most notably, California recently enacted the most sweeping general privacy standard in the United States. In addition, all 50 states now have data breach notification laws, and those laws have been evolving and growing in scope, with more states expanding the categories of information that would trigger notification obligations. States have also moved into regulating other aspects of data privacy and cybersecurity and are increasingly adopting cybersecurity requirements that are much more specific than the usual “reasonable and appropriate” standard. For example, Ohio has passed a law that provides a cybersecurity safe harbor, and Vermont now imposes specific minimum data security requirements on data brokers. These constant changes create challenges for managing effective compliance programs, and staying abreast of these changes is key to maintaining effective cybersecurity and data privacy compliance programs.
