< Back to Previous Page
Related Practices

E-Commerce Law Week, Issue 579

October 17, 2009

Data Breach Notification Spreads South of the Border -- Way South

Uruguay recently issued mandatory data breach notification provisions as part of regulations implementing its Personal Data Protection Act (Law 18331).  Article 8 of the Act (Decree No. 414/009) requires that "[w]henever those responsible for or in charge of a database … learn of security breaches at any stage of the (data) treatment process that have the potential of affecting the rights of the injured parties in a significant way, they must inform them of this incident."  The Act and regulations were adopted as part of Uruguay's effort to satisfy the EU Directive on Data Protection, No. 95/46/EC, and to become a premiere Latin American outsourcing point for banking, call-center operations, airplane ticket sales, and other international financial and administrative services.  Few other countries currently require notification of individuals affected by a data breach; Japan, Norway, and Germany, are among the few that do so, along with 45 U.S. states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands.  Mandatory notification is, however, likely to come to the EU in the next year or two as part of proposed revisions to the EU electronic communications framework.  And South Africa's Protection of Personal Information Bill, which was approved by the Cabinet and is now before Parliament, would make notification mandatory.  The spread of such laws makes it all the more imperative for multinational companies to put in place effective data security measures and a response plan to deal with any breaches that do occur.

Governor Vetoes Expanded Breach Notification Requirements in California

California Governor Arnold Schwarzenegger has vetoed legislation (SB 20) that would have required any "agency, person, or business that is required to issue a security breach notification to more than 500 California residents pursuant to existing law" to also notify the state attorney general.  This is the second time in the last two years that Governor Schwarzenegger has vetoed amendments to California's seminal data breach notification law.  As we previously reported, the Governor vetoed AB 1656 in 2008, which would have required notification of the Office of Information Security and Privacy Protection if a business was opting for substitute notice rather than direct notification of affected residents.  Also failing to gain gubernatorial approval this month was AB 632, which would have required social networking websites to warn users that images uploaded onto the website could be freely copied without consent and in possible violation of the website's privacy policies.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.

CONTACT US | PRIVACY | TERMS OF USE | © 2012 STEPTOE & JOHNSON LLP, ALL RIGHTS RESERVED | ATTORNEY ADVERTISING | SITE BY FIRMSEEK
Beijing | Brussels | Century City | Chicago | London | Los Angeles | New York | Phoenix | Washington