April 02, 2021

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

Virginia Enacts Its Own Consumer Privacy Law

By Dredeir Roberts, In House Counsel at Core States Group and ABA Business Law Fellow

On March 2, 2021 Virginia’s Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law. The Act targets businesses that collect or sell “Personal Data” from Virginia consumers. Personal Data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Entities excluded from the Act’s requirements include non-profits and higher education institutions. This Act grants Virginia consumers several rights with respect to Personal Data, including the right to request access, the right to correct, and the right to delete their Personal Data from company records. While there is no express private right of action in the Act, an uncured violation alleged by the attorney general could bring about fines of up to $7,500 per violation. Qualifying businesses have until January 1, 2023 to become compliant with the Act.

Utah Enacts Cybersecurity Affirmative Defense Act

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

On March 11, 2021, the Governor of Utah signed into law the Cybersecurity Affirmative Defense Act, which provides affirmative defenses to a person that suffers a data breach if that person had in place a written cybersecurity program at the time of a data breach. Utah Code §78B-4-701 et seq. Utah becomes the second state (after Ohio) to enact such a law.

The affirmative defenses will apply to claims brought under Utah state law or in Utah courts that allege a person failed to implement reasonable security and thus suffered a data breach, or failed to appropriately respond to or notify an individual of a data breach. To qualify for the defenses, a person must create, maintain, and reasonably comply with a written cybersecurity program that meets specific criteria and reasonably comply with a “recognized cybersecurity framework”. Recognized frameworks includes certain industry frameworks, like those published by the National Institute of Standards and Technology or the International Organization for Standardization, and frameworks established by state or federal law, such as HIPAA or GLBA). The law takes effect May 5, 2021.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.