As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”
Data Security Law BlogVisit the Full Blog
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.
On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.
As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020. The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents.
SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements
It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.
Professional athletes, teams, and leagues have embraced wearable technology. But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.
On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students. And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.
A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.
The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.
While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site—without sufficient safeguards—may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.
On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC). In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy. Pai’s appointment suggests that significant changes may be on the horizon.
Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage. According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.
Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.
Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders. An unofficial English translation of the newly-enacted law is available here.
Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.
Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
Come Back With a Warrant: Proposed Rule Change Expands the Government’s Ability to Access Electronically Stored Information in Criminal Investigations
On April 28, 2016 the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.
In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on Wednesday that it would not affirm the adequacy of the Privacy Shield deal.
The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.
On April 14, 2016, the U.S. Attorney for the Southern District of New York filed a civil forfeiture action seeking to recover nearly $100 million stolen from an unidentified U.S. company through a form of wire fraud or Automated Clearing House (“ACH”) fraud.
On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service. The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices. The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.
On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.
American and European officials failed to meet the January 31st deadline for a new agreement on the transfer of data between the United States and Europe, disappointing hopes that the two sides would broker a deal to replace the now-invalidated U.S.-EU Safe Harbor Framework.
U.S. and European Commission officials announced on Tuesday that they have reached an agreement in principle on a new EU-U.S. Privacy Shield to permit the flow of data between Europe and the United States. The new deal follows on the heels of reports Monday evening that U.S. and European officials were continuing to negotiate a replacement for the now-defunct Safe Harbor Framework, after officials failed to reach an agreement by the January 31st deadline.