On March 11, 2020, the second set of modifications (or the third version) of the CCPA draft regulations were released. While the number of substantive changes dwindled in this version, there are a number of drafting...more
During their COVID-19 preparations, companies are dusting off -and deploying- their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still...more
The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address...more
The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to...more
The FTC recently settled with Infotrax Systems, L.C. a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had...more
11/21/2019
/ Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Hackers ,
Personally Identifiable Information ,
Popular ,
Settlement ,
Software Developers ,
Technology Sector
Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many...more
9/30/2019
/ CNIL ,
Cybersecurity ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
New Guidance ,
Personal Data ,
Recordkeeping Requirements
Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements.
In August 2019, the Maryland...more
Illinois has updated its breach notice law to require, effective January 1, 2020, notice to the Illinois Attorney General of a data breach involving more than 500 Illinois residents.
The law contains specific requirements...more
As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective...more
New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required...more
8/27/2019
/ Cybersecurity ,
Data Breach ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
New Legislation ,
Personally Identifiable Information ,
Policies and Procedures ,
Security Risk Assessments ,
SHIELD Act ,
State Data Breach Notification Statutes
Global corporations will soon have another privacy law acronym to address. In one year (August 2020), Brazil will join the fray with its own general privacy law, the Lei Geral de Proteção de Dados Pessaoais (General Data...more
8/21/2019
/ Brazil ,
Data Collection ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Protection Authority ,
Data Security ,
Data Subjects Rights ,
New Legislation ,
Personally Identifiable Information ,
Privacy Laws
The Federal Trade Commission is requesting comments and input on the effectiveness of the 2013 amendments it made to the Children’s Online Privacy Protection Rule. Although the FTC typically reviews its rules every ten years,...more
7/29/2019
/ Amended Rules ,
Comment Period ,
Cookies ,
COPPA ,
Data Collection ,
Data Privacy ,
Data Protection ,
Federal Trade Commission (FTC) ,
Online Safety for Children ,
Parental Consent ,
Personal Information ,
Public Comment
International companies should keep in mind recent developments coming out of Asia on the privacy front. Chinese authorities are reported to be confiscating smartphones at the border to install surveillance apps. Companies...more
7/25/2019
/ China ,
Cyber Threats ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Government Investigations ,
Hong Kong ,
Law Enforcement ,
Memorandum of Understanding ,
Personal Data ,
Popular ,
Singapore ,
Trade Secrets
Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has...more
7/3/2019
/ Amended Legislation ,
Cooperation ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Duty to Investigate ,
Personally Identifiable Information ,
State Data Breach Notification Statutes ,
Vendors
New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor, Greg Abbot, on...more
The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The companies’ clients...more
6/25/2019
/ Car Dealerships ,
Cybersecurity ,
Data Breach ,
Data Collection ,
Data Processors ,
Data Protection ,
Data Security ,
Data Storage ,
Federal Trade Commission (FTC) ,
Gramm-Leach-Blilely Act ,
Hackers ,
Personally Identifiable Information ,
Safeguards Rule ,
Section 5 ,
Security Risk Assessments ,
Settlement
Nevada recently amended its existing online privacy law to give Nevada residents the ability – in certain circumstances – to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019,...more
6/21/2019
/ Amended Legislation ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Use Policies ,
Data-Sharing ,
Opt-Outs ,
Personally Identifiable Information ,
Privacy Laws ,
Privacy Policy ,
Website Owner Liability
The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office...more
6/12/2019
/ Broker-Dealer ,
Cloud Storage ,
Customer Information ,
Data Outsourcing ,
Data Protection ,
Data Security ,
Data Storage Providers ,
Investment Adviser ,
Policies and Procedures ,
Regulation S-ID ,
Regulation S-P ,
Risk Alert ,
Securities and Exchange Commission (SEC) ,
Vendors
California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to...more
5/29/2019
/ Amended Legislation ,
California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Rights ,
Data-Sharing ,
Pending Legislation ,
Personal Data ,
Personally Identifiable Information ,
Privacy Laws ,
Private Right of Action
Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in...more
North Dakota criminal law currently contains penalties for misusing the personal information of another. That law has been expanded, and beginning August 1, 2019, it is a class B felony to use a skimmer or scanning device to...more
The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being...more
4/24/2019
/ Comment Period ,
Cybersecurity ,
Data Privacy ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Public Comment
The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member...more
4/18/2019
/ Consent ,
Data Breach ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
Information Commissioner's Office (ICO) ,
Notification Requirements ,
Personally Identifiable Information ,
Privacy Policy ,
UK
The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe,...more
4/3/2019
/ Biometric Information ,
CNIL ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Acts ,
Data Protection Authority ,
Data Security ,
Employee Privacy Rights ,
Employer Liability Issues ,
General Data Protection Regulation (GDPR) ,
New Rules
The European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about...more