In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

The eDiscovery and Information Governance Group has been ranked in Tier Three in the latest Legal 500 ranking. Richard (Rick) Lutkus was also recognized as a Rising Star in Media, Technology & Telecoms – Cyber Law. Rick Lutkus and Kathleen McConnell were also recognized by the editorial as recommended lawyers. Led by Scott Carlson (also ranked in the Legal 500) and Jay Carle, the group has been lauded by clients and peers for their “legal experience, computer science knowledge, exceptional business judgment and standout integrity”.

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities. The Legal 500 United States recognizes and rewards the best in-house and private practice teams and individuals over the past 12 months. The awards are given to the elite legal practitioners, based on comprehensive research into the U.S. legal market. To learn more about the ranking, please visit this link https://www.seyfarth.com/Accolades/legal500053019.

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer privacy interest groups and plaintiff-oriented trial lawyers, who were banking on even more lucrative individual consumer violation claims after January 1, 2020.

The original proposed amendment would have expanded the private cause of action to any violation of the CCPA, and eliminated the 30-day cure period for alleged violations. California Attorney General Xavier Becerra had earlier expressed his support of Senate Bill 561, reportedly in order to relieve the enforcement burden of the Attorney General’s office (and despite the fact that the CCPA sets up a fund to finance enforcement activity by the Attorney General). The original proposed bill and its potential impact were discussed in an earlier post on this site.

Businesses should celebrate this development as a more reasoned and balanced approach to individual rights under the CCPA with the goal of appropriate and fair governmental enforcement. Organizations and businesses dealing with California residents should be on the lookout for the California Attorney General’s enforcement rules announcement this Fall.

Cross-Posted from The Global Privacy Watch Blog

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII. Continue Reading And Texas joins the Privacy Fray – Part 2 (or, Everything is Bigger in Texas…)

Cross-Posted from The Global Privacy Watch Blog

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act. Continue Reading And Texas Joins the Privacy Fray – Part 1 (or, the Elephant in the room just got a LOT bigger…)

Picture your client telling you they were considering starting a litigation, but that they did not yet have all the facts needed for you to prepare a pleading.  Now add the wrinkle that the action would need to be forumed in a foreign country, one with discovery rules narrower than those in the United States, and then the kicker, that some of the relevant documents are held by third parties outside of the planned litigation forum.  Although your initial reaction might be that your client is out of luck, 28 U.S.C. § 1782, which allows foreign litigants (or soon-to-be litigants) to obtain discovery in the United States, under U.S. discovery rules, for use in a pending or contemplated foreign proceeding, might offer some help.

Under Section 1782, a federal courts can grant an application for discovery in aid of a foreign proceeding (or planned proceeding) if the applicant: (a) has an interest in the foreign proceeding; (b) the discovery will be used in that foreign proceeding; and (c) the target of the discovery request resides in the judicial district where the request is made.[1]  However, federal courts can deny the discovery request, even when those statutory factors are met, based on purely discretionary factors such as whether the target is a party to the litigation, whether the applicant is attempting to circumvent either U.S. or foreign proof gathering restrictions, and whether the requests are found “unduly burdensome.”[2]  Although one might think that overworked federal courts would often use those discretionary factors to deny discovery requests in support of litigation pending in a far-flung forum, federal courts routinely grant Section 1782 applications.  Two recent decisions—one granting and one denying a Section 1782 application—show just how broad discovery under Section 1782 can be. Continue Reading The Broad Scope of 28 U.S.C. Section 1782

One benefit of living in the digital age is that we no longer need to travel to our attorney’s office to place a wet signature on an important contract or mortgage document. Parties now regularly execute multi-million dollar real estate transactions, non-competition agreements, and stock purchases, among other agreements, using digital signature applications. The most often used application, DocuSign, boasts that its solution enables you to electronically sign while meeting the requirements of the ESIGN Act and the Uniform Electronic Transactions Act in the United States, in addition to complying with most other laws in countries where electronic signatures are recognized.

As trial lawyers who often encounter these agreements after a deal has soured, we now have an additional evidentiary burden as we lay a foundation in court and authenticate these documents which the parties “signed” digitally. As with traditional wet signatures, we can anticipate that in some instances we will need to prove that the obligee digitally “signed” the document after he or she denies doing so.

DocuSign offers multiple levels of security and authentication that allow a sender to determine how thoroughly a signer must identify him or herself, including using email, access codes, SMS, phone, and knowledge based identity checks. In these cases, reviewing the authentication data is the digital equivalent of hiring a handwriting expert to authenticate a contract signature. Continue Reading Authenticating Digital Signatures at Trial

Just when we thought we had an remote understanding on how the California Consumer Privacy Act (“CCPA”) would work from an enforcement and penalty perspective, Senate Bill 561 was introduced on February 22. The bill has the full support of Attorney General Xavier Becerra and appears to be heading for a vote; the odds are favoring passage.

It is not surprising that the Attorney General supports the proposed changes because they remove some of the biggest headaches for enforcement and administration. These include elimination of the Attorney General’s obligation to provide guidance to businesses, upon request, about how to comply with the CCPA, and removal of a 30-day cure period before enforcement actions can begin.

In addition to relieving the Attorney General’s administration and enforcement constraints, SB 561 contains a more drastic and significant change. By the removal of one short sentence, SB 561 expands the individual cause of action for statutory damages beyond narrowly defined data breach situations (unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information) and throws open the doors. Under the proposed version, any consumer with a claim that his or her CCPA rights are violated (presumably in any manner) may bring a civil suit and claim statutory damages of up to $750 per incident. This change, combined with the ability for claims to be pursued on class-wide basis, could be a potential bonanza for plaintiffs’ attorneys.

The proposed revision keeps the 30-day cure period for individual claims, although the grace period is removed for the Attorney General’s enforcement actions.  This is some small relief for individual claims, although it is still difficult to imagine how a business could “cure” a data breach or other incident violation, such as a failure to respond to a consumer request in the proscribed period of time. It is conceivable that the 30 day cure could provide some defense against de minimis technical violations, like the failure to provide appropriate notification language, disclosures, or contact information for consumers. Arguably, even the failure to provide an adequate response to a cure notice (“an express written statement that the violations have been cured and that no further violations shall occur…”) could itself raise a claim for statutory damages.

From a business and commercial compliance standpoint, it is starting to appear that the stakes will be even higher on January 1, 2020.

Every day all over the world, companies fall victim to cybersecurity attacks.  It’s nearly a constant these days.  Many of these attacks are preventable with the right amount of attention to detail in system setup and hardening.  The three common themes in postmortem examination of all of these attacks boil down to 1) human error; 2) configuration error; 3) failing to proactively defend.  In this series of six posts, we will dive into each attack’s anatomy, the attack vector, and the ways companies can attempt to avoid being victim to them.  In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance based on their experience handling claims.

#1  Email Spoofing and Wire Fraud

This attack is essentially a wire instruction interception/redirection or wholly fake request for a transfer.  This is an event that comes up daily or at least weekly in any cybersecurity professional’s world.  This attack typically plays out with a threat actor masquerading as a legitimate authority within a company, typically someone in the C-suite or Director level.  To make it successful, the recipient of the wire transfer request has to believe it’s legitimately originating from one of those authoritative people.

One way attackers do this is using actual stolen credentials.  Despite the flood of data security breaches and database hacks, people unfortunately still use weak passwords and also re-use passwords.  We have seen dozens of instances of successful credential attacks where the attacker used publicly available database leak information to gain unauthorized access to corporate accounts.  The approach goes like this: an attacker harvests information regarding corporate leadership from various data sources about companies (LinkedIn, Dunn & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target.  They then cross-reference those names to leaked credential databases, often times hosted on Darkweb sites, IRC chat rooms, or other forums dedicated to hacking.  If the attacker is able to find other accounts belonging to their targets that have been compromised and have a password, they can try that password, and tens of thousands of variations of it, to attack the corporate account of their victim.

Continue Reading Top Five Most Common Cybersecurity Attacks and How to Prevent Them – Part 1: Email Spoofing and Wire Fraud

California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now