For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD.  New York state recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short.  This Act expands New York’s data breach notification statute in definition, notice, scope, and compliance requirements of any individual or business handling New York residents’ computerized private information.

The SHIELD Act first redefines “private information” to include username or e-mail address in combination with a password or security question and answer for online accounts as well as biometric information.  It also allows for reporting a breach if an account or credit card number alone (i.e. without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”  Slightly more nuanced, it expands the definition of “breach of security of the system” to include an unauthorized access of private information as well as an unauthorized acquisition.  Addition of “access” means the statute will be triggered without an incident having to reach “acquisition,” a term more readily applicable in scenarios impacting control, possession and use of that private information. Continue Reading Look Out Marvel, There’s a NEW SHIELD in Town

Cross-posted from The Global Privacy Watch blog.

Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there so, one reviews anyway.

Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress. Continue Reading And the Wait for CCPA Rules is Over …. Kind Of

This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures.  There is a section in the bulletin discussing whether victims should consider paying ransom to attackers.  According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee and organization will regain access to its data,” and paying ransoms emboldens criminals to target others.

Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list).  However, several others are more specific.  All of the measures listed should be considered as parts of a comprehensive standard information security program.

Among the list of the FBI’s “Cyber Defense Best Practices” recommended are: Continue Reading FBI Public Service Announcement on Ransomware

In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states, we found, that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.

First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of, when evaluating compliance measures:   Continue Reading Nevada: Bucking the Wait and See Approach to Consumer Privacy Law

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills—including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing. Continue Reading CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

The eDiscovery and Information Governance Group has been ranked in Tier Three in the latest Legal 500 ranking. Richard (Rick) Lutkus was also recognized as a Rising Star in Media, Technology & Telecoms – Cyber Law. Rick Lutkus and Kathleen McConnell were also recognized by the editorial as recommended lawyers. Led by Scott Carlson (also ranked in the Legal 500) and Jay Carle, the group has been lauded by clients and peers for their “legal experience, computer science knowledge, exceptional business judgment and standout integrity”.

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities. The Legal 500 United States recognizes and rewards the best in-house and private practice teams and individuals over the past 12 months. The awards are given to the elite legal practitioners, based on comprehensive research into the U.S. legal market. To learn more about the ranking, please visit this link https://www.seyfarth.com/Accolades/legal500053019.

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer privacy interest groups and plaintiff-oriented trial lawyers, who were banking on even more lucrative individual consumer violation claims after January 1, 2020.

The original proposed amendment would have expanded the private cause of action to any violation of the CCPA, and eliminated the 30-day cure period for alleged violations. California Attorney General Xavier Becerra had earlier expressed his support of Senate Bill 561, reportedly in order to relieve the enforcement burden of the Attorney General’s office (and despite the fact that the CCPA sets up a fund to finance enforcement activity by the Attorney General). The original proposed bill and its potential impact were discussed in an earlier post on this site.

Businesses should celebrate this development as a more reasoned and balanced approach to individual rights under the CCPA with the goal of appropriate and fair governmental enforcement. Organizations and businesses dealing with California residents should be on the lookout for the California Attorney General’s enforcement rules announcement this Fall.

Cross-Posted from The Global Privacy Watch Blog

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII. Continue Reading And Texas joins the Privacy Fray – Part 2 (or, Everything is Bigger in Texas…)

Cross-Posted from The Global Privacy Watch Blog

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act. Continue Reading And Texas Joins the Privacy Fray – Part 1 (or, the Elephant in the room just got a LOT bigger…)