
This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures. There is a section in the bulletin discussing whether victims should consider paying ransom to attackers. According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data,” and paying ransoms emboldens criminals to target others.

Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list).  However, several others are more specific.  All of the measures listed should be considered as parts of a comprehensive standard information security program.

Among the FBI’s recommended “Cyber Defense Best Practices” are:
Continue Reading FBI Public Service Announcement on Ransomware

In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem, as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states that introduced consumer privacy legislation, we found, simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.

First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of when evaluating compliance measures:
Continue Reading Nevada: Bucking the Wait and See Approach to Consumer Privacy Law

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills—including AB 25. And while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill that made it out of committee has the potential for a far greater impact than anyone seems to be noticing.
Continue Reading CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer

California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees and customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019.
Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now

The European Data Protection Board (EDPB) recently issued a report after their November 16, 2018 plenary session.  The statement covered a range of topics being discussed by the Board, but no substantive publications.  The EDPB is charged with ensuring that GDPR is applied consistently across the EU and that there is consistent enforcement by DPAs

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

Continue Reading California’s Consumer Privacy Act of 2018 – Get Ready for New GDPR Style Requirements in the US

A trial court opinion involving allegations of spoliation of text messages on a mobile phone in the Southern District of New York has gotten attention because of the application of legal preservation standards. Ronnie Van Zant, Inc. v. Pyle (2017 BL 3018, S.D.N.Y. 17 Civ. 3360 (RWS), 8/23/17) is an interesting read, not just because it involves odd characters, intrigue and drama surrounding one of the greatest Southern Rock bands of all time. It also includes some instructive information about the application of the “practical ability” test for preservation, and the uphill battle for witnesses who lose credibility in testimony about what they did and did not do in a preservation effort.

Not long after the tragic plane crash that resulted in the deaths of Lynyrd Skynyrd lead singer Ronnie Van Zant and his co-founding band member Steven Gaines, Artimus Pyle, the former drummer, entered an agreement with the surviving heirs and other members of the band. The agreement involved promises to never perform as “Lynyrd Skynyrd,” or to generally profit from the name of the band or the tragic deaths of Van Zant or Gaines without approval of the original parties to the agreement. Their dramatically named “blood oath” agreement was more concretely memorialized in a Consent Order in 1988, following other litigation, which Pyle signed.

Over 20 years after the 1988 Consent Order, the drama that spawned the litigation began in a story that sounds like it came from a Netflix mini-series.  A film director named Jared Cohn, who worked under contract for an independent record label-turned movie producer, Cleopatra Records, Inc. (“Cleopatra”) reached out to Pyle about making a movie centered around the band and Pyle’s life in it.  Cohn was hired by the founder and co-owner of Cleopatra Records, Brian Perera, who is another interesting character in his own right. Pyle met and consulted with Perera on multiple occasions about ideas for a film generally depicting his life and the plane crash, which Pyle survived.  In their first conversations, Pyle did not mention the 1988 Consent Order, but the Order eventually was delivered to Cleopatra.  The copy of the Order was also eventually followed by a “cease and desist” letter and other correspondence from the Plaintiffs’ counsel.  All the while, Cleopatra’s movie production work continued.
Continue Reading Spoliation and Southern Rock