On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA). The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version. The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward. It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline. The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.
Continue Reading California Attorney General’s Modified CCPA Regulations: Top Ten Changes
CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims
In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.
For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.Continue Reading CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims
California Attorney General’s Public Hearings on CCPA Regulations in Los Angeles and San Francisco—An Overview
This week, the California Attorney General held public hearings on the draft California Consumer Privacy Act (CCPA) regulations it issued in October. We attended the hearings in both Los Angeles and San Francisco. One clear message resounded — unintended consequences of the proposed regulations if left as drafted.
Both hearings were well-attended, with dozens of comments from businesspeople, attorneys, and a handful of concerned citizens. In addition to these two hearings, the Attorney General also held public hearings in Sacramento and Fresno, and is accepting written comments through Friday, December 6, 2019. If the Los Angeles and San Francisco hearings are any indication, there are many areas in which the Attorney General could provide further clarity should it choose to revise the current draft regulations.Continue Reading California Attorney General’s Public Hearings on CCPA Regulations in Los Angeles and San Francisco—An Overview
The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part III)
Welcome back to our three-part series providing an overview of CIPA, recent CIPA class actions, and class action defenses. In Part I we provided an overview of CIPA and its recent resurgence in the age of smart speakers. In Part II we highlighted recent class actions alleging CIPA violations involving the use of smart speakers. Here, we address potential defenses in response to a motion to certify a CIPA class.
Defenses to a CIPA Class Action
These recent lawsuits are good reminders of the real privacy concerns with new developing technologies. Below is an overview of practice pointers and lessons learned from CIPA lawsuits if you are named in CIPA litigation.
Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part III)
The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part II)
Welcome back to our three-part series examining CIPA class actions and defenses. In Part I of this series, we provided an overview of CIPA and its recent resurgence in the age of smart speakers. Here, we review recent CIPA class actions and common violations.
CIPA Finds New Life in the Wake of the “Smart” Devices
According to a recent report, over a quarter of the adult population in the United States owns a smart speaker.[1] As smart speakers gain popularity, privacy litigation risks continue to grow. Recently-filed complaints utilize CIPA to attack the practice of recording and storing communications between a customer and a smart device such as smart phones or smart speakers.[2] In 2019 alone, we have seen a rise in the number of cases against major technology companies alleging CIPA violations related to smart devices. Below is an overview of those recent cases.
Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part II)
The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part I)
Welcome to a three-part series that provides an overview of the California Invasion of Privacy Act (CIPA), examines recent CIPA litigation involving smart speakers, and proposes defenses in response to an alleged violation.
CIPA in the Age of Smart Devices
The California Invasion of Privacy Act (CIPA)[1]—traditionally used by law enforcement and the plaintiffs’ bar to address illegal recording/eavesdropping on phone calls—has seen renewed interest in the age of smart speakers. Smart speakers, such as Amazon’s Alexa, Google Home and Apple’s Siri, are voice-enabled devices where the user utters a “wake word” to activate a “virtual assistant”. A number of putative class actions have recently been filed over these “virtual assistants” and whether they illegally record individuals without their consent. This recent spate of lawsuits highlights CIPA-compliance risks associated with these new technologies. This article provides an overview of CIPA’s history and features, addresses recently filed CIPA smart-device cases, and recommends defenses for responding to a smart device CIPA action.
Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part I)
What is Your Family Office Doing to Protect Itself From Security Threats? (Part III)
Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.
How Family Offices Can Defend Against Cyberattacks
Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is reactive to ongoing and updating threats.
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part III)
What is Your Family Office Doing to Protect Itself From Security Threats? (Part II)
Welcome back to our three-part series examining vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. Here, we will review different types and trends of cyberattacks.
Cyberattack Trends
Most cyberattacks are the result of “phishing” emails. “Phishing” refers to a deceptive effort to obtain the recipient’s sensitive information by disguising the sender as someone the recipient knows and would trust. Phishing recipients can be deceived into downloading malicious software, providing personal information like account numbers or PINs, wiring funds or paying invoices to cyber-criminals. Ransomware is malware that denies the victim access to their system’s files until the victim pays a ransom. While malware can also take the form of “drive-by” downloading when a victim visits a website prompting the malware to download, over 90% of malware is still delivered via email.
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part II)
What is Your Family Office Doing to Protect Itself From Security Threats?
At least 25% of family offices have been subjects of cyberattacks, and nearly 40% of them lack a cyber security policy. Welcome to a three-part series that will examine the cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks.
Family Offices Are Particularly Vulnerable to Cyber-Crime
As part of the global increase in the number of billionaires worldwide, family offices have evolved from little more than holding companies to highly sophisticated financial firms managing family wealth, administering assets and acting like a typical private equity or debt fund. Family offices are managing almost 50% of Ultra High Net Worth family wealth. Given the vast amount of wealth that family offices support, they are prime targets for cyber crime, which some analysts project will account for a global $6 trillion cost by 2021. The fact that nearly 40% of family offices do not even have a cybersecurity policy in place highlights the need for improvement when it comes to making themselves less vulnerable to cybercrime.
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats?