As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. Data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now proscribed specific standards and requirements in
Janet P. Peyton
Janet practices in the areas of intellectual property and data privacy and security. Janet provides worldwide brand protection, enforcement, licensing and transactional IP services, and she assists clients with preventive data security as well as compliance issues in the aftermath of a data breach.
Virginia’s New Consumer Data Protection Act (CDPA)
On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first-of-its-kind legislation on the East Coast. The law will go into effect on January 1, 2023.
The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.…
Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too
Data privacy is a top concern for many in-house legal professionals – and for good reason – data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.
On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:
- Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!). But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
- Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time. It’s certainly not too early to get started.”
Frenemies Video Series – Season 1: Marketers and Lawyers Learn to Speak the Same Language
There’s tension in this relationship. Marketing and the legal department know they need each other, but that doesn’t mean they always understand each other.
Marketers are out-of-the-box thinkers whose ideas engage customers and drive company revenue. Lawyers help the business stay in business by avoiding unnecessary risk, which sometimes requires them to say “no” to the marketing team’s ideas. It’s no wonder the departments are often frenemies, supporting the same organizational goals, but sometimes pushing back on each other.
In the interests of peace, love and understanding, McGuireWoods’ IP and privacy teams present “Frenemies,” a series of short videos covering legal considerations in advertising. We hope these episodes help marketing and legal departments understand each other, work together, issue-spot, and maybe go from being frenemies to friends. Registration is not required and after release, each season will be available for binge watching from your office or your couch.…
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities?
On July 16, 2020, Blackbaud, a U.S.-based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on its servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbaud’s handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminal’s ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.…
ECJ Invalidates the EU-US Privacy Shield! How Safe is it to Use SCCs for Data Transfers from the EU to the US?
In its long awaited judgment in the Schrems II case, the ECJ has this morning invalidated the EU-US Privacy Shield citing the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” in respect of personal data transferred from the European Union to the United States on the basis that such limitations do not provide the protections ensured under EU law. The ECJ’s concerns centered around certain US surveillance programs which are not limited to what is strictly necessary and EU data subjects not having effective rights of enforcement against US authorities under US laws.
Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It
The global coronavirus pandemic continues on, and the cyberattacks and scams continue to multiply. In the midst of the pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information. Below are some of the latest examples of attacks and vulnerabilities to be aware of:
Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS
In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information.
For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infects the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.…
The New CFPB Consumer Protection Principles
On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses…
Obama Order Establishes Federal Privacy Council
On Tuesday, February 9, 2016, President Obama issued an Executive Order establishing the “Federal Privacy Council,” an interagency council of senior officials from each of 24 federal departments and agencies. The Council is to be the “principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf.” The Council…