Amazon’s financial records have revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), is fining the retailer’s European arm (Amazon Europe Core S.à.r.l.) an eyewatering 746 million euros (£636m or $838m) for breaches of the EU’s General Data Protection Regulation (“GDPR”).

When the GDPR was introduced in May 2018, the potential for huge financial sanctions grabbed many headlines: it gives European supervisory authorities the power to impose fines of up to 20 million euros or 4% of annual global turnover (whichever is greater) for breaches of the GDPR. There have been some undeniably sizeable fines issued under the GDPR in the last three years. But the level of this particular fine is extraordinary: it’s the largest GDPR fine issued to date by a considerable margin. The second largest fine ever imposed under the GDPR was a comparatively paltry 50 million euros, levied against Google by CNIL (the French supervisory authority) in early 2019 (which you can read about here).


Continue Reading CNPD v. Amazon, the largest GDPR fine on record – what do we know so far?

New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on

On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting.  The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of subcommittees of the Board, notice to the Attorney General regarding the assumption of rulemaking under the California Privacy Rights Act (the “CPRA”), and setting future agenda items and a meeting schedule for the Board.  (As a refresher, when the CPRA passed as a ballot measure last Fall, it established the CPPA as a first-of-its-kind agency solely devoted to the regulation and enforcement of consumer privacy.  The CPPA is tasked with enforcing the CPRA and developing a set of regulations providing guidance for businesses on how to comply with that new law.  For more on the CPRA, please see our post here.)

While the CPPA Board’s June 14 full-day meeting covered a lot of ground, it is clear there is much work to be done for the CPPA to emerge as an independent, fully-functional agency, let alone promulgating regulations in time to meet the CPRA’s July 1, 2022 deadline for final regulations.  Overall, the Board members appeared to be committed to working through these challenges, but acknowledged that they are under a lot of time pressure.


Continue Reading Starting at the Beginning: California Privacy Protection Agency Board Meets for the First Time

Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems.  Employees with access to information at work sometimes access that information with improper motives, and in violation of office policies.  This inappropriate use of access has led to federal criminal prosecution for some.  In Van Buren v. United States, No. 19-783, the United States Supreme Court held that the CFAA is not properly applied to justify those prosecutions.

Nathan Van Buren was a police officer who accepted $6,000 from Andrew Albo, a participant in an FBI sting operation, to search a police database to determine whether a woman Albo professed interest in was an undercover police officer.  Van Buren ran a search for the woman’s license plate in the Georgia Crime Information Center database.  For doing so, Van Buren was charged and convicted of violating the CFAA, because he had “exceeded” his authority to access that database.


Continue Reading Federal Law Won’t Protect Your Organization from Bad User Access Control Practices

On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.


Continue Reading DOL’s New Cybersecurity Guidance

The technology sector runs the gamut from artificial intelligence (AI), the Internet of Things (IoT) to SaaS companies or cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here.  Risks of investing in SaaS Solutions can be found here and here.  Technology is everywhere in 2021, even in the smallest brick and mortar shops around.  Technology investing offers lucrative opportunities for investors large and small, but there are many traps for the unwary, such as “zero-day exploits.”

Continue Reading Tech Investing Part 1: Zero Hour

Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.


Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.


Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

Earlier this year, U.S. Senator Sherrod Brown of Ohio released a draft discussion bill that if implemented would drastically alter corporations’ ability to collect and use personal information from consumers.

According to Sen. Brown, “We need legislation now more than ever that empowers Americans to control their personal information. No person should have to worry about being spied on, just as no one should worry about their information being bought and sold or stolen.” Brown believes that his bill would “change the fundamental framework of privacy in this country” by shifting the burden of privacy protection from consumers to corporations. Brown’s new bill is critical of the current consent-based framework that requires customers to agree to privacy policies in order to use specific online service.


Continue Reading Senator Brown Proposes New Privacy Bill