The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become complaint if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws.
Continue Reading New Utah Privacy Law Largely Overlaps with Existing State Statutes

Investing in artificial intelligence (AI) companies has become a riskier and more involved process than in previous years.  Companies need new processes and tools to follow the more stringent AI regulations that are on the horizon (at least in Europe and the United States).  Regulators are discussing how best to structure AI regulations in order to align risk management with optimizing the potential value creation of these technologies.  Investors should take a similar approach in their investment strategy. Read on for a discussion of the considerations investors should keep in mind as they vet their investment pipeline.

Continue Reading Tech Investing Part III: Investing in AI

Threats to cybersecurity and data privacy are constantly increasing both in volume and complexity.  This trend is expected to continue in 2022.  In a bid to protect cybersecurity and ensure data is properly safeguarded, countries around the world are introducing new laws focused on cybersecurity and data protection.  Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations who fall victim to cybersecurity breaches.  There are shorter deadlines in which to notify the authorities of data breaches and ever increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.

In this ever-changing area what is on the horizon for 2022?

Continue Reading Cybersecurity and Data Privacy – What to expect in 2022

Amazon’s financial records have revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), is fining the retailer’s European arm (Amazon Europe Core S.à.r.l.) an eyewatering 746 million euros (£636m or $838m) for breaches of the EU’s General Data Protection Regulation (“GDPR”).

When the GDPR was introduced in May 2018, the potential for huge financial sanctions grabbed many headlines: it gives European supervisory authorities the power to impose fines of up to 20 million euros or 4% of annual global turnover (whichever is greater) for breaches of the GDPR. There have been some undeniably sizeable fines issued under the GDPR in the last three years. But the level of this particular fine is extraordinary: it’s the largest GDPR fine issued to date by a considerable margin. The second largest fine ever imposed under the GDPR was a comparatively paltry 50 million euros, levied against Google by CNIL (the French supervisory authority) in early 2019 (which you can read about here).

Continue Reading CNPD v. Amazon, the largest GDPR fine on record – what do we know so far?

New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on

On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting.  The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of subcommittees of the Board, notice to the Attorney General regarding the assumption of rulemaking under the California Privacy Rights Act (the “CPRA”), and setting future agenda items and a meeting schedule for the Board.  (As a refresher, when the CPRA passed as a ballot measure last Fall, it established the CPPA as a first-of-its-kind agency solely devoted to the regulation and enforcement of consumer privacy.  The CPPA is tasked with enforcing the CPRA and developing a set of regulations providing guidance for businesses on how to comply with that new law.  For more on the CPRA, please see our post here.)

While the CPPA Board’s June 14 full-day meeting covered a lot of ground, it is clear there is much work to be done for the CPPA to emerge as an independent, fully-functional agency, let alone promulgating regulations in time to meet the CPRA’s July 1, 2022 deadline for final regulations.  Overall, the Board members appeared to be committed to working through these challenges, but acknowledged that they are under a lot of time pressure.

Continue Reading Starting at the Beginning: California Privacy Protection Agency Board Meets for the First Time

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.

Continue Reading As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance

On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.

Continue Reading DOL’s New Cybersecurity Guidance

Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.

Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.

Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)