As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition

New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. The SHIELD Act takes effect in March 2020.

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.

Continue reading for a summary of the SHIELD Act and how it could impact your business.
Continue Reading

On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on civil money penalties (CMP). HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers that progressively increases from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year.
Continue Reading

The world of data privacy often focuses on how companies are using consumers’ information and what measures those companies take to protect such information.  Each of the fifty states have enacted laws that require entities to notify individuals of security breaches involving personally identifiable information (although those laws vary greatly).  Additionally, twenty-five states have laws that address the data security practices of private sector entities.  But what happens when a privacy breach originates not from a company, but from a government agency?  
Continue Reading

Although not a new practice, the application of geofencing continues to increase in sophistication and expand into personal space on an unprecedented scale, jumping beyond commercial retail advertising schemes and diving into the depths of employment, health care, law enforcement, and politics. As the growth of these applications prompt privacy and security concerns, including government surveillance concerns, regulations lag and may be further delayed considering lawmakers’ very use of geofencing to win a governing seat.

Geofencing is the practice of using wireless internet, cellular data, global positioning system (GPS) or radio-frequency identification (RFID), or a combination of such technologies, to create a virtual boundary around a particular geographic area. When a smart-phone, tablet, or other targeted device crosses over the geofence perimeter, it triggers a response from the geofence software. So-called “active” geofencing technology powers things like home applications or “apps” that automatically adjust ambient temperature and lighting when a person enters their house. “Passive” geofencing technology is used to both (1) push advertising and other information to consumers through social media apps and other channels and (2) monitor or pull information about a consumer’s habits.
Continue Reading

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On the one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low risk issue. Under the new regime, data protection has become a high-risk issue.
Continue Reading

European Commission Comments on GDPR’s One-Year Anniversary

On the one-year anniversary of the GDPR, Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality has released a joint statement on the momentous law: “The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-third of Europeans have heard of the regulation.”  The entire statement can be found here.

FTC Extends Comment Deadline on Proposed Changes to Safeguards Rule

The FTC has extended the deadline to submit comments on proposed changes to the Safeguards Rule by 60 days until August 2nd.  In March, the FTC announced it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. These regulations require financial institutions to inform customers about its information-sharing practices. More information can be found here.

FBI Reports That Cybercrime Cost $2.7B in 2018

The FBI’s annual Internet Crime Report, states that IC3 received 351,936 complaints in 2018 which is about 900 every day. The statement released with the report said, “[t]he most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.” More information can be found here.
Continue Reading

Last week, the IAPP hosted its annual Global Privacy Summit in Washington, D.C.  This year’s summit was the IAPP’s largest event, with more than 4,000 attendees from around the world.  From day 1, it was clear that the summit was heavily focused on the California Consumer Privacy Act of 2018 (CCPA), with many of the conferences covering the CCPA’s nuances, and tech vendors, legal professionals, and consultants offering compliance solutions for this new law.
Continue Reading