As we anticipated in 2018, “So Goes California, So Goes the Country,” when it comes to U.S. privacy law. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA), now, the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statues. Now, Ohio is ready to join the party.

Introduced earlier this month, House Bill 376 “The Ohio Personal Privacy Act,” seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to proposed law will need to meet its specifications. For now, businesses should start to consider the bill’s requirements and how they may implement the necessary processes to be compliant with its requirements.

Continue Reading Welcome to the Privacy Party, Ohio: State Legislature Proposes Comprehensive Data Privacy Legislation

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider. Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.

Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical and legal implications of employee privacy and data security, including:

  • Establishing clear guidelines, expectations, and training for your employees regarding data security and privacy.
  • Policies and best practices for remote work.
  • Employee rights over their personal data.
  • BIPA compliance: policies, practices, disclosures, and releases.
  • Incident response plans and how to better manage the risk of data breaches.

Presented by Taft lawyers: Carolyn Davis, Scot Ganow, and Daniel Saeedi.

One hour of SHRM professional development credit and CLE credit for Illinois, Indiana, Kentucky, Minnesota, and Ohio pending.

Register here.

Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:

Continue Reading It May Take a Village: What the REvil Holiday Attack Teaches Us About the Evolving Threat

In June, the U.S. Supreme Court resolved an important issue under the Federal Computer Fraud and Abuse Act (CFAA), which has been used by companies as they battle hackers, rogue employees, and terminated employees. The CFAA imposes criminal and civil liability when a person accesses a computer “without authorization or exceeds authorized access.” Rogue employees who obtain company information without a business need often find themselves facing a suit that seeks, among other things, damages under the CFAA. A company that can invoke a federal statute — especially one that also could create criminal liability — can create significant leverage in litigation.

The Court held that one “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer — such as files, folders, or databases — that are off limits from a security standpoint. In other words, the employee needs to hack into an internal database in order to exceed the access provided by the employer.

Continue Reading U.S. Supreme Court Narrows the Reach of the Computer Fraud and Abuse Act

GDPR Image

The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.

On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.

Continue Reading Freezing the Cloud: Microsoft Takes a Hardline on Data Privacy in the EU

I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.

Multi-Factor Authentication or “MFA.” 

Continue Reading Multi-Factor Authentication (MFA). Please. Do it. Now.

The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries.  These new SCCs mark the first change in such clauses since 2010 and in view of the Court of Justice of the European Union’s decision in  Schrems II.

We will write more on this in the future, but the updated versions are intended to provide more flexibility for data processing for all parties to such a transfer and “will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.”  Regulated entities currently operating under the 2010 versions will have 18 months to update existing agreements with these SCCs.

The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the best information security best practices we commonly discuss on our Privacy and Data Security Insights blog.  The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses to what has been an onslaught of ransomware attacks in the past year.  

Continue Reading White House Memo Stresses Need For Vigilance in Defending Against Ransomware Attacks

Taft Appellate attorneys Jon Olivito and Michael Robertson recently wrote about a U.S. Court of Appeals for the Sixth Circuit decision that clarified the scope of conduct that could potentially expose any consumer business to immense liability.

In Thomas v. TOMS King (Ohio), LLC, No. 20-3977 (6th Cir. May 11, 2021), a consumer sued a defendant business alleging a violation of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The plaintiff alleged the defendant had violated the “truncation requirement” of FACTA and exposed her to an increased risk of identity theft by issuing a credit card that included the first six and last four digits of her credit card number. In an effort to thwart identify theft, the truncation requirement prohibits businesses from printing more than the last five digits of a customer’s credit or debit card number on a receipt. Violations of FACTA can expose businesses to actual and statutory damages, punitive damages, and attorneys’ fees.

Read the full Taft law bulletin.