It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.
As we anticipated in 2018 in “So Goes California, So Goes the Country,” when it comes to U.S. privacy law the rest of the nation follows California's lead. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA); now the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statutes. Now, Ohio is ready to join the party.
Introduced earlier this month, House Bill 376, “The Ohio Personal Privacy Act,” seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to the proposed law will need to meet its specifications. For now, businesses should start to consider the bill’s requirements and how they may implement the processes necessary to comply with them.
In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.
The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:
- Right to opt out
- Right of access
- Right to correction
- Right to deletion
- Right to data portability
That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.
Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical and legal implications of employee privacy and data security, including:
- Establishing clear guidelines, expectations, and training for your employees regarding data security and privacy.
- Policies and best practices for remote work.
- Employee rights over their personal data.
- BIPA compliance: policies, practices, disclosures, and releases.
- Incident response plans and how to better manage the risk of data breaches.
One hour of SHRM professional development credit and CLE credit for Illinois, Indiana, Kentucky, Minnesota, and Ohio is pending.
Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:
- Swedish grocery chain Coop was forced to close over 800 stores;
- Fujifilm shut down parts of its global network, as the company has been unable to accept or process orders; and
- Grupo Fleury, a Brazilian medical diagnostic company with over 10,000 employees, disclosed that its processing systems are currently unavailable worldwide.
In June, the U.S. Supreme Court resolved an important issue under the Federal Computer Fraud and Abuse Act (CFAA), which has been used by companies as they battle hackers, rogue employees, and terminated employees. The CFAA imposes criminal and civil liability when a person accesses a computer “without authorization or exceeds authorized access.” Rogue employees who obtain company information without a business need often find themselves facing a suit that seeks, among other things, damages under the CFAA. A company that can invoke a federal statute — especially one that also could create criminal liability — can create significant leverage in litigation.
The Court held that one “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer — such as files, folders, or databases — that are off limits from a security standpoint. In other words, the employee needs to hack into an internal database in order to exceed the access provided by the employer.
The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.
On May 6, 2021, Microsoft announced it was expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storage capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.
I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.
Multi-Factor Authentication or “MFA.”
The European Commission has finally released the first updates in more than 10 years to the standard contractual clauses (SCCs) required for certain cross-border transfers. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries. These new SCCs mark the first change in such clauses since 2010 and were drafted in view of the Court of Justice of the European Union’s decision in Schrems II.
We will write more on this in the future, but the updated versions are intended to provide more flexibility for data processing for all parties to such a transfer and “will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.” Regulated entities currently operating under the 2010 versions will have 18 months to update existing agreements with these SCCs.
The White House issued this memorandum to corporate executives and business leaders this week, in which it stresses the need for urgent vigilance in implementing many of the information security best practices we commonly discuss on our Privacy and Data Security Insights blog. The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses against what has been an onslaught of ransomware attacks in the past year.