California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.

Continue Reading New Year, New Privacy Laws: California Expands Law to Protect Genetic Information

Considering the potential number of companies impacted by each of the following, we in Taft’s Privacy and Data Security Practice wanted to share this urgent post with more information to ensure your company is considering the related risks presented by these vulnerabilities in commonly used website tools and platforms.

  1. Log4j. The Department of Homeland Security and CISA reported that this vulnerability is being used to exploit websites and internet-connected devices of all kinds. More info here.
  2. WordPress. A separate vulnerability in one of the most ubiquitous website development and administration platforms was also reported. These vulnerabilities in website plugins, if exploited, can give threat actors the ability to redirect customers from your website to another site or otherwise take control of administrator roles on a website. More info here.

Monitoring for such news and vulnerabilities should be a solid part of every company’s information security program and risk management strategy. As always, we will continue to share information here on Privacy and Data Security Insights, but nothing replaces the value of your company having active threat monitoring as part of your information security toolbox. Stay vigilant!

On October 8, 2021, President Biden signed the bipartisan K-12 Cybersecurity Act of 2021 (the “Act”) in response to K-12 educational institutions facing cyber-attacks across the United States. The types of cyber incidents targeting K-12 information systems include denial of service, phishing, ransomware and malware, and other unauthorized disclosures of personal information.

While the Act itself does not detail specific requirements for K-12 educational institutions, it seeks to address the increasing risk of cybersecurity incidents by authorizing the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study on the specific cybersecurity risks currently facing K-12 educational institutions. The director has 120 days from the enactment of the Act to complete the study. The director will then have an additional 60 days to issue recommendations that include cybersecurity guidelines to assist K-12 educational institutions in responding to the cybersecurity threats described in the director’s study. In conjunction with cybersecurity recommendations, CISA will be developing an online training toolkit to educate school officials about the recommendations and to help ease the implementation of the recommendations by providing strategies for officials to take such action.

Continue Reading K-12 Cybersecurity Act: Federal Government Seeks to Improve Security for America’s Educational Institutions

In addition to ongoing privacy and security related issues, one of the hot spots for litigation has been the accessibility of websites. In this post, we will lay out the current legal landscape and what the ADA requires. We will also provide practical next steps to help your company not only manage its compliance requirements, but also leverage your website to produce a more inclusive customer experience.

Continue Reading ADA Website Accessibility and Liability: Why Businesses Need to Develop a Strategy… Now.

On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of the Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bifurcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.

Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.

Continue Reading Out with the Old and In with The New: European Commission’s New Standard Contractual Clauses Grace Period is Ending

As we anticipated in 2018, “So Goes California, So Goes the Country,” when it comes to U.S. privacy law. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA); now the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statutes. Now, Ohio is ready to join the party.

Introduced earlier this month, House Bill 376, “The Ohio Personal Privacy Act,” seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to the proposed law will need to meet its specifications. For now, businesses should start to consider the bill’s requirements and how they may implement the necessary processes to be compliant with its requirements.

Continue Reading Welcome to the Privacy Party, Ohio: State Legislature Proposes Comprehensive Data Privacy Legislation

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.

Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.

Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical and legal implications of employee privacy and data security, including:

  • Establishing clear guidelines, expectations, and training for your employees regarding data security and privacy.
  • Policies and best practices for remote work.
  • Employee rights over their personal data.
  • BIPA compliance: policies, practices, disclosures, and releases.
  • Incident response plans and how to better manage the risk of data breaches.

Presented by Taft lawyers: Carolyn Davis, Scot Ganow, and Daniel Saeedi.

One hour of SHRM professional development credit and CLE credit for Illinois, Indiana, Kentucky, Minnesota, and Ohio pending.

Register here.

Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:

Continue Reading It May Take a Village: What the REvil Holiday Attack Teaches Us About the Evolving Threat