Last week, the California Legislature passed Assembly Bill 2273:  the California Age-Appropriate Design Code Act (“CAADCA”).  CAADCA is an online safety bill, which contains unique privacy requirements to protect minors under the age of 18.

Covered Businesses:  Covered businesses under the bill include any “business,” as defined by the California Consumer Privacy Act, “that provides an online service, product, or feature likely to be accessed by children.”  This means that if your company conducts business in California and (a) has an annual gross revenue of more than $25 million; or (b) alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (c) derives 50% or more of its annual revenue from selling consumers’ personal information, then you will need to evaluate whether your products or services must also address CAADCA requirements. Continue Reading Child’s Play: Latest California Bill Creates Significant Increase in Regulation for Covered Businesses Collecting Personal Data of Children

Ransomware – a demand for a monetary payment to regain access to one’s data or network – continues to rock the charts as cyber criminals’ go-to, get-rich-quick scheme. As we know, the pandemic spurred the work-from-home or hybrid movement that likely will continue for years to come. With more and more employees working from home, more data is being shared remotely, leaving the door open for missed or inadequate computer and technology security. Phishing and fraud schemes and social engineering methods used to demand ransom are particularly attractive as they target and take advantage of the number one security risk – a company’s people. Continue Reading Multi-Factor Authentication: The New Norm for Cyber Insurance Coverage

The California Attorney General’s office recently announced that French multinational personal care and beauty products retailer Sephora, Inc. has agreed to pay $1.2 million to resolve allegations that the company violated the California Consumer Privacy Act (CCPA), making it the first settlement under California’s landmark privacy law.

The CCPA is a first-in-the-nation law that was passed in 2018 and went into effect in 2020.  It gives Californians the right to know what information a business collects about them and shares; the right to delete personal information collected from them; the right to opt out of the sale of their personal information; and the right to not be discriminated against for exercising all the right the CCPA gives them.  Oftentimes, online retailers allow third-party companies to install tracking software to monitor a consumer’s shopping trends. Continue Reading The CCPA Strikes the First Major Blow: Sephora Settles Allegations for $1.2 Million

If you haven’t already seen the notifications in the Taft Privacy and Data Security Mobile App, we wanted to make you aware or remind you about some important security updates issued by Apple affecting multiple products. CISA (Cybersecurity & Infrastructure Security Agency) is recommending consumers update their devices as soon as possible.

And if you need to download the free Taft Privacy and Security Mobile Application for free, you can do it here:

  1. Apple App Store (iPhone, iPad)
  2. Google Play Store (Android)

In the past year, we have seen an increase in the number of countries developing/updating legal frameworks (such as model agreements) that permit the transfer of personal data abroad. Transfer mechanisms, such as the model agreements, are necessary because different countries’ data protection laws may offer different levels of protection to individuals’ personal data. Transfer mechanisms function as an “equalizer” by requiring a base level of protection that all entities must have in place when transferring personal data abroad. Accordingly, transfer mechanisms ensure that protections are in place to safeguard data that leaves a country with strong data protection laws to be transferred to a country that has no such laws. Last June, the European Commission updated its Standard Contractual Clauses (“EU SCCs”) permitting the transfer of data outside the European Economic Area (“EEA”) after a decade. Earlier this year the United Kingdom implemented the UK’s version of transfer clauses with the International Data Transfer Agreement (“UK IDTA”). Like Europe and the United Kingdom, China also has some transfer mechanisms in the works. Continue Reading Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad

Employers have various interests in monitoring employees’ electronic activity on company systems. With an increasing number of businesses allowing remote work throughout and following the Covid-19 pandemic, some companies have sought to implement technical means to keep an eye on their employees’ online activity.  For example, employers may want to monitor this activity as a means to manage productivity and performance.  Enter: “Bossware.” Continue Reading Paying the Cost to be the Boss(ware): Considerations Surrounding Employee Monitoring Technologies

Quite often, business data can be characterized as intellectual property. But you want to share your data with the world, or maybe just customers or clients. This can be tricky. Improper, premature, or unlawful disclosure of certain intellectual property can be damaging and detrimental to your business. So, how do you protect it?

As you have read here on Privacy and Data Security Insights, data privacy is concerned with properly handling one’s personal data – ensuring you get consent, provide notice, and meet applicable regulatory obligations. Another concern should be whether or how data is shared with third parties. However, it is essential to remember that some data, depending on the content, may be considered and protected as intellectual property. Continue Reading The Intersection of Data & Intellectual Property: You Want to Share it, but How do You Protect it?

Following the publication of the U.S. Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, on June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) issued guidance regarding disclosures of protected health information (PHI) concerning reproductive health procedures such as abortion. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the disclosure of PHI by most health care providers, as well as employer-sponsored health plans, (Covered Entities), generally restricting the use or disclosure of PHI without the individual’s authorization other than in specifically excepted circumstances. Specifically, HIPAA does permit Covered Entities to disclose PHI without a patient’s authorization (or in some instances, notice and an opportunity to object), including 1) Disclosures required by law; 2) Disclosures for law enforcement purposes; and 3) Disclosures to avert a serious threat to health or safety. In the guidance, HHS notes that under each of these exceptions, HIPAA permits but does not require disclosure of PHI by a Covered Entity. HHS further reasserts that any disclosure made pursuant to one of the above permitted disclosures must be limited to the minimum PHI necessary to respond to the permitted disclosure request. Continue Reading A HIPAA Right to Privacy Remains: Federal Government Issues Guidance and Orders Following Supreme Court Decision in Dobbs

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA. Continue Reading HIPAA: Its Confidentiality Protections (And Limits)

 

Last week, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion to ensure that companies that use and share credit and background reports have a “permissible purpose” under the Fair Credit Reporting Act (“FCRA”). The credit, criminal, job, and rental records of individuals are a few items consumer reporting agencies gather, compile, and assess. This information is then packaged into a report and used across various industries by creditors, insurers, landlords, employers, and others to make eligibility and other decisions about consumers. This collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial information contained within consumer reports pose significant risks to consumer privacy. Thus, to combat these risks and better safeguard individuals’ personal data, the CFPB’s new advisory opinion makes clear that users of credit reports also have express obligations to protect this sensitive data. For these reasons, entities must have a “permissible purpose” when obtaining such reports. Continue Reading The Consumer Financial Protection Bureau Issues an Advisory Opinion Strengthening Consumer Privacy