Photo of Rebekah Mackey

Rebekah is an attorney in Taft’s Business and Finance practice group. Prior to law school, Rebekah worked at the Indiana State Senate as a press secretary and legislative assistant and at the Indiana Supreme Court as a legal extern.

It is summer and you just finished all the hard work to make sure your organization addressed all applicable California Consumer Privacy Act (CCPA or the “Act”) requirements.  You sit down, take a deep breath, and see what California has been up to during your CCPA preparations.  Well, lo and behold, California wants to give the nation’s most aggressive data protection law a facelift in a new ballot initiative to be voted on this November.

You may remember that California pioneered the first sweeping privacy reform in the United States in 2018 when the CCPA was passed. The Act was amended in 2019 and went into effect January 1, 2020, with enforcement beginning July 1 of this year. Taft’s Privacy & Data Security group has provided information regarding the data requirements of the CCPA in previous blog posts, but generally, the Act affords consumers the right to know what information is being collected from them, the right to prohibit businesses from keeping their information, and the right to opt-out of the sale of their personal information, among other things.  The CCPA already reaches outside California state lines, as it applies to companies that do business within the state that have revenues of over $25 million per year, derive at least 50% of its revenue from selling information, or buy, sell or share personal information of at least 50,000 California consumers, households or devices.


Continue Reading Data Déjà vu? Data Protection Back On the Ballot in California

Businesses in all industries and of all sizes are collecting data about their customers, potential clients, and workforce. This collection can be as simple as processing credit cards for purchases or gathering data about consumer behavior on websites or social media platforms, or can include a robust collection of sensitive financial, location, or health information. In the event that an incident occurs, a business is obligated to respond quickly to address the pitfall and potentially inform consumers that their information may have been subject to an unauthorized access according to applicable national or state laws. Navigating these unchartered waters usually involves bringing in counsel to assess whether a “breach” has occurred, how much, whose and what information was accessed, and to potentially prepare for litigation from those consumers whose data was subjected to the breach.

As part of this response, counsel often calls on cybersecurity experts to provide incident response services and breach analysis to understand the severity of the breach and the company’s data security posture. These forensic assessments can be used in a variety of ways, including helping determine the immediate steps that need to be taken to comply with data breach laws, ensure that the compromise is resolved, or troubleshoot potential weak points in the company’s cybersecurity safeguards to develop a stronger infrastructure to avoid future incidents.


Continue Reading The Aftermath of a Breach: Evidentiary Protections Related to Forensic Investigations in Limbo

The COVID-19 outbreak has ignited a frenzy of scamming attempts as about 90% of Americans are ordered to stay at home and are navigating how to work remotely and keep themselves and their loved ones safe. Our recent bulletin discussed attempts bad actors are using to try to steal personal information through email phishing attacks and ransomware, as well as efforts to ransack bank accounts through donations to fake charities and orders for goods that never arrive. Government officials warn
Continue Reading COVID-19 Bulletin: Avoiding Stimulus Check Scams as CARES Kicks In

In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy and be prepared to adequately and appropriately respond to privacy concerns, requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all-personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.


Continue Reading COVID-19 Bulletin: Balancing Privacy and Public Health Needs