Photo of Scot Ganow

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.
Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

As we anticipated in 2018, “So Goes California, So Goes the Country,” when it comes to U.S. privacy law. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA), now, the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statues. Now, Ohio is ready to join the party.

Introduced earlier this month, House Bill 376 “The Ohio Personal Privacy Act,” seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to proposed law will need to meet its specifications. For now, businesses should start to consider the bill’s requirements and how they may implement the necessary processes to be compliant with its requirements.


Continue Reading Welcome to the Privacy Party, Ohio: State Legislature Proposes Comprehensive Data Privacy Legislation

With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.

Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical
Continue Reading Webinar – Face the Facts: Getting Smart About Employee Privacy and Data Security

Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:


Continue Reading It May Take a Village: What the REvil Holiday Attack Teaches Us About the Evolving Threat

I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.

Multi-Factor Authentication or “MFA.” 


Continue Reading Multi-Factor Authentication (MFA). Please. Do it. Now.

The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries.  These new SCCs mark the first change in such clauses since 2010 and in view of the Court of Justice of the European Union’s decision in  Schrems II.

We will write more on this
Continue Reading Europe Commission Releases Updated Standard Contractual Clauses for GDPR Compliance

The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the best information security best practices we commonly discuss on our Privacy and Data Security Insights blog.  The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses to what has been an onslaught of ransomware attacks in the past year.  

Continue Reading White House Memo Stresses Need For Vigilance in Defending Against Ransomware Attacks

Taft Appellate attorneys Jon Olivito and Michael Robertson recently wrote about a U.S. Court of Appeals for the Sixth Circuit decision that clarified the scope of conduct that could potentially expose any consumer business to immense liability.

In Thomas v. TOMS King (Ohio), LLC, No. 20-3977 (6th Cir. May 11, 2021), a consumer sued a defendant business alleging a violation of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The plaintiff alleged the defendant had violated the
Continue Reading Sixth Circuit Helps Businesses by Joining Sister Circuits in Identity Theft Case

In response to recommendations contained in the Solarium Commission report and the Solar Winds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021, outlining new requirements for information technology providers that do business with the federal government. The purpose of the requirements are to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they
Continue Reading Strengthening U.S. Cyber Security – New Executive Order

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.