Scot Ganow

Scot is a partner in Taft’s Dayton office, and co-chair of the firm’s Privacy and Data Security Practice. A former chief privacy officer with more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

With at least 70% of American schools shutting down, and others, if not all, to follow, schools and millions of parents are faced with unprecedented challenges managing children’s education from their homes through online schooling. Online schooling or “distance learning” presents not only operational and technical challenges of its own, but also concerns and challenges in properly protecting the privacy and security of student information. Even in view of a pandemic and emergency conditions, schools and online education providers are still required to meet legal obligations under various laws and implement best practices to not only meet the laws’ requirements but also to foster a secure environment for students to learn. The following provides a summary of the applicable federal and state laws impacting online learning, followed by general best practices.

Continue Reading COVID-19 Bulletin: Online Schooling Data Privacy Concerns and Best Practices During the Pandemic

In a letter sent earlier this month, a group representing more than 30 companies, trade associations and various industries asked the California Attorney General if enforcement of the California Consumer Privacy Act could be postponed. Concerned with the business impacts and reprioritization related to COVID-19, the association asked the Attorney General to delay enforcement from July 2020 until January 2021. The association stated that companies scrambling to respond to COVID-19 would need more time to comply with the various
Continue Reading COVID-19 Bulletin: California Attorney General: CCPA Enforcement Will Not Be Delayed Due to COVID-19

In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy, be prepared to respond adequately and appropriately to privacy concerns and requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.


Continue Reading COVID-19 Bulletin: Balancing Privacy and Public Health Needs

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently, from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations for your employees.
    • All remote computer and


Continue Reading COVID-19 Bulletin: Sending Employees Home? Don’t compromise information security in the process.

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka the Lei Geral de Proteção de Dados, often referred to by its Portuguese acronym, the “LGPD”) (Law 13.709/2018), which was originally scheduled to go into effect this month (it was later amended to be enforced in August 2020). Here is a quick summary of the LGPD’s requirements.

Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.

Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments on the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications

Yes, it actually is. Jan. 28 has been set aside as a date to raise awareness and generally promote proper use and safeguarding of personal data. While it started in Europe, it is now recognized by more than 50 countries.

Why Jan. 28? The date is important because on this date in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (say that five times quickly) was introduced for signature by the Council
Continue Reading Happy Data Privacy Day! Is this really a thing?

As we have written in blog posts over the past year, the California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law to date. While there are a number of conditions and exemptions in play, the law goes into effect on Jan. 1, 2020, and will be enforced starting in July 2020.

In anticipation of the law’s effective date and requirements, we have provided a checklist to help you assess the applicability of the law to your business
Continue Reading Business Considerations: California Consumer Privacy Act

As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal Information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.


Continue Reading California Raisin’ the Stakes: Final CCPA Amendments Pass CA Legislature

What’s happening?

Lately, the one topic that tops the list of incoming phone calls to our Privacy and Data Security practice is a client reporting that either:

  1. The client paid a bogus invoice to a fraudulent account as a result of a communication from someone who looked just like a trusted payee; OR
  2. The client’s long-standing, regularly-paying customer has been strangely behind a couple of months on making payments to the client. Upon follow up, the client finds out the customer received a change in payment instruction reportedly from the client via email and has been sending the client’s payments to another banking account via ACH.

Inevitably, in either case, the payment account is bogus. The recipient failed to check the validity of the email requesting the change in payment practices, such as a new bank account, or possibly moving to ACH or EFT for payments instead of mailing checks. The recipient might have recognized the sender’s name and email address, and even observed the expected company branding and logos in the body of the email and signature line. But, rather than pause, place a call or verify the request and account validity, the recipient quickly makes the change and the payment is sent. Frequently, clients aren’t aware of the theft until it’s too late. The consequences are harsh, as getting the money back is not always easy to do, if at all possible. While there are sometimes remedies through bank action or even law enforcement, the speed with which such payments are made and money is removed makes it difficult to make a company whole again.


Continue Reading Kiss that money goodbye! Why you must scrutinize payment processing changes at every level of your business.