Photo of Scot Ganow

Scot is a partner in Taft’s Dayton office, and co-chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations to your employees.
    • All remote computer and


Continue Reading COVID-19 Bulletin: Sending Employees Home? Don’t compromise information security in the process.

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Originally scheduled to go into effect this month (it was later amended to be enforced in August 2020), Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018). Here is a quick summary of the LGPD’s requirements.

Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.

Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments of the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications

Yes, it actually is. Jan. 28 has been set aside as a date to raise awareness and generally promote proper use and safeguarding of personal data. While it started in Europe, it is now recognized by more than 50 countries.

Why Jan. 28? The date is important because on this date in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (say that five times quickly) was introduced for signature by the Council
Continue Reading Happy Data Privacy Day! Is this really a thing?

As we have written in blog posts over the past year, the California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law to date. While there are a number of conditions and exemptions in play, the law goes into effect on Jan. 1, 2020, and will be enforced starting in July 2020.

In anticipation of the law’s effective date and requirements, we have provided a checklist to help you assess the applicability of the law to your business
Continue Reading Business Considerations: California Consumer Privacy Act

As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.


Continue Reading California Raisin’ the Stakes: Final CCPA Amendments Pass CA Legislature

What’s happening?

The one topic, as of late, that tops the list of incoming phone calls to our Privacy and Data Security practice seems to be from a client reporting that either:

  1. The client paid a bogus invoice to a fraudulent account as a result of a communication from someone who looked just like a trusted payee; OR
  2. The client’s long-standing, regularly-paying customer has been strangely behind a couple of months on making payments to the client. Upon follow up, the client finds out the customer received a change in payment instruction reportedly from the client via email and has been sending the client’s payments to another banking account via ACH.

Inevitably, in either case, the payment account is bogus. The recipient failed to check the validity of the email requesting the change in payment practices, such as a new bank account, or possibly moving to ACH or EFT for payments instead of mailing checks. The recipient might have recognized the sender’s name, email address and even observed the expected company branding and logos in the body of the email and signature line. But, rather than pause, place a call or verify the request and account validity, the recipient quickly makes the change and the payment is sent. Frequently, clients aren’t aware of the theft until it’s too late. The consequences are harsh, as getting the money back is not always easy to do, if at all possible. While there are sometimes remedies through bank action or even law enforcement, the speed with which such payments are made and money is removed make it difficult to make a company whole again.


Continue Reading Kiss that money goodbye! Why you must scrutinize payment processing changes at every level of your business.

The struggles continue for Facebook. As you hopefully know by now, on Sept. 28, the social media giant announced a security breach affecting 50 million accounts. The breach involved the theft of password tokens that allow a user to stay signed in or to sign into numerous third party applications, such as Spotify, Instagram and Yelp, among thousands of others. We thought to take the opportunity with this most recent breach to remind you about best practices that can help
Continue Reading Yet Another Facebook Breach: Use this opportunity to get smart about your online privacy and security

I don’t mean to ruin your holiday weekend, but we thought to send out a friendly reminder on the next set of rolling deadlines and requirements from New York’s financial services cybersecurity law (23 NYCRR 500). A regulated organization that must comply with the law, or “covered entity,” is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial
Continue Reading Perfect Labor Day Beach Reading: New York’s (Next) Round of Financial Cybersecurity Requirements

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio first-of-its kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed the Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading Proactive Approach to Cybersecurity Pays off in Ohio with New Data Protection Act