Photo of Scot Ganow

Scot is a partner in Taft’s Dayton office, and co-chair of the firm’s Privacy and Data Security Practice. A former chief privacy officer with more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

As businesses continue to apply for relief through Small Business Administration (SBA) programs, SBA’s Carol R. Wilkerson announced that nearly 8,000 business owners’ information may have been exposed to unauthorized users on March 29, 2020. This incident only affected the Disaster Loan Program and not the Paycheck Protection Program. The SBA has notified the business owners that may have been affected and offered them a year of free credit monitoring.

At this time, the SBA has stated that the
Continue Reading SBA Data Breach: Disaster Loan Applicants’ Information Possibly Exposed

While hardly a new topic for anyone doing business with the government, current events and the challenges of COVID-19 provide a cautionary tale and proactive reminder that doing business with the government carries with it the burden of ensuring applicable data privacy and security protections are in place. As companies consider existing relationships with the U.S. government, or potentially pursuing new business with the U.S. government in responding to current challenges, we thought it a good time to provide a high-level summary of what to expect.

All organizations store, maintain, and process data to some extent. However, organizations that contract with the federal government may also be storing controlled unclassified information (“CUI”). The federal government requires that CUI be protected from public disclosure or other unauthorized use. Protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly affect the ability of the federal government to successfully conduct its essential missions and functions. For example, over the last decade, cyber criminals have increasingly targeted contractor organizations to extract information in an attempt to weaken the federal government’s supply chain. Accordingly, companies can expect to see an emphasis on security of CUI when contracting with the federal government as they process CUI and other types of data on the government’s behalf, whether directly as a prime contractor or as a subcontractor to a prime contractor of the government.


Continue Reading COVID-19 Bulletin: Dreaming of a government contract? Neglecting data security can be a nightmare.

With at least 70% of American schools shutting down, and others, if not all, to follow, schools and millions of parents are faced with unprecedented challenges managing children’s education from their homes through online schooling. Online schooling or “distance learning” presents not only operational and technical challenges of its own, but also concerns and challenges in properly protecting the privacy and security of student information. Even in view of a pandemic and emergency conditions, schools and online education providers are still required to meet legal obligations under various laws and implement best practices to not only meet the laws’ requirements but also to foster a secure environment for students to learn. The following provides a summary of the applicable federal and state laws impacting online learning, followed by general best practices.

Continue Reading COVID-19 Bulletin: Online Schooling Data Privacy Concerns and Best Practices During the Pandemic

In a letter sent earlier this month, a group representing more than 30 companies, trade associations and various industries asked the California Attorney General if enforcement of the California Consumer Privacy Act could be postponed. Concerned with the business impacts and reprioritization related to COVID-19, the association asked the Attorney General to delay enforcement from July 2020 until January 2021. The association stated that companies scrambling to respond to COVID-19 would need more time to comply with the various
Continue Reading COVID-19 Bulletin: California Attorney General: CCPA Enforcement Will Not Be Delayed Due to COVID-19

In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy and be prepared to adequately and appropriately respond to privacy concerns, requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.


Continue Reading COVID-19 Bulletin: Balancing Privacy and Public Health Needs

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently, from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations to your employees.
    • All remote computer and


Continue Reading COVID-19 Bulletin: Sending Employees Home? Don’t compromise information security in the process.

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018), which was originally scheduled to go into effect this month (it was later amended to be enforced in August 2020). Here is a quick summary of the LGPD’s requirements.

Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.

Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra has proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments on the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications

Yes, it actually is. Jan. 28 has been set aside as a date to raise awareness and generally promote proper use and safeguarding of personal data. While it started in Europe, it is now recognized by more than 50 countries.

Why Jan. 28? The date is important because on this date in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (say that five times quickly) was introduced for signature by the Council
Continue Reading Happy Data Privacy Day! Is this really a thing?

As we have written in blog posts over the past year, the California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law to date. While there are a number of conditions and exemptions in play, the law goes into effect on Jan. 1, 2020, and will be enforced starting in July 2020.

In anticipation of the law’s effective date and requirements, we have provided a checklist to help you assess the applicability of the law to your business
Continue Reading Business Considerations: California Consumer Privacy Act