Last month we discussed California’s Proposition 24, called the California Privacy Rights Act (“CPRA”), and that California voters approved the CPRA on November 3, 2020. The CPRA amends the California Consumer Privacy Act (“CCPA”), which the final regulations of the CCPA were only recently approved by Attorney General Xavier Becerra in August, 2020. The CPRA makes a few substantial changes to the CCPA, such as additional rights to consumers, additional obligations on businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA. The CPRA is set to become effective on January 1, 2023. Until then, the CCPA will remain in full force and effect.
Continue Reading Meet the California Privacy Rights Act (CPRA): California Voters Approve Additional Consumer Rights and Business Obligations
California Voters Approve California Consumer Privacy Act; Amendments to CCPA
In the midst of an unprecedented presidential campaign, you might have missed that California’s Proposition 24, also called the California Privacy Act (CPRA), was poised to amend the California Consumer Privacy Act (CCPA) a mere three months after Attorney General Xavier Becerra approved the final regulations for the CCPA.
On November 3, California voters approved the CPRA by a count of 56% (YES) to 44% (No). In July, we discussed the CPRA’s proposed changes to the CCPA, such as
Continue Reading California Voters Approve California Consumer Privacy Act; Amendments to CCPA
Taft Partner to Speak on Business Email Compromise
Taft partner Scot Ganow will be one of the presenters for “What we wish clients would do about business email compromise,” on Oct. 29, 2020. The one-hour seminar brings together cybersecurity and risk management professionals to examine business email compromise including a real-world case study, the ramifications of an attack, and how to arm your business against would-be opportunists.
Register to attend here.
Continue Reading Taft Partner to Speak on Business Email Compromise
A little relief? CCPA exemptions for employee and business contact information likely to be extended to 2022 (or beyond)
Since we originally posted this content to Taft Privacy & Data Security Insights, the governor of California has since signed AB1281, extending the exemptions for employee personal information and that of business contacts until January 2022. This deadline may be extended again, should voters choose the CPRA, as discussed below.
* * *
An important development on the California Consumer Privacy Act (CCPA) front occurred as many of us enjoyed the last days of summer and readied for the Labor
Continue Reading A little relief? CCPA exemptions for employee and business contact information likely to be extended to 2022 (or beyond)
Taft Partners Ganow and Schenkenberg to Speak at “Cybersecurity for In-House Legal Counsel” Seminar
Taft partners Scot Ganow and Phil Schenkenberg will be featured speakers for the “Cybersecurity for In-house Legal Counsel” Seminar on Oct. 26. The virtual seminar will help in-house counsel understand the legal constructs and terminology widely used within the cybersecurity space, and to provide practical ways they can be more responsive and efficient when cyber issues arise. Taft is a sponsor of the event.
Ganow will present “Legal Overview and Key Cyber Risks for Businesses,” which covers the laws, regulations,
Warning! Shields are Down: Top EU Court Invalidates EU-US Privacy Shield Protections
What is Privacy Shield? Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.
EU Court holds Privacy Shield to be Inadequate. On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU) held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data. Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fails to meet “minimum safeguards” guaranteed by the EU.
Continue Reading Warning! Shields are Down: Top EU Court Invalidates EU-US Privacy Shield Protections
Don’t Forget! CCPA Enforcement Commences July 1, 2020
Just a friendly reminder from the Taft Law Privacy and Data Security Practice Group that the Attorney General of California will commence enforcement of the California Consumer Privacy Act (CCPA) on July 1, 2020. While we have all understandably been focused on the many important issues of this year, both personally and professionally, let us not forget that the Attorney General of California explicitly declined to extend the enforcement date due to COVID-19 for this first of its kind state privacy law.
While it is obviously late in the game, and impossible to provide you all the ins and outs of CCPA compliance in this single post, you can always check older posts on our Taft Privacy & Data Security Insights. That said, it doesn’t mean you can’t get started or continue making progress to understand and meet any applicable requirements for your business. Here are some quick points and additional resources to consider.
Continue Reading Don’t Forget! CCPA Enforcement Commences July 1, 2020
It’s more than giving ‘em a laptop: Operational & Security Considerations for Supporting the Remote Workforce
Like so many companies navigating the challenges and changes demanded by COVID-19, we at Taft have had to move our entire workforce home while maintaining a high level of support for our employees and clients. Whether in crisis, design, or other business strategy, companies should carefully and methodically approach the transition of its employees, equipment, and data to a remote environment. Such an approach should be followed in all such moves, whether temporary or permanent. In this article we share what we have learned and some best practices that will benefit any company considering making the move.
A. Operational Support (Andrea Markstrom, CIO, Taft Stettinius & Hollister LLP)
Faced with COVID-19 and moving a firm of 620+ attorneys to home offices, I knew this was not just another business continuity tabletop exercise. I needed to plan thoroughly while still reacting quickly. To do so, I thought about how we were going to be able to keep our employees safe, fully productive, and continue providing excellent service to our clients. To be successful, I think you need to consider and accomplish the following three things.
Continue Reading It’s more than giving ‘em a laptop: Operational & Security Considerations for Supporting the Remote Workforce
The Aftermath of a Breach: Evidentiary Protections Related to Forensic Investigations in Limbo
Businesses in all industries and of all sizes are collecting data about their customers, potential clients, and workforce. This collection can be as simple as processing credit cards for purchases or gathering data about consumer behavior on websites or social media platforms, or can include a robust collection of sensitive financial, location, or health information. In the event that an incident occurs, a business is obligated to respond quickly to address the pitfall and potentially inform consumers that their information may have been subject to an unauthorized access according to applicable national or state laws. Navigating these unchartered waters usually involves bringing in counsel to assess whether a “breach” has occurred, how much, whose and what information was accessed, and to potentially prepare for litigation from those consumers whose data was subjected to the breach.
As part of this response, counsel often calls on cybersecurity experts to provide incident response services and breach analysis to understand the severity of the breach and the company’s data security posture. These forensic assessments can be used in a variety of ways, including helping determine the immediate steps that need to be taken to comply with data breach laws, ensure that the compromise is resolved, or troubleshoot potential weak points in the company’s cybersecurity safeguards to develop a stronger infrastructure to avoid future incidents.
Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data
Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.
Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative.
Continue Reading Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data