Photo of Zenus Franklin

Zenus is a business and finance attorney in Taft’s Dayton office, where he focuses on corporate governance, privacy and data security and data governance planning.

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

GDPR Image

The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.

On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.


Continue Reading Freezing the Cloud: Microsoft Takes a Hardline on Data Privacy in the EU

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers.  While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors.  We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.)  As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France.   Earlier this year,  in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.


Continue Reading NYDFS Answers Age Old “To Pay the Ransom or Not Pay the Ransom” Question with Definitive DON’T

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.
Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance

Last month we discussed California’s Proposition 24, called the California Privacy Rights Act (“CPRA”), and that California voters approved the CPRA on November 3, 2020.  The CPRA amends the California Consumer Privacy Act (“CCPA”), which the final regulations of the CCPA were only recently approved by Attorney General Xavier Becerra in August, 2020. The CPRA makes a few substantial changes to the CCPA, such as additional rights to consumers, additional obligations on businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA. The CPRA is set to become effective on January 1, 2023.  Until then, the CCPA will remain in full force and effect.
Continue Reading Meet the California Privacy Rights Act (CPRA): California Voters Approve Additional Consumer Rights and Business Obligations

In the midst of an unprecedented presidential campaign, you might have missed that California’s Proposition 24, also called the California Privacy Act (CPRA), was poised to amend the California Consumer Privacy Act (CCPA) a mere three months after Attorney General Xavier Becerra approved the final regulations for the CCPA.

On November 3, California voters approved the CPRA by a count of 56% (YES) to 44% (No). In July, we discussed the CPRA’s proposed changes to the CCPA, such as
Continue Reading California Voters Approve California Consumer Privacy Act; Amendments to CCPA

As businesses continue to apply for relief through Small Business Administration (SBA) programs, SBA’s Carol R. Wilkerson announced that nearly 8,000 business owners’ information may have been exposed to unauthorized users on March 29, 2020. This incident only affected the Disaster Loan Program and not the Paycheck Protection Program. The SBA has notified the business owners that may have been affected and offered them a year of free credit monitoring.

At this time, the SBA has stated that the
Continue Reading SBA Data Breach: Disaster Loan Applicants’ Information Possibly Exposed

As the majority of states execute stay at home orders to curb the effects of COVID-19, businesses (and educational institutions) have had to set up ways for employees and students to work remotely. As we have discussed before, companies and employees must make sure both company and employee data is secure while working on home networks and remote devices. Employee use of video conference software is no different. In an effort to keep employees connected and working efficiently, many businesses and educational institutions have had to adopt video conference software in an expedited fashion. This can be seen by looking at Zoom, a video and audio conferencing software. At the end of December 2019, Zoom had approximately 10 million daily meeting participants. Now, in just over several months, Zoom has reached 200 million daily meeting participants. While a useful and effective tool, Zoom has also experienced some challenges with security.  Even in these unique, difficult, and fast moving situations, the Zoom experience stresses the importance of still following best practices in all use of technology to process your company’s data.
Continue Reading COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

As we discussed before, educational institutions are closing campuses and are meeting legal obligations to educate their students by conducting online schooling. Now, some school districts across the country are banning teachers from using Zoom for online schooling during the COVID-19 pandemic due to security and privacy issues surrounding the videoconferencing app.  Reported cases of classroom “Zoombombings” included an incident where hackers broke into a class meeting and displayed a swastika on students’ screens, which led the FBI to issue a public warning about Zoom’s security vulnerabilities. New York City School District and Nevada Clark Public Schools disabled Zoom access, while schools in Utah and Washington State are reassessing its use at the time of this posting.

Amid the raised safety concerns, Zoom responded and advised schools to protect video calls with passwords and to lock down meeting security with currently available privacy features in the software. On March 18, 2020, Zoom added a privacy policy specific for K-12 schools and districts stating that it is “designed to reflect our compliance” with student privacy laws and also posted best practices for teachers to use.


Continue Reading COVID-19 Bulletin: ZOOM Challenges Provide Timely Reminder about Need for Diligence in Managing Privacy and Security and Student Data

While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.

Continue Reading How am I supposed to do this? Part Trois: California Attorney General issues CCPA modifications