Photo of Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Over the 4th of July holiday weekend, an affiliate of the Russia-linked criminal syndicate known as REvil succeeded in executing the single largest global ransomware attack on record with over one million firms affected worldwide. As a result of the intrusion, thousands of companies have reduced or entirely ceased operation. For example:


Continue Reading It May Take a Village: What the REvil Holiday Attack Teaches Us About the Evolving Threat

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers.  While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors.  We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.)  As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France.   Earlier this year,  in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.


Continue Reading NYDFS Answers Age Old “To Pay the Ransom or Not Pay the Ransom” Question with Definitive DON’T

On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below.
Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law

Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated.  Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:

(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and

(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulations (“GDPR”).

Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.


Continue Reading Oh the Times (and the Clauses), They are a-Changing’

After months of public comment and sporadic guidance issued by the California Attorney General’s Office, at long last we have the final regulations under the California Consumer Privacy Act, which have been approved by the Office of Administrative Law and filed with the Secretary of State’s Office. The regulations go into effect immediately, and include changes and withdrawn proposals that range from typographical to impactful.

The California Attorney General’s office has characterized the changes to the CCPA text as “non-substantive,” and has withdrawn certain proposed provisions “for additional consideration.” The non-substantive changes are designed to improve consistency in language, and are described in detail in the Addendum to the Final Statement of Reasons. Some withdrawn provisions, however, could impact companies expected to comply with CCPA. We discuss some notable sections below. 
Continue Reading Things Just Got Real: California Approves Final CCPA Regulations

What is Privacy Shield?  Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.

EU Court holds Privacy Shield to be Inadequate.  On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU) held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data.  Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fails to meet “minimum safeguards” guaranteed by the EU.
Continue Reading Warning! Shields are Down: Top EU Court Invalidates EU-US Privacy Shield Protections

It is summer and you just finished all the hard work to make sure your organization addressed all applicable California Consumer Privacy Act (CCPA or the “Act”) requirements.  You sit down, take a deep breath, and see what California has been up to during your CCPA preparations.  Well, lo and behold, California wants to give the nation’s most aggressive data protection law a facelift in a new ballot initiative to be voted on this November.

You may remember that California pioneered the first sweeping privacy reform in the United States in 2018 when the CCPA was passed. The Act was amended in 2019 and went into effect January 1, 2020, with enforcement beginning July 1 of this year. Taft’s Privacy & Data Security group has provided information regarding the data requirements of the CCPA in previous blog posts, but generally, the Act affords consumers the right to know what information is being collected from them, the right to prohibit businesses from keeping their information, and the right to opt-out of the sale of their personal information, among other things.  The CCPA already reaches outside California state lines, as it applies to companies that do business within the state that have revenues of over $25 million per year, derive at least 50% of its revenue from selling information, or buy, sell or share personal information of at least 50,000 California consumers, households or devices.


Continue Reading Data Déjà vu? Data Protection Back On the Ballot in California

For years, the idea of a federal privacy law in the same vein as GDPR seemed to be a far-fetched dream.  Then came the nightmare: coronavirus.  As mobile device and other monitoring services are being considered for employers and retail, because of the COVID-19 pandemic, the U.S. Senate announced a bill, which would apply to the collection of American health, geolocation, and proximity information.

The COVID-19 Consumer Data Protection Act (the “Act”) aims to heighten protection for American’s data by imposing requirements on businesses similar to those seen in the GDPR and CCPA.  Specifically, the Act is designed to protect information that constitutes “precise geolocation data, proximity data, and personal health information.”  Any entity or person who “collects, processes, or transfers covered information” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.


Continue Reading COVID-19 Inspires Federal Consumer Privacy Act

While hardly a new topic for anyone doing business with the government, current events and the challenges of COVID-19 provide a cautionary tale and proactive reminder that doing business with the government carries with the burden of ensuring applicable data privacy and security protections are in place.  As companies consider existing relationships with the U.S. government, or potentially pursuing new business with the U.S. government in responding to current challenges, we thought it a good time to provide a high-level summary of what to expect.

All organizations store, maintain, and process data to some extent.  However, organizations that contract with the federal government may also be storing controlled unclassified information (“CUI”).  The federal government requires that CUI be protected from public disclosure; or other unauthorized use.  Protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly affect the ability of the federal government to successfully conduct its essential missions and functions. For example, over the last decade, cyber criminals have increasingly targeted contractor organizations to extract information in an attempt to weaken the federal government’s supply chain. Accordingly, companies can expect to see an emphasis on security of CUI when contracting with the federal government as they process CUI and other types of data on the government’s behalf, whether directly as a prime contractor or subcontractor to a prime contractor of the government.


Continue Reading COVID-19 Bulletin: Dreaming of a government contract? Neglecting data security can be a nightmare.

On Thursday, March 26, 2020, the Senate passed the Coronavirus Aid, Relief, and Economy Security Act (the “CARES Act”), which provides economic relief for individuals, businesses and industries affected by the COVID-19 pandemic. In addition, some provisions specifically relate to nascent privacy and data security concerns to be addressed both during and after the pandemic:

  • Financial Assistance for Training: Qualifying small businesses and minority owned businesses may apply for financial assistance in the form of grants to cover training and advising for employees on risks of and mitigation of cybersecurity threats in remote customer service or telework practices. The economic landscape following the COVID-19 pandemic will highlight businesses’ increased reliance upon technology, and the nascent need for increased attention to data security education. The financial assistance available to small and minority-owned businesses provides a great opportunity for companies to get ahead of the curve with respect to myriad information security threats.
  • Credit Reporting: The Fair Credit Reporting Act is revised so that furnishers of consumer and payment information, who make an accommodation with respect to one or more payments on a consumer’s account or credit obligation, must report the account or obligation as “current,” unless it was delinquent prior to the accommodation.
  • Public Health Service Act Amended to Conform with HIPAA: The Public Health Service Act is amended to include breach notification and consent requirements consistent with HIPAA. In addition, within one year after the date of enactment, the Secretary of Health and Human Services shall update 45 C.F.R 164.520 so that covered entities and entities creating or maintaining records relating to substance abuse education, training, treatment, and research shall provide easily understandable notices of privacy practices. As a result, some entities not currently regulated by HIPAA will need to adapt to some of the HIPAA requirements related to breach notification and notice of privacy practices.
  • Cybersecurity & Infrastructure Security Agency: $9 million is allocated for supply chain and information analysis, as well as impacted critical infrastructure coordination.
  • Funding for Public Health Surveillance: $500 million is allocated for public health data surveillance and analytics infrastructure modernization.


Continue Reading COVID-19 Bulletin: CARES Act Provides Attention to Privacy & Data Security Precautions