
Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Two weeks ago, the Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report examining whether Microsoft 365 can be used in compliance with the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged that Microsoft’s policies and disclosures lack clarity about how personal data is processed and which entity is processing it. DSK was unable to conclusively determine the cases in which Microsoft acts as a data controller rather than a data processor. The distinction matters because Article 5(2) of the GDPR places the accountability obligation on controllers, who bear additional responsibilities beyond those of processors. The DSK also expressed concern about Microsoft’s lack of clarity and notification to users regarding subcontractors and sub-processors, and determined that Microsoft’s level of detail on this point falls short of what the European Commission’s template Standard Contractual Clauses require.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). The draft rules clarify how the Attorney General plans to implement the CPA when it takes effect on July 1, 2023. The proposed rules are a draft, not yet finalized, and therefore subject to change; in the coming months the Colorado AG will seek feedback from key stakeholders and the public. Although finalization is months away, the proposed rules are intended to help entities understand the AG’s expectations for when the CPA becomes effective. Below are a few key highlights of the draft rules as they currently stand, which supplement the AG’s prior guidance from April 2022.

Continue Reading Colorado AG Publishes CPA Proposed Rules

Last week, the California Legislature passed Assembly Bill 2273:  the California Age-Appropriate Design Code Act (“CAADCA”).  CAADCA is an online safety bill, which contains unique privacy requirements to protect minors under the age of 18.

Covered Businesses:  Covered businesses under the bill include any “business,” as defined by the California Consumer Privacy Act, “that provides an online service, product, or feature likely to be accessed by children.”  This means that if your company conducts business in California and (a) has an annual gross revenue of more than $25 million; or (b) alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (c) derives 50% or more of its annual revenue from selling consumers’ personal information, then you will need to evaluate whether your products or services must also address CAADCA requirements.  Note that the CPRA amendments to the CCPA, effective January 1, 2023, revise these thresholds (among other changes, the consumer/household threshold rises to 100,000 and “sharing” of personal information is added to the revenue test), so the set of businesses that must evaluate CAADCA should be re-checked against the amended definition.
Continue Reading Child’s Play: Latest California Bill Creates Significant Increase in Regulation for Covered Businesses Collecting Personal Data of Children

Employers have various interests in monitoring employees’ electronic activity on company systems. With an increasing number of businesses allowing remote work throughout and following the COVID-19 pandemic, some companies have sought to implement technical means to keep an eye on their employees’ online activity.  For example, employers may want to monitor this activity as a means of managing productivity and performance.  Enter: “Bossware.”
Continue Reading Paying the Cost to be the Boss(ware): Considerations Surrounding Employee Monitoring Technologies

We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation:
Continue Reading Are You Ready for CPRA? 6 Tips for the Final 6 Months

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft of the proposed American Data Privacy and Protection Act (the “ADPPA”).  The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment.  However, even in draft form, the ADPPA is a notable advance in the effort toward a federal privacy law, with sponsorship from both Democrats and Republicans and from members of both the U.S. House and Senate.
Continue Reading What is the American Data Privacy and Protection Act?

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

One year ago this week, we posted a blog explaining that the New York Department of Financial Services (NYDFS) had issued a framework of seven best practices that insurers should adopt, including a recommendation that insurers stop making ransom payments in response to ransomware. Now, North Carolina has enacted a statute that not only forbids its public entities from paying ransoms, but also prohibits public entities from communicating with ransomware threat actors. Instead, North Carolina public entities, including public schools and universities, are required to consult with the North Carolina Department of Information Technology (NCDIT).
Continue Reading To Pay the Ransom or Not to Pay the Ransom? North Carolina Tells its Public Entities the Answer is an Emphatic NO

You may have heard of a security vulnerability disclosed in December 2021 in the Apache Log4j logging library (commonly called “Log4Shell,” CVE-2021-44228) that allows attackers to remotely execute code on, and thereby gain control of, a vulnerable system. You may also think this is old news and no longer an issue.  Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to run vulnerable versions of this library. So, what is it, and do you need to take any action to mitigate the risk?
Continue Reading Apache Log4j Security Vulnerability Is STILL a Problem – What is it, Who Does it Impact, and Should I do Anything About It?
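The practical first step behind “should I do anything about it?” is finding out whether a vulnerable log4j-core is present at all, including copies bundled inside WAR and EAR archives, which is where most of the long tail lives. The following is an added example written for this page, not code from the original post or from Rezilion’s report. It scans a (constructed, in-memory) WAR for nested log4j-core JARs, reads the version from the file name or from Maven’s pom.properties, applies the fixed-version thresholds published in Apache’s Log4j security advisories (2.17.1 for the main 2.x line, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch), and notes whether the JndiLookup class is still inside the JAR, since deleting that class was the widely used stop-gap for the remote code execution. The sample archive contents and placeholder class bytes are fabricated for the demonstration; point `scan_archive` at real files to use it.

```python
"""Added example (not from the post or Rezilion): offline scan for vulnerable log4j-core JARs."""
import io
import re
import zipfile

# Class whose removal was the stop-gap mitigation for CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core JARs carry; used when the file name has no version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def is_vulnerable_version(version):
    """Thresholds from Apache's Log4j 2 advisories (CVE-2021-44228/45046/45105/44832)."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False  # Log4j 1.x is end-of-life with its own issues, but is not Log4Shell
    if v[:2] == (2, 12):
        return v < (2, 12, 4)  # Java 7 branch
    if v[:2] == (2, 3):
        return v < (2, 3, 2)   # Java 6 branch
    return v < (2, 17, 1)


def _jar_version(zf, path):
    m = JAR_NAME_RE.search(path)
    if m:
        return m.group(1)
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, path, depth=0, max_depth=5):
    """Recursively walk a zip-based archive (JAR/WAR/EAR) and report log4j-core copies."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    version = _jar_version(zf, path)
    if version is not None:
        findings.append({
            "path": path,
            "version": version,
            "vulnerable_version": is_vulnerable_version(version),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        })
    if depth < max_depth:
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, max_depth))
    return findings


def needs_action(findings):
    """Anything on a vulnerable version needs an upgrade; class removal only blunts the RCE."""
    return [f for f in findings if f["vulnerable_version"]]


# --- constructed sample input (fabricated archive; class bytes are placeholders) ---
def _make_jar(version, include_jndi_lookup):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()


def build_sample_war():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_jar("2.14.1", True))   # vulnerable, unmitigated
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _make_jar("2.17.1", True))   # fixed
        war.writestr("WEB-INF/lib/logging-shaded.jar", _make_jar("2.12.2", False))     # renamed, class removed
    return buf.getvalue()


def scan_sample():
    return scan_archive(build_sample_war(), "app.war")


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

The renamed `logging-shaded.jar` case is the one that file-name-only scanners miss; checking pom.properties (or, on a real system, hashing known log4j-core class files) catches it. Treat “JndiLookup removed” as a partial mitigation only: the later CVEs in the 2.17.x line are not addressed by deleting that class, so the action item for any vulnerable version remains an upgrade.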

The Colorado Privacy Act (“CPA”) takes effect July 1, 2023, and will provide express consumer rights, as well as controller and processor obligations, relating to personally identifiable information of Colorado consumers. This month, the Office of the Colorado Attorney General (the “Office”) outlined the pre-rulemaking considerations for the CPA (“Pre-Rulemaking Considerations”), in an effort to educate regulated entities on the trajectory of this new law, and how such entities may address the upcoming requirements. The Pre-Rulemaking Considerations were also forecasted in Colorado AG Phil Weiser’s address to the International Association of Privacy Professionals 2022 Global Privacy Summit.
Continue Reading Colorado AG Explains Rocky Mountain Way for Data Privacy Law