Photo of Zachary Heck

Zachary Heck

Subscribe to Zachary Heck's Posts

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Follow: Read more about Zachary HeckZachary's Linkedin Profile

As expected, another state has joined the privacy party. This month, Iowa positioned itself to become the sixth state in the nation to pass legislation establishing consumer data privacy protections. Iowa Senate File 262 (the “SF 262”) unanimously passed in the Iowa House and Senate and is now awaiting signature by Iowa Governor Kim Reynolds. When signed into law, SF 262 will become effective on January 1, 2025. The new SF 262 mirrors many of the protections and rights provided in the data privacy laws of the five other states (California, Colorado, Connecticut, Utah, and Virginia). Below are the key highlights that businesses should know about the bill.

Continue Reading Six down, 44 to go? Iowa Joins Privacy Party by Passing New Privacy Law

For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.

Continue Reading CMMC – Where Do We Stand in 2023?

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public on feedback regarding these proposed rules. While the draft CPA draft rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.

Continue Reading Colorado AG Publishes CPA Proposed Rules

Last week, the California Legislature passed Assembly Bill 2273:  the California Age-Appropriate Design Code Act (“CAADCA”).  CAADCA is an online safety bill, which contains unique privacy requirements to protect minors under the age of 18.

Covered Businesses:  Covered businesses under the bill include any “business,” as defined by the California Consumer Privacy Act, “that provides an online service, product, or feature likely to be accessed by children.”  This means that if your company conducts business in California and (a) has an annual gross revenue of more than $25 million; or (b) alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (c) derives 50% or more of its annual revenue from selling consumers’ personal information, then you will need to evaluate whether your products or services must also address CAADCA requirements.
Continue Reading Child’s Play: Latest California Bill Creates Significant Increase in Regulation for Covered Businesses Collecting Personal Data of Children

Employers have various interests in monitoring employees’ electronic activity on company systems. With an increasing number of businesses allowing remote work throughout and following the Covid-19 pandemic, some companies have sought to implement technical means to keep an eye on their employees’ online activity.  For example, employers may want to monitor this activity as a means to manage productivity and performance.  Enter: “Bossware.”
Continue Reading Paying the Cost to be the Boss(ware): Considerations Surrounding Employee Monitoring Technologies

We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation:
Continue Reading Are You Ready for CPRA? 6 Tips for the Final 6 Months

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”).  The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment.  However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both democrats and republicans, as well as members of the U.S. House and Senate.
Continue Reading What is the American Data Privacy and Protection Act?

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

One year ago this week, we posted a blog explaining that the New York Department of Financial Services (NYDFS) issued a framework of seven best practices that insurers should adopt, including a recommendation that insurers stop paying ransom payments in response to ransomware. Now, North Carolina has enacted a statute that not only forbids its public entities from paying ransoms, but also prohibits public entities from communicating with ransomware threat actors. Instead, North Carolina public entities, including public schools and universities, are required to consult with the North Carolina Department of Information Technology (NCDIT).
Continue Reading To Pay the Ransom or Not to Pay the Ransom? North Carolina Tells its Public Entities the Answer is an Emphatic NO