Ransomware – a demand for a monetary payment to regain access to one’s data or network – continues to rock the charts as cyber criminals’ go-to, get-rich-quick scheme. As we know, the pandemic spurred the work-from-home or hybrid movement that likely will continue for years to come. With more and more employees working from home, more data is being shared remotely, leaving the door open for missed or inadequate computer and technology security. Phishing and fraud schemes and social engineering methods used to demand ransom are particularly attractive as they target and take advantage of the number one security risk – a company’s people.
Continue Reading Multi-Factor Authentication: The New Norm for Cyber Insurance Coverage

The California Attorney General’s office recently announced that French multinational personal care and beauty products retailer Sephora, Inc. has agreed to pay $1.2 million to resolve allegations that the company violated the California Consumer Privacy Act (CCPA), making it the first settlement under California’s landmark privacy law.

The CCPA is a first-in-the-nation law that was passed in 2018 and went into effect in 2020. It gives Californians the right to know what information a business collects about them and shares; the right to delete personal information collected from them; the right to opt out of the sale of their personal information; and the right to not be discriminated against for exercising all the rights the CCPA gives them. Oftentimes, online retailers allow third-party companies to install tracking software to monitor a consumer’s shopping trends.
Continue Reading The CCPA Strikes the First Major Blow: Sephora Settles Allegations for $1.2 Million

If you haven’t already seen the notifications in the Taft Privacy and Data Security Mobile App, we wanted to make you aware or remind you about some important security updates issued by Apple affecting multiple products. CISA (Cybersecurity & Infrastructure Security Agency) is recommending consumers update their devices as soon as possible.


Continue Reading Important Security Updates Issued by Apple

Employers have various interests in monitoring employees’ electronic activity on company systems. With an increasing number of businesses allowing remote work throughout and following the COVID-19 pandemic, some companies have sought to implement technical means to keep an eye on their employees’ online activity. For example, employers may want to monitor this activity as a means to manage productivity and performance. Enter: “Bossware.”
Continue Reading Paying the Cost to be the Boss(ware): Considerations Surrounding Employee Monitoring Technologies

Quite often, business data can be characterized as intellectual property. But you want to share your data with the world, or maybe just customers or clients. This can be tricky. Improper, premature, or unlawful disclosure of certain intellectual property can be damaging and detrimental to your business. So, how do you protect it?

As you have read here on Privacy and Data Security Insights, data privacy is concerned with properly handling one’s personal data – ensuring you get consent, provide notice, and meet applicable regulatory obligations. Another concern should be whether or how data is shared with third parties. However, it is essential to remember that some data, depending on the content, may be considered and protected as intellectual property.
Continue Reading The Intersection of Data & Intellectual Property: You Want to Share it, but How do You Protect it?

Last week, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion to ensure that companies that use and share credit and background reports have a “permissible purpose” under the Fair Credit Reporting Act (“FCRA”). The credit, criminal, job, and rental records of individuals are a few items consumer reporting agencies gather, compile, and assess. This information is then packaged into a report and used across various industries by creditors, insurers, landlords, employers, and others to make eligibility and other decisions about consumers. This collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial information contained within consumer reports pose significant risks to consumer privacy. Thus, to combat these risks and better safeguard individuals’ personal data, the CFPB’s new advisory opinion makes clear that users of credit reports also have express obligations to protect this sensitive data. For these reasons, entities must have a “permissible purpose” when obtaining such reports.
Continue Reading The Consumer Financial Protection Bureau Issues an Advisory Opinion Strengthening Consumer Privacy

We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation:
Continue Reading Are You Ready for CPRA? 6 Tips for the Final 6 Months

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”). The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment. However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both Democrats and Republicans, as well as members of the U.S. House and Senate.
Continue Reading What is the American Data Privacy and Protection Act?

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry