Rebekah Mackey, Taft summer associate, contributed to this article.

Just months after the European Union’s General Data Protection Regulation, or “GDPR” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.

The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.


Continue Reading

As you put together your resolutions and plans for the new business year, it is important to remember that the European Union’s (“E.U.”) General Data Protection Regulation (“GDPR”) will go into effect on May 25, 2018. The impact that it could have on U.S. companies will depend on whether a company processes the personal data of E.U. citizens (note: the definition of “personal data” under the GDPR is quite broad). If you think this doesn’t apply to your company, think again – even without a physical presence in the E.U., the internet makes it easier than ever to collect personal data from E.U. residents while operating solely in the U.S. So, whether it’s the information of your customers, the customers of your clients, or even the personal data of your own employees, it is important to be aware of your obligations under GDPR and the ways by which you can comply.

As we introduced last year, underpinning the GDPR is the view that privacy is a fundamental human right. Accordingly, the GDPR takes a comprehensive approach to privacy law – much more so than the sectoral approach used here in the U.S. In the U.S., privacy tends to be regulated based on the category of information collected (e.g., protected health information under HIPAA). Under the GDPR, as well as its predecessor, the Data Protection Directive 95/46/EC, the focus is on personal data in all sectors of industry. And we should take a moment to remind everyone that stringent regulations on transferring personal data from the E.U. to the U.S. are not something new. U.S. companies should have been complying with the Data Protection Directive since 1995. Indeed, many companies are just now starting to do what they should have been doing for a long while. In truth, in some part, this lack of compliance or sufficient protection of personal data is why the GDPR has come to be.


Continue Reading

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data
Continue Reading

This is part one of a multi-part look into the EU’s General Data Protection Regulation (GDPR) and why U.S. companies need to concern themselves with an EU law, the difference from U.S. regulations and the different mechanisms available to comply. We will conclude this series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series.

The GDPR is a new privacy
Continue Reading

DOD New Cybersecurity regulationsThe US Department of Defense’s (DoD) new cybersecurity regulations require defense contractors to cooperate with Government support services contractors investigating a “cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor’s ability to provide operationally critical support.”  DoD’s Defense Industrial Base Cybersecurity Activities Final Rule, 32 CFR 236.4(b), (m)(5) (effective Nov. 3, 2016); Response to Public Comments, 81 FR 68312 (Oct. 4, 2016).

It doesn’t take much imagination to
Continue Reading

Threat Intelligence is, very simply, network defense techniques that leverage knowledge (i.e. intelligence and counter intelligence) about adversaries so that organizations can build a superior information base which decreases the chances of an attacker compromising their networks. Gartner more specifically defines it as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”

Vulnerability
Continue Reading

Taft Privacy and Data Security Practice Group attorneys Diane D. Reynolds and Matthew D. Lawless are attending the annual International Association of Privacy Professionals (“IAPP”) Global Privacy Summit 2015 in Washington, D.C. on March 4-6. The IAPP is a comprehensive body of resources, knowledge and experts that provide the groundwork to navigate the complex landscape of today’s data-driven world.

Both Reynolds and Lawless hold the Certified Information Privacy Professional/United States (“CIPP/US”) credential, the global standard in privacy certification, through the
Continue Reading