Taft partners Scot Ganow and Phil Schenkenberg will be featured speakers for the “Cybersecurity for In-house Legal Counsel” Seminar on Oct. 26. The virtual seminar will help in-house counsel understand the legal constructs and terminology widely used within the cybersecurity space, and to provide practical ways they can be more responsive and efficient when cyber issues arise. Taft is a sponsor of the event.

Ganow will present “Legal Overview and Key Cyber Risks for Businesses,” which covers the laws, regulations, standards, and best practices affecting not only an organization’s obligations but its opportunities with its most powerful asset:  Its Data.

Schenkenberg will moderate the panel discussion “Governance and Working Relationship Considerations in Privacy and Data Security.” The panel will explore how governance structures and relationship building within the C-suite can drive success in meeting privacy and security goals.

Register to attend here.

After months of public comment and sporadic guidance issued by the California Attorney General’s Office, at long last we have the final regulations under the California Consumer Privacy Act, which have been approved by the Office of Administrative Law and filed with the Secretary of State’s Office. The regulations go into effect immediately, and include changes and withdrawn proposals that range from typographical to impactful.

The California Attorney General’s office has characterized the changes to the CCPA text as “non-substantive,” and has withdrawn certain proposed provisions “for additional consideration.” The non-substantive changes are designed to improve consistency in language, and are described in detail in the Addendum to the Final Statement of Reasons. Some withdrawn provisions, however, could impact companies expected to comply with CCPA. We discuss some notable sections below.  Continue Reading Things Just Got Real: California Approves Final CCPA Regulations

Thank you, reader, for taking time out of your day to read this blog post. I trust before clicking on this link you first sought out our website’s Privacy Policy and reviewed it in full, took mental notes while silently nodding throughout, and finished with an audible “I agree” before moving on to review this content. Correct?

Very likely you did not, but take solace in knowing you are in good company. Only 22% of Americans report “often” or “always” reading online privacy policies, and that’s solely for websites which require browsers to affirmatively agree to a privacy policy (i.e., flashing a pop-up with some form of “check the box” affirmation). This does not engender much confidence that Americans are actively seeking out and consenting to the privacy policies embedded within the myriad of websites they visit on a daily basis. And who can blame them – a 2008 study estimated it would take 244 hours each year to read every privacy policy in full for all the websites an average web browser visited annually. So put down your summer beach novel and start reading privacy policies – you’re already 10 weeks behind.

All kidding aside, this is a real problem for the United States’ federal data privacy legal framework, which is guided in part upon the Federal Trade Commission’s Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness (“Consumers should be given notice of an entity’s information practices before any personal information is collected from them”), and (ii) consumer choice and consent (“In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice”). If the vast majority of websites utilize privacy policies which consumers are willfully ignoring or otherwise failing to recognize the existence of, much less comprehending their contents, how can one reasonably claim consumers are “on notice and aware” of privacy policies and exercising real “choice and consent” to the management of their personal data? Continue Reading You Read the Privacy Policy, Right? Sure You Did. A New Federal Bill Seeks to Address the Transparency Gap.

What is Privacy Shield?  Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.

EU Court holds Privacy Shield to be Inadequate.  On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU) held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data.  Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fails to meet “minimum safeguards” guaranteed by the EU. Continue Reading Warning! Shields are Down: Top EU Court Invalidates EU-US Privacy Shield Protections

It is summer and you just finished all the hard work to make sure your organization addressed all applicable California Consumer Privacy Act (CCPA or the “Act”) requirements.  You sit down, take a deep breath, and see what California has been up to during your CCPA preparations.  Well, lo and behold, California wants to give the nation’s most aggressive data protection law a facelift in a new ballot initiative to be voted on this November.

You may remember that California pioneered the first sweeping privacy reform in the United States in 2018 when the CCPA was passed. The Act was amended in 2019 and went into effect January 1, 2020, with enforcement beginning July 1 of this year. Taft’s Privacy & Data Security group has provided information regarding the data requirements of the CCPA in previous blog posts, but generally, the Act affords consumers the right to know what information is being collected from them, the right to prohibit businesses from keeping their information, and the right to opt-out of the sale of their personal information, among other things.  The CCPA already reaches outside California state lines, as it applies to companies that do business within the state that have revenues of over $25 million per year, derive at least 50% of its revenue from selling information, or buy, sell or share personal information of at least 50,000 California consumers, households or devices.

Continue Reading Data Déjà vu? Data Protection Back On the Ballot in California

Just a friendly reminder from the Taft Law Privacy and Data Security Practice Group that the Attorney General of California will commence enforcement of the California Consumer Privacy Act (CCPA) on July 1, 2020. While we have all understandably been focused on the many important issues of this year, both personally and professionally, let us not forget that the Attorney General of California explicitly declined to extend the enforcement date due to COVID-19 for this first of its kind state privacy law.

While it is obviously late in the game, and impossible to provide you all the ins and outs of CCPA compliance in this single post, you can always check older posts on our Taft Privacy & Data Security Insights.  That said, it doesn’t mean you can’t get started or continue making progress to understand and meet any applicable requirements for your business. Here are some quick points and additional resources to consider. Continue Reading Don’t Forget! CCPA Enforcement Commences July 1, 2020

Like so many companies navigating the challenges and changes demanded by COVID-19, we at Taft have had to move our entire workforce home while maintaining a high level of support for our employees and clients. Whether in crisis, design, or other business strategy, companies should carefully and methodically approach the transition of its employees, equipment, and data to a remote environment. Such an approach should be followed in all such moves, whether temporary or permanent. In this article we share what we have learned and some best practices that will benefit any company considering making the move.

A. Operational Support (Andrea Markstrom, CIO, Taft Stettinius & Hollister LLP)

Faced with COVID-19 and moving a firm of 620+ attorneys to home offices, I knew this was not just another business continuity tabletop exercise. I needed to plan thoroughly while still reacting quickly. To do so, I thought about how we were going to be able to keep our employees safe, fully productive, and continue providing excellent service to our clients. To be successful, I think you need to consider and accomplish the following three things. Continue Reading It’s more than giving ‘em a laptop: Operational & Security Considerations for Supporting the Remote Workforce

The road to hell is paved with good intentions. While the proverb may be a stretch for now, the latest lawsuit by the American Civil Liberties Union of Illinois (ACLU) against Clearview AI certainly shows that good intentions, when acted upon, may have unintended consequences. Technology utilized in the name of public protection—whether from global pandemics or criminal activity—can have disastrous effects when it comes to civil liberties and privacy.

The ACLU filed a lawsuit against Clearview AI based on violations of Illinois residents’ privacy rights. Clearview AI is a technology company that scrapes images from the internet, primarily from various social media platforms, in order to create a searchable database of individual’s face prints. The company claimed that it sold access to its searchable database to hundreds of police departments and federal agencies in order to protect children and aid victims of crimes. However, a recent data breach showed that Clearview AI actually also sold or provided access to its searchable database to retail chains Walmart and Macys, the NBA, Equinox, and many other non-law enforcement entities.

Continue Reading Crossing the Line? ACLU challenges Clearview AI’s Facial Recognition Technology

Businesses in all industries and of all sizes are collecting data about their customers, potential clients, and workforce. This collection can be as simple as processing credit cards for purchases or gathering data about consumer behavior on websites or social media platforms, or can include a robust collection of sensitive financial, location, or health information. In the event that an incident occurs, a business is obligated to respond quickly to address the pitfall and potentially inform consumers that their information may have been subject to an unauthorized access according to applicable national or state laws. Navigating these unchartered waters usually involves bringing in counsel to assess whether a “breach” has occurred, how much, whose and what information was accessed, and to potentially prepare for litigation from those consumers whose data was subjected to the breach.

As part of this response, counsel often calls on cybersecurity experts to provide incident response services and breach analysis to understand the severity of the breach and the company’s data security posture. These forensic assessments can be used in a variety of ways, including helping determine the immediate steps that need to be taken to comply with data breach laws, ensure that the compromise is resolved, or troubleshoot potential weak points in the company’s cybersecurity safeguards to develop a stronger infrastructure to avoid future incidents.

Continue Reading The Aftermath of a Breach: Evidentiary Protections Related to Forensic Investigations in Limbo

Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.

Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative. Continue Reading Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data