On October 27, 2023, the Federal Trade Commission (FTC) announced a significant amendment to the agency’s Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This amendment, reflecting an increasingly strident stance by the FTC on cybersecurity topics, mandates that non-banking financial institutions report certain data breaches and security events. Interestingly, the prudential banking regulators introduced data breach notice requirements, using GLBA authority in 2005. READ MORE

On Friday, July 14, the California Privacy Protection Agency (“CPPA”) Board held a public meeting to address a broad, fourteen-point agenda that ranged from updates on the Agency’s budget to the status of ongoing rulemaking to enforcement. READ MORE

The Illinois Supreme Court’s most recent rulings have cut both ways while further clarifying the contours of litigating Illinois Biometric Information Privacy Act (“BIPA”) claims. On one hand, its decision in the Cothron v. White Castle System case seemingly continues its trend to expand theoretical BIPA liability by both greatly magnifying the scope of theoretical liquidated damages while spurring even more litigation. READ MORE

On March 15th, the Securities and Exchange Commission (“SEC”) issued a proposed rule to revise Regulation S-P (“Proposed Regulation S-P”) which implements the privacy and security requirements of the Gramm-Leach-Bliley Act (“GLBA”) and certain other laws. The new proposed rule was issued almost exactly 15 years after the SEC issued proposed, but never finalized, revisions to Regulation S-P. On the same day, the SEC released a proposed cybersecurity risk proposed rule for several types of regulated securities entities (“Cyber Risk Proposal”). READ MORE

In February, the Federal Student Aid (FSA) office of the U.S. Department of Education issued Electronic Announcement General-23-09 on the updated and strengthened requirements of the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act Safeguards Rule. The new Electronic Announcement summarizes many of the requirements added by the FTC in the Safeguards Rule, most of which become effective June 9, 2023. READ MORE

The Federal Trade Commission (“FTC”) has kicked off what may be a new wave of digital health compliance enforcement. On February 1, 2023, the FTC announced its first enforcement action under the Health Breach Notification Rule. READ MORE

On October 24, 2022, the Transportation Security Administration (“TSA”) released Security Directive 1580/82-2022-01 regarding “Rail Cybersecurity Mitigation Actions and Testing.” The directive is applicable to freight railroad carriers identified in 49 C.F.R. 1580.101 and other TSA-designated freight and passenger railroads. READ MORE

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora resolving alleged violations of the California Consumer Privacy Act (CCPA). Although the CCPA has been in effect since January 2020, this marks the first time that an enforcement action under the statute has led to fines for a business. READ MORE

On August 22, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) that requests “public comment on the prevalence of commercial surveillance and data security practices that harm consumers. The ANPR contains 95 questions for consideration and comment. READ MORE

Connecticut and Utah both enacted comprehensive privacy laws this spring. On March 24, 2022, Utah became the fourth state to enact a comprehensive data privacy law when Governor Spencer Cox signed Senate Bill 227, known as the Utah Consumer Privacy Act (“UCPA”). Connecticut Governor Ned Lamont signed Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Privacy” on May 10. READ MORE

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The proposed rules would require, among other things, periodic disclosures about a company's policies and procedures to identify and manage cybersecurity risks. READ MORE

Multiple privacy bills were introduced in California on or just before February 18, 2022, the last day for bills to be introduced in the legislature’s current session. READ MORE

On Monday, February 14, 2022, the State of Texas by and through the Attorney General of Texas, Ken Paxton, filed suit against Meta Platforms, Inc. for alleged violations of the state’s biometric and deceptive trade practices laws. READ MORE

On February 9, 2022, the SEC announced proposed rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. READ MORE

On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019, and held a public workshop on the Rule in 2020. The Final Rule was published in the Federal Register on December 9, 2021. The Rule is effective on January 10, 2022, however, most of the substantive provisions of the Rule take effect a year from the publication date. READ MORE

Banks and other companies that provide services to banks have just a few short months to prepare for a major new federal notification requirement should an institution experience a “computer-security incident.” What are the parameters of the upcoming requirement and what qualifies as a notification incident? READ MORE

The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information (“PII”) is actionable. According to the Second Circuit, plaintiffs do not have standing to bring a lawsuit when there is no allegation their PII was targeted or misused. READ MORE

The California Privacy Rights and Enforcement Act (“CPRA”), formerly known as Proposition 24, passed on November 3, 2020. The CPRA is intended to supplement privacy protections for Californians that were first established by the California Consumer Privacy Act (“CCPA”). READ MORE

The U.S. Supreme Court’s 5-4 decision in TransUnion LLC v. Ramirez may make the road to privacy class actions harder. But recent decisions in the wake of Ramirez suggest the full impact of the decision remains to be seen. READ MORE

On August 31, 2021, New York Governor Kathy Hochul announced that Adrienne Harris has been nominated as the next Superintendent of the New York State Department of Financial Services. Ms. Harris began her career at Sullivan and Cromwell LLP and later worked for the United States Department of the Treasury under President Obama. READ MORE

On August 12, 2021, Judge Childs of the United States District Court for the District of South Carolina declined to dismiss claims against Blackbaud premised on California’s California Consumer Privacy Act (“CCPA”). The claims relate to a well-publicized ransomware attack on the company in early 2020. READ MORE

Connecticut Governor Ned Lamont approved two privacy and cybersecurity laws which take effect on October 1, 2021. Connecticut now offers protection to businesses that implement cybersecurity safeguards from punitive damages in tort lawsuits, while strengthening the state’s reporting requirements in the event of a data breach. READ MORE

On June 14, Texas Governor Greg Abbott signed House Bill 3746, which amends Texas’s data breach notification law. In doing so, Texas joins other states in requiring its attorney general to maintain a public listing of data breaches on its website. The amendments take effect September 1, 2021. READ MORE

Colorado has enacted the nation’s third comprehensive consumer privacy law, after Governor Jared Polis signed Senate Bill 21-190 into law. The Colorado Senate voted 34-1 to send the privacy legislation to the governor’s desk, after the House approved the measure in a 57-7 vote. Colorado is the second state this year to pass a law making it easier for consumers to protect personal data online. READ MORE

Former California Attorney General Xavier Becerra recently announced new regulations under the CCPA to “prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out.” READ MORE

A number of states have proposed new privacy legislation this year, including Florida, Oklahoma and more. Virginia is now the second state in the U.S. to enact comprehensive privacy legislation. READ MORE

New York’s proposed Biometric Privacy Act would require entities that possess biometric information or identifiers to obtain specific consumer consent for collecting, capturing, purchasing or trading such information, and would be privately-actionable as well. READ MORE

In the new reality of transparent data collection, use, and security, companies may be forced to strike a careful balance between protecting their confidential and privileged information and complying with various laws requiring them to be transparent and to keep consumers informed. READ MORE

On December 10, the Attorney General of California released a fourth set of proposed modifications to the California Consumer Privacy Act. These new modification follow the Attorney General’s proposed regulations released on October 11, 2019, as well as the California Attorney General’s previous modifications on February 10 and March 11, 2020. READ MORE

California Proposition 24, the California Privacy Rights and Enforcement Act, passed on November 3, 2020. The CPRA amends and supplements some of the key provisions in California’s existing consumer privacy law, the California Consumer Privacy Act. READ MORE

On August 14, California Attorney General Xavier Becerra announced that the Office of Administrative Law had approved the regulations for the CCPA and filed the regulations with the California Secretary of State. The regulations take effect immediately. READ MORE

The Court of Justice of the European Union has invalidated Decision 2016/1250, which found that the EU-US Privacy Shield – a primary mechanism used by US companies to transfer personal data from the EU to the US – provided adequate protections for personal data. READ MORE

The California Privacy Rights Act of 2020 has officially qualified for this November’s ballot. If passed, some provisions of the law would take effect five days after the California Secretary of State files the statement of vote, but the CPRA would be effective January 1, 2023 with a July 1, 2023 enforcement date. READ MORE

On June 1, California Attorney General Xavier Becerra submitted final CCPA regulations for review by the Office of Administrative Law. The final regulations are substantively the same as the second modified regulations that the AG released back in March, but the timing of the release creates new questions. READ MORE

On May 5, 2020, the Seventh Circuit held that a plaintiff who brought claims under the Illinois Biometric Information Privacy Act had suffered an injury-in-fact sufficient to confer Article III standing, and therefore her case could be heard in federal court. In doing so, the Seventh Circuit reversed the District Court’s prior order remanding the case back to state court. READ MORE

In response to COVID-19, many companies have shifted their workforce to working remotely. This creates some entirely new security challenges. In the new remote work reality, company personnel may need to assume a more active role in securing data and information systems. READ MORE

On March 17, 2020, more than 30 trade groups and companies co-signed a letter to California Attorney General Xavier Becerra asking him to postpone the enforcement date for the California Consumer Privacy Act from July 1, 2020, to January 2, 2021. The letter cites the COVID-19 crisis and the CCPA’s implementing regulations still being developed as justification for the delay. READ MORE

The California Attorney General released a new set of proposed modifications to the California Consumer Privacy Act, following the Attorney General’s proposed regulations released on October 10, 2019. The new modifications include some welcome changes for businesses and clarifying language for a number of the law’s sections. READ MORE

A class-action lawsuit against facial-recognition company Clearview AI alleges they unlawfully scraped biometric data from other websites and sold the resulting data to other entities. The case tests yet another provision of the CCPA relating to the law’s private right to action. READ MORE

A class-action lawsuit against Ring LLC alleging the plaintiffs’ rights to privacy were violated includes a cause of action under the CCPA, alleging plaintiffs were entitled to a CCPA notice informing them what information Ring was collecting and how it would be used. The case may lead to what could be the first judicial interpretation of the CCPA’s private right of action. READ MORE

On February 7, California’s Attorney General released modified proposed regulations implementing the California Consumer Privacy Act. Many of the revisions can be reasonably interpreted to lessen the burden on businesses attempting to comply with the CCPA. READ MORE

The Supreme Court’s denial of Facebook’s petition for certiorari regarding standing and class certification issues in a suit under Illinois’ BIPA portends some similarly large privacy settlements in the coming years. Given BIPA’s broad scope, companies should familiarize themselves with the statute and consider their risks. READ MORE

Two recent online privacy bills introduced in the U.S. Senate highlight some of the key privacy and data security issues that Congress may tackle next year. While they share much in common, key differences between the two include whether a federal bill would be privately-actionable and if it preempts state laws. READ MORE

The CCPA takes effect in less than a month. It will be the strictest privacy law in the country, and may be a model for other states as well. If they haven’t already, educational institutions—including both for-profit and non-profit schools—should take immediate steps to familiarize themselves with the statute and develop a plan to comply. READ MORE

Recent polls suggest that many companies covered by the CCPA are not yet compliant, creating interesting issues and pitfalls for merger & acquisition deals beginning in 2020. With the CCPA taking effect on January 1, the implications for covered business and those acquiring or merging with them deserve careful consideration. READ MORE

On October 10, 2019, California’s Attorney General released its long-awaited draft regulations explaining how the state intends to enforce the requirements of the California Consumer Privacy Act. The regulations leave much to the best judgment of businesses that will be doing their best to comply and are in response to questions raised during the comment-gathering process. READ MORE

Before the CCPA has even gone into effect, privacy advocates have already introduced new legislation further tightening California’s consumer laws. The vast majority of the new initiative would impose additional requirements on companies that want to do business with California consumers. READ MORE

Although the California Consumer Privacy Act will be effective in only a few short months, key amendments are still awaiting the Governor’s signature. Some of the amendments make exemptions from the CCPA, while others provide clarification of the Act’s terms. READ MORE

With no imminent legislative action curtailing the rush of BIPA litigation since Rosenbach v. Six Flags, it is critical that employers have the appropriate policies and procedures in place to comply with BIPA. This includes compliance requirements and best practices to avoid statutory penalties. READ MORE

The United States Supreme Court has remanded Frank v. Gaos back to the District Court after wrestling with the continuing challenges of “standing” in internet privacy litigation. The decision may have lasting implications for cybersecurity litigation brought under Article III. READ MORE

The Illinois Supreme Court has decided individuals need not allege injury other than a violation of their rights to bring suit under the Illinois Biometric Information Privacy Act, leaving the door open for future individual suits and class actions. READ MORE

A recent decision from the Supreme Court of Pennsylvania in Dittman v. UPMC may signal a significant change in fortunes for plaintiffs in data breach cases. Anyone storing or collecting data should be aware of the potential increase in security breach litigation in an employer/employee context. READ MORE

As more employees work remotely from home, the risk of a cyber breach stemming from a home network is increasing. With the immense repercussions of a breach at risk, companies should augment their cyber protection and breach response plans to include protections for home networks. READ MORE

The framework is significant for several reasons and is intended to help organizations manage the data privacy risks they are now exposed to more than ever thanks to new technologies. READ MORE

The CFPB’s long-awaited final rule affecting when financial institutions need to send out annual privacy notices is here. Our Cybersecurity Bits & Bytes blog has a great summary of the new rule and how it could save significant time and money for regulated institutions. READ MORE

In a blow to retailers and other businesses subjected to data breaches, the Seventh Circuit has reinstated a class action brought by consumers against Barnes & Noble arising from a 2012 breach. READ MORE

On March 28, 2018, Alabama Gov. Kay Ivey signed a bill that made Alabama the 50th and final state to enact a consumer data breach notification law. Prior to the signing, Alabama had been the last remaining state without such a law after South Dakota passed its data breach law last month. What do you need to know? READ MORE

On March 21, 2018, South Dakota’s Senate Bill 62 was signed into law, adding a 49th square to the nation’s patchwork of state data breach notification laws. South Dakota requires notification to an impacted individual – anyone whose personal information or “protected information” was accessed without authorization – within 60 days of discovery of a breach. READ MORE

In a February 21 Release, the U.S. Securities and Exchange Commission (SEC) announced new interpretive guidance for public companies regarding cybersecurity risk and incident disclosures. The new guidance (which expands on the 2011 statement from the SEC’s Division of Corporate Finance, which identified the cybersecurity risk—and consequence—disclosure obligations for public companies) introduces two new areas of focus which had not previously been addressed by the SEC. READ MORE

The IRS is warning the public about the emerging scams this tax season, which includes cyber-attacks targeting tax preparers and businesses. The statement includes the steps to take if you or your clients' tax data or financial information has been compromised. READ MORE

Addressing and managing operational cybersecurity risks is important not only to lessen the risks and fallout of a cyber-attack but also to demonstrate that your company has taken appropriate steps and implemented necessary procedures to protect itself and its financial or strategic partners. READ MORE

The increase in cybersecurity attacks on small businesses has gotten the attention of Congress. We take a look at the bipartisan bills aimed at bolstering cybersecurity protections for small business. READ MORE

If it isn’t already, cyber insurance should be top of mind for all industries and companies, regardless of size, as they find that they are increasingly vulnerable to a cyber attack and data breach. READ MORE

Illinois is one of the states that has enacted a number of laws designed to protect the privacy of employee information. Businesses that wish to avoid fines and other sanctions should be aware of the protections afforded to employees under these laws. READ MORE

Schools should take notice of the Missouri Auditors’ recommendations and carefully consider those recommendations when looking at their own cybersecurity programs. READ MORE

In what appears to be the closing act of the saga that is the Target data breach, on May 23 the retailer announced it had reached a historic $18.5 million settlement agreement with a coalition of 47 states’ attorneys general. It is almost certainly only a matter of time before the settlement is eclipsed by another major data breach. READ MORE

The May 11 Executive Order is a strong effort toward upgrading and addressing the United States’ cybersecurity capabilities. But it remains to be seen what sort of commitment the efforts identified will receive from Congress, private enterprises, and the rest of the government. READ MORE

The New York Department of Financial Services has created a new set of regulations designed to force certain regulated businesses to protect consumer and corporate financial information. READ MORE

Many more eyes than normal will be on what would ordinarily be a nondescript policy review of a data transfer agreement in September as the EU and US meet to assess the EU-US Privacy Shield. READ MORE

This settlement is a potent reminder that a data breach’s greatest financial impact on the victim entity may arise from liabilities to financial institutions — although this comes with the considerable caveat that lost sales and consumer goodwill resulting from a data breach can be more difficult to measure. READ MORE

Whether or not the 2nd Circuit follows the 7th Circuit’s lead will likely have far reaching consequences for the development of Article III standing jurisprudence in data breach cases. READ MORE

One of only a few states without its own data breach notification law, New Mexico is about to join the ranks of 47 states with such laws. HB15, awaiting the governor's signature, requires an expedient 45-calendar-day notification window. READ MORE

President Trump’s efforts to withdraw privacy protections for non-U.S. citizens are coming in direct conflict with recent efforts by the European Union to strengthen privacy protections for its citizens, no matter where in the world they travel. READ MORE

More and more, regulators are focusing their rulemaking power not just on how a company responds (or doesn’t respond) to a data breach, but the steps it took far in advance to prevent or mitigate such a breach. READ MORE

Like the EU-U.S. Privacy Shield, the U.S.-Swiss Privacy Shield provides U.S. companies with a single mechanism for complying with Swiss data protection and privacy laws when transferring data from Switzerland to the U.S. READ MORE

FINRA has sent a clear message to member firms that it is very serious about enforcing its cybersecurity regulations. Requirements to protect personal information as well as to preserve necessary evidence are not being taken lightly by FINRA. READ MORE

Just two weeks after we discussed an influential case that outlined the duty of oversight that directors of public and private Delaware corporations owe with regard to legal compliance risks like cybersecurity, a federal court issued an order that made the connection crystal clear. READ MORE

This holding limits the ability for the FTC enforce actions against entities who are involved in activities that only have distant chances of causing harm to consumers. READ MORE

A recent Letter of Consent issued by the SEC's Financial Industry Regulatory Authority (FINRA) contained some startling new requirements that, if enforced by FINRA, could place a significant burden on financial firms in regard to their privacy and cybersecurity policies. READ MORE

In a new opinion, the Delaware Chancery Court has stated that the standards of “bad faith” that must exist in order for directors to be held liable for failing to exercise oversight with regard to the corporation’s compliance with law in a risky area. READ MORE

A recent decision seriously challenges the CFPB’s executive power under Dodd-Frank. That challenge, in turn, raises questions about the ability of the CFPB to act as charged under Dodd-Frank. READ MORE

Companies are incurring significant damages from email spoofing, executive impersonation, and misuse of company trademarks and website content. Here are some steps to take before and after an attack. READ MORE

From smart thermostats that can be adjusted and set remotely to toasters and coffee makers that can be programmed to operate at specific times on specific days, smart devices are fast becoming a part of all of our lives. But are these smart devices and their connectivity secure? READ MORE

A new report from NIST highlights the many security threats associated with mobile devices. These threats are even more concerning for businesses whose employees use unsecured mobile devices to conduct business or send communications about proprietary or financial information. READ MORE

Yahoo’s announcement that a hacker exposed the information of over 500 million of its users is a strong reminder to all companies the importance of a breach response plan. Here we outline some tips for key elements of such a plan. READ MORE

A set of joint resources from NIST and FAIR can help cybersecurity professionals to both prioritize risks in their organization and allocate security resources to the most critical areas of exposure. READ MORE

Businesses must plan for the failure of technologies like firewalls, strong passwords, anti-malware, two-factor authentication and data sandboxing. In the event that unauthorized individuals gain access to sensitive data, businesses are increasingly turning to data encryption to safeguard the data itself. READ MORE

There is little question that 3D printing is an important part of technology and manufacturing development. But a recent study may raise some concern over the security of that technology in an unexpected way. READ MORE

The U.S. and EU have negotiated a new pact that would allow for U.S. companies to collect and store personally identifying information about EU citizens and to protect those citizens’ privacy pursuant to EU standards. So what are the requirements of this new Privacy Shield and what do they mean for U.S. companies doing business with European customers? READ MORE

With the passage of the Illinois Personal Information Protection Act (HB1260) last month, Illinois substantially broadened the definition of personally identifiable information, and imposed requirements on data collectors for the protection of Illinois residents’ information. READ MORE