Tag Archives: Jeremy Feigelson

Getting Ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws

by Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba

The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023.  In addition, the Colorado Privacy Act (“ColoPA”) takes effect on July 1, 2023.  These developments have companies understandably concerned about complying with a patchwork of state laws.

How can companies prepare?


The FTC’s Strengthened Safeguards Rule and the Evolving Landscape of Reasonable Data Security

by Jeremy Feigelson, Avi Gesser, Satish Kini, Johanna Skrzypczyk, Lily D. Vo, Corey Goldstein, and Scott M. Caravello

On October 27, 2021, the Federal Trade Commission (the “FTC”) announced significant updates to the Standards for Safeguarding Customer Information (PDF: 835 KB) (the “Safeguards Rule” or “Amended Rule”).  This rule, promulgated pursuant to the Gramm-Leach-Bliley Act, is designed to protect the consumer data collected by non-bank financial institutions, such as mortgage lenders and brokers, “pay day” lenders, and automobile dealerships, among many others (“subject financial institutions”).  The Amended Rule is likely to have a far-reaching ripple effect and inform the meaning of reasonable data security requirements industry-wide.  In this blog post, we highlight the Amended Rule’s more novel requirements and provide an overview of the potential impacts. 


Face Forward: Strategies for Complying with Facial Recognition Laws (Part II of II)

by Jeremy Feigelson, Avi Gesser, Anna Gressel, Andy Gutierrez, and Johanna Skrzypczyk

This is Part 2 in a two-part series of articles about facial recognition laws in the United States. In Part 1, we discussed how current legislation addresses facial recognition. In this part, we assess where the laws seem to be heading and offer some practical risk reduction strategies.


Face Forward: Strategies for Complying with Facial Recognition Laws (Part I of II)

by Jeremy Feigelson, Avi Gesser, Anna Gressel, Andy Gutierrez, and Johanna Skrzypczyk

This is Part I of a two-part post. 

Two huge cross-currents are sweeping the world of facial recognition—and head-on into each other. Companies are eagerly adopting facial recognition tools to better serve their customers, reduce their fraud risks, and manage their workforces. Meanwhile, legislatures and privacy advocates are pushing back hard. They challenge facial recognition as inherently overreaching, invasive of privacy, and prone to error and bias. Legal restrictions of different kinds have been enacted around the country, with more seemingly certain to come.

How will the tension sort itself out between new use cases on the one hand and the push for legal restrictions on the other – and when? And what’s a company to do right now, with facial recognition opportunities presenting themselves today while the law remains a moving target?

This two-part series aims to help. In this Part 1, we lay out the current laws governing facial recognition in the United States. In Part 2, we assess where the law is headed and offer some practical risk-reduction strategies.


SEC Levies $1 Million Penalty for Allegedly Misleading Cybersecurity Incident Disclosures

by Jeremy Feigelson, Avi Gesser, Paul Rodel, Joshua Samit, Charu Chandrasekhar, and Corey Goldstein

The U.S. Securities and Exchange Commission this week took the rare step of penalizing a company for its allegedly poor disclosure of a cyber incident. The SEC announced a $1 million civil penalty against Pearson plc (“Pearson”), a London-based educational publishing company that is a U.S. securities issuer. The penalty resolves charges that Pearson misled investors related to a 2018 data breach.

Key Takeaways from the First Year of CCPA Enforcement

by Jeremy Feigelson, David Sarratt, Jim Pastore, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, and Christopher S. Ford

On July 19, 2021, California Attorney General Rob Bonta announced his first-year enforcement update on the California Consumer Privacy Act (CCPA), and unveiled a tool to help the Attorney General’s office (CAAG)—the primary enforcer of the CCPA until the California Privacy Protection Agency takes over—identify CCPA violations. 

Over a year ago, on July 1, 2020, the first day of enforcement, the CAAG sent a number of statutorily-required violation notices to companies, making clear that the CAAG planned to aggressively enforce the statute.  Last week’s update is a clear continuation of this trend, with the CAAG introducing a new tool that California residents can use to easily report violations to the Attorney General’s office.  The CAAG also put the market on notice by providing enforcement statistics and examples of potential enforcement actions.  Both the tool and examples provide much-needed guidance on the CAAG’s enforcement priorities for the CCPA.    


Seven Tips for Reducing CCPA Litigation Risks – Lessons from the First 18 Months

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Alexandra P. Swain, and HJ Brehmer

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Consumers can seek damages for any harm actually incurred as well as statutory damages ranging from $100 to $750 per consumer per incident.

Not surprisingly, in these early days of CCPA private actions, plaintiffs are trying to push the boundaries of the law and testing who, when, and why a CCPA claim may be brought. In this post, we offer practical tips for reducing CCPA risk based on a review of the cases filed to date and the treatment of those cases in the courts. 


Effective Access Controls, Timely Breach Notification, and Other Takeaways from the Latest NYDFS Cyber Resolution

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Parker Eudy, and Mengyi Xu

On April 14, 2021, the New York State Department of Financial Services (the “DFS”)  announced that its cyber-enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order (PDF: 550 KB) that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda. The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.


Destruction Emerges as a Powerful Enforcement Measure for AI: FTC Requires Company to Delete Models Trained with Improperly Utilized Consumer Data

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Justin C. Ferrone, Anna R. Gressel, Paul D. Rubin, and Melissa Runsten

For those following emerging artificial intelligence (“AI”) regulations and enforcement closely, one issue of great interest is remedies. In particular: in what circumstances, if any, would regulators or courts find that a flawed machine learning or AI model must be scrapped entirely? A hot-off-the-press decision from the U.S. Federal Trade Commission (the “FTC”) suggests regulators will not shy away from saying “scrap it.”


Post-Election Law Privacy Law Prospects

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Frank Colleluori, Mengyi Xu, Jeffrey Cunard, Luke Dembosky, and Tigist Kassahun

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.
