by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Suchita Mandavilli Brundage, and Marissa MacAneney
On July 13, 2020, the Federal Trade Commission (“FTC”) hosted a virtual workshop on its proposed changes to the Standards for Safeguarding Customer Information (“Safeguards Rule”). The workshop followed up on the FTC’s 2019 notice of proposed rulemaking requesting public comment on its proposal to amend the Safeguards Rule.
As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.
by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu
The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (PDF: 278 KB) (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (PDF: 97.4 KB) (the “Regulation”), including:
The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.
by Friedrich Popp, Robert Maddox, Christopher Garrett, Fanny Gauthier, Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Thomas Schurrle, Alexandre Bisch, and Anna Gressel
Yesterday, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data. The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes. The CJEU’s lengthy decision is here and its short-form press release is here (PDF: 319.62 KB).
What does this mean for organizations that rely on Privacy Shield or SCCs? History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers. EU authorities hopefully will clarify their enforcement intentions soon. In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt. U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.
By Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Anna R. Gressel, Joshua B. Pickar, Suchita Mandavilli Brundage, and Samantha B. Singh
Each passing week of lockdown brings mounting economic and social costs, increasing the urgency to find ways to get more people back to work safely. A large part of that effort involves the development of contact tracing applications (“apps”) for mobile phones. These apps promise to allow low-risk individuals to return to some normal activities in the near term while continuing to isolate those with higher risks. But they also present cybersecurity and privacy concerns, as well as other potential legal issues, which we discuss below. Continue reading
by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Tricia Bozyk Sherno, Hilary Davidson, and Christopher S. Ford
As companies dust off their Business Continuity Plans to prepare for possible disruptions and remote working due to COVID-19, here are 10 cybersecurity considerations to add to the list of preparations: Continue reading
by Avi Gesser, Henry Lebowitz, Jeffrey P. Cunard, Jim Pastore, Lisa Zornberg, Luke Dembosky, Anna R. Gressel, and Steve Tegrar
It is only February, but, so far, 2020 looks like it is going to be the year that courts and regulators look seriously at artificial intelligence (“AI”).
Recent developments in both Europe and the United States provide some insight into where AI is likely to face tough scrutiny and ways to mitigate risks of using AI. Continue reading
by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba
On Friday evening, February 7, the California Attorney General released a new round of proposed changes to the draft regulations implementing the California Consumer Privacy Act. Some thoughts to help guide interested parties through the AG’s dense 32-page release (PDF: 1.25 MB), which redlines the proposed modifications against the prior draft regulations:
The draft proposes to clarify the definition of “personal information,” which turns on whether the information can be associated or linked with a particular consumer or household. It then provides an example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” Continue reading