Tag Archives: Jim Pastore

Updating the Safeguards Rule: FTC Touts Proposed Changes at Virtual Workshop

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Suchita Mandavilli Brundage, and Marissa MacAneney

On July 13, 2020, the Federal Trade Commission (“FTC”) hosted a virtual workshop on its proposed changes to the Standards for Safeguarding Customer Information (“Safeguards Rule”). The workshop followed up on the FTC’s 2019 notice of proposed rulemaking requesting public comment on its proposal to amend the Safeguards Rule.


Schrems II – Where are we now?

As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.


First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (the “Regulation”), including:

    • Failure to perform an adequate risk assessment
    • Failure to maintain proper access controls
    • Failure to provide adequate security training for cybersecurity employees
    • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.


Schrems II: Privacy Shield Invalid and Severe Challenges for Standard Contractual Clauses


Yesterday, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data. The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes. The CJEU’s lengthy decision is here and its short-form press release is here.

What does this mean for organizations that rely on Privacy Shield or SCCs? History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers. EU authorities hopefully will clarify their enforcement intentions soon. In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt. U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.


Can Contact Tracing Apps Help Get Many of Us Back to Work Soon? A Framework for Evaluating the Various Options and Legal Concerns

By Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Anna R. Gressel, Joshua B. Pickar, Suchita Mandavilli Brundage, and Samantha B. Singh

Each passing week of lockdown brings mounting economic and social costs, increasing the urgency to find ways to get more people back to work safely. A large part of that effort involves the development of contact tracing applications (“apps”) for mobile phones. These apps promise to allow low-risk individuals to return to some normal activities in the near term while continuing to isolate those with higher risks. But they also present cybersecurity and privacy concerns, as well as other potential legal issues, which we discuss below.

Debevoise Coronavirus Checklists—Cybersecurity

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Tricia Bozyk Sherno, Hilary Davidson, and Christopher S. Ford

As companies dust off their Business Continuity Plans to prepare for possible disruptions and remote working due to COVID-19, here are 10 cybersecurity considerations to add to the list of preparations:

Fifteen Ways to Reduce Regulatory and Reputational Risks for Your AI-Powered Applications – Lessons from Recent Court Decisions and Regulatory Activity

by Avi Gesser, Henry Lebowitz, Jeffrey P. Cunard, Jim Pastore, Lisa Zornberg, Luke Dembosky, Anna R. Gressel, and Steve Tegrar

It is only February, but, so far, 2020 looks like it is going to be the year that courts and regulators look seriously at artificial intelligence (“AI”).

Recent developments in both Europe and the United States provide some insight into where AI is likely to face tough scrutiny and ways to mitigate risks of using AI.

Proposed Modifications to CCPA Regulations—Top Takeaways

by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba

On Friday evening, February 7, the California Attorney General released a new round of proposed changes to the draft regulations implementing the California Consumer Privacy Act. Some thoughts to help guide interested parties through the AG’s dense 32-page release, which redlines the proposed modifications against the prior draft regulations:

Guidance on “Personal Information”

The draft proposes to clarify the definition of “personal information,” which turns on whether the information can be associated or linked with a particular consumer or household. It then provides an example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”