Tag Archives: Johanna Skrzypczyk

A New Era of Federal Trade Commission (“FTC”) Privacy and Cybersecurity Oversight: Top Ten Things Companies Should Know When Assessing FTC Compliance and Exposure

by Luke Dembosky, Avi GesserTed HassiPaul D. RubinJim Pastore, Johanna Skrzypczyk, Leah Martin, Melissa Runstenand Christopher S. Ford

Companies developing FTC compliance programs, or under investigation by the FTC’s Bureau of Consumer Protection, should be aware of significant developments impacting the Commission’s regulatory authority and enforcement priorities.

Despite a number of recent judicial defeats that have significantly hampered the FTC’s ability to obtain: (1) injunctive relief when purported violative behavior is not ongoing; and (2) monetary remedies in federal court under Section 13(b) of the Federal Trade Commission Act (the “FTCA”), new FTC Chair Lina Khan has indicated that the FTC intends to aggressively enforce existing FTC consumer protection laws—and in particular alleged privacy and cybersecurity violations.

Continue reading

Face Forward: Strategies for Complying with Facial Recognition Laws (Part II of II)

by Jeremy Feigelson, Avi Gesser, Anna Gressel, Andy Gutierrez, and Johanna Skrzypczyk

This is Part 2 in a two-part series of articles about facial recognition laws in the United States. In Part 1, we discussed how current legislation addresses facial recognition. In this part, we assess where the laws seem to be heading and offer some practical risk reduction strategies.

Continue reading

Face Forward: Strategies for Complying with Facial Recognition Laws (Part I of II)

by Jeremy Feigelson, Avi Gesser, Anna Gressel, Andy Gutierrez, and Johanna Skrzypczyk

This is Part I of a two-part post. 

Two huge cross-currents are sweeping the world of facial recognition—and head-on into each other. Companies are eagerly adopting facial recognition tools to better serve their customers, reduce their fraud risks, and manage their workforces. Meanwhile, legislatures and privacy advocates are pushing back hard. They challenge facial recognition as inherently overreaching, invasive of privacy, and prone to error and bias. Legal restrictions of different kinds have been enacted around the country, with more seemingly certain to come.

How will the tension sort itself out between new use cases on the one hand and the push for legal restrictions on the other – and when? And what’s a company to do right now, with facial recognition opportunities presenting themselves today while the law remains a moving target?

This two-part series aims to help. In this Part 1, we lay out the current laws governing facial recognition in the United States. In Part 2, we assess where the law is headed and offer some practical risk-reduction strategies.

Continue reading

Seven Tips for Reducing CCPA Litigation Risks – Lessons from the First 18 Months

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Alexandra P. Swain, and HJ Brehmer

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Consumers can seek damages for any harm actually incurred as well as statutory damages ranging from $100 to $750 per consumer per incident.

Not surprisingly, in these early days of CCPA private actions, plaintiffs are trying to push the boundaries of the law and testing who, when, and why a CCPA claim may be brought. In this post, we offer practical tips for reducing CCPA risk based on a review of the cases filed to date and the treatment of those cases in the courts. 

Continue reading

Effective Access Controls, Timely Breach Notification, and Other Takeaways from the Latest NYDFS Cyber Resolution

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Parker Eudy, and Mengyi Xu

On April 14, 2021, the New York State Department of Financial Services (the “DFS”)  announced that its cyber-enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order (PDF: 550 KB) that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda. The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.

Continue reading