Tag Archives: Michael Bloom

Getting Ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws

by Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba

The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023. In addition, the Colorado Privacy Act (“ColoPA”) takes effect on July 1, 2023. These developments have companies understandably concerned about complying with a patchwork of state laws.

How can companies prepare?


Tips for Creating a Sensible Cybersecurity and AI Risk Framework for Critical Vendors

by Avi Gesser, Anna Gressel, Zila Reyes Acosta-Grimes, and Michael Bloom

Companies face increasing cybersecurity and AI risk from third-party vendors. Cybersecurity risks arise when companies share sensitive personal data or company information with their vendors or when their vendors have direct access to the company’s information systems. Companies using AI technology that is developed by a vendor can also face risk if the AI behaves unexpectedly, and that results in negative impacts including on critical business operations. In recognition of these kinds of third-party data risks, on October 30, 2020, federal banking agencies—including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”)—released a joint paper (the “Joint Paper”) outlining sound practices designed to help banks increase operational resilience.


First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (PDF: 278 KB) (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (PDF: 97.4 KB) (the “Regulation”), including:

    • Failure to perform an adequate risk assessment
    • Failure to maintain proper access controls
    • Failure to provide adequate security training for cybersecurity employees
    • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.


Six Tips for Getting Rid of Old Electronic Files, Which Reduces Cyber and Privacy Risk and Is Now a Legal Requirement for Most Companies

by Avi Gesser, Michael Bloom, Mengyi Xu, and Dr. Friedrich Popp

Much has been written recently on the increased cybersecurity and privacy risks that companies are facing. One of the most effective ways for organizations to mitigate those risks is to significantly reduce the amount of data that they collect and maintain. Having less data means that there is less sensitive information to protect from hacks or leaks, which is why regulators are increasingly focused on the following data minimization requirements:

  • Collecting only the data that you actually need;
  • Using collected data only for authorized purposes; and
  • Retaining only data that you actually need.

Companies that have failed in the third element of data minimization, effectively getting rid of old data, have recently been the subject of regulatory action. In this Data Blog post, we discuss the regulatory requirements for getting rid of old data and offer six tips for complying with this new and difficult obligation.
