Tag Archives: Will Schildknecht

Navigating Cross-Border Data Transfers: Lessons from the Sedona Conference Commentary


New commentary from a respected legal think tank attempts to provide guidance on cross-border data transfers. The guidance proposes principles for determining which country's law applies to a cross-border transfer. Although there is no guarantee that the guidance will gain favor with courts or regulators, it is an important indicator of what the future may hold for this important but still undeveloped area of law. While the commentary does not provide concrete steps for lawfully effecting cross-border data transfers today, companies can draw several lessons, detailed below, from the issues it highlights.

Data Privacy and Security Requirements During Coronavirus? Little Relief in Sight

by Will Schildknecht

As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and on the privacy and security compliance controls that depend on them. Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements. As detailed below, while the Securities and Exchange Commission ("SEC"), the Department of Health and Human Services ("HHS"), and the New York Department of Financial Services ("NYDFS") are offering some relief from regulatory requirements, the broader trend is for regulators on both sides of the Atlantic to maintain, and even heighten, data privacy and security compliance expectations.

The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 Million GDPR Fine for Poor Customer Authentication

by Avi Gesser, Daniel Forester, Will Schildknecht, Jennifer Leather, and Dr. Carolin Raspé (Hengeler Mueller) 

Both the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA") require companies to respond to customer data access requests. But how do you know that the person making the request is actually who they say they are? As we have previously noted on Davis Polk's Cyber Blog, significant amounts of personal information are publicly available as a result of major data breaches, and that stolen data can be used to make fraudulent access requests. So, how can a company avoid turning a good-faith effort to comply with its GDPR or CCPA access rights obligations into a privacy violation by unknowingly providing the personal information of customer X to someone pretending to be customer X? A recent GDPR enforcement action in Germany, as well as guidance from German and California regulators, shows that companies must exercise diligence in making sure that they have properly authenticated the data subject who is making the access request before releasing any data.

A 14.5 Million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

by Avi Gesser, Matthew Kelly, Will Schildknecht, Dr. Vera Jungkind (Hengeler Mueller), and Dr. Carolin Raspé (Hengeler Mueller)

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program. For most companies, the total amount of data they control grows substantially each year, and more data generally creates more data protection risk. Companies that have implemented effective data minimization programs are careful to collect only the data they are likely to use, and they routinely get rid of old data they no longer need, thereby significantly reducing their data protection risk. A recent enforcement action by the Berlin Data Protection Commissioner echoes recent U.S. regulatory developments in suggesting that companies without data minimization procedures face not only increased cybersecurity and privacy risks, but also regulatory risk, one that can lead to penalties even when it does not lead to a specific cyber incident. In other words, data minimization is becoming a stand-alone regulatory obligation, in addition to being a key component of cybersecurity best practices.
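The "routinely get rid of old data" practice described above only reduces risk if it is automated and auditable, and if it does not delete records that legal has placed on hold. The following Python sketch is an added example written for this post, not code from Davis Polk or from any enforcement action; the record categories, retention periods, and sample records are all constructed assumptions standing in for a company's real retention schedule and data inventory. It sorts records into those the sweep will delete, those that are expired but frozen by a legal hold, and those it cannot classify (which are flagged for review rather than silently kept forever), and produces an audit trail for what it removed.

```python
"""Retention sweep with legal-hold and unclassified-data handling.

Added illustration for the data minimization discussion; the retention
schedule, categories and records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule in days. In practice these values come
# from the company's records-retention policy, not from engineering.
RETENTION_DAYS = {
    "tenant_financial": 10 * 365,
    "marketing_lead": 2 * 365,
    "support_ticket": 3 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_used: date           # date of last business use, not creation
    legal_hold: bool = False  # set by legal; blocks deletion while True


def is_expired(record: Record, today: date) -> bool:
    """True if the category's retention period has run out for this record."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return False  # unclassified data is never auto-deleted
    return record.last_used < today - timedelta(days=days)


def plan_sweep(records, today: date) -> dict:
    """Classify records: 'delete' (expired, no hold), 'held' (expired but
    under legal hold), 'review' (no retention category assigned)."""
    plan = {"delete": [], "held": [], "review": []}
    for r in records:
        if r.category not in RETENTION_DAYS:
            plan["review"].append(r.record_id)
        elif not is_expired(r, today):
            continue  # still within retention; nothing to do
        elif r.legal_hold:
            plan["held"].append(r.record_id)
        else:
            plan["delete"].append(r.record_id)
    return plan


def apply_sweep(records, today: date):
    """Return (surviving records, audit trail of deletions).

    The audit trail is what a regulator asks for: which record, which
    category, and why it was removed."""
    plan = plan_sweep(records, today)
    doomed = set(plan["delete"])
    kept = [r for r in records if r.record_id not in doomed]
    audit = [
        (today.isoformat(), r.record_id, r.category, "deleted: retention expired")
        for r in records
        if r.record_id in doomed
    ]
    return kept, audit


# Constructed sample inventory and sweep date for demonstration only.
SWEEP_DATE = date(2020, 1, 1)
SAMPLE_RECORDS = [
    Record("r1", "tenant_financial", date(2005, 1, 1)),
    Record("r2", "tenant_financial", date(2015, 6, 1)),
    Record("r3", "marketing_lead", date(2017, 1, 1), legal_hold=True),
    Record("r4", "support_ticket", date(2016, 1, 1)),
    Record("r5", "legacy_export", date(1999, 12, 31)),  # no category assigned
]

if __name__ == "__main__":
    print(plan_sweep(SAMPLE_RECORDS, SWEEP_DATE))
    kept, audit = apply_sweep(SAMPLE_RECORDS, SWEEP_DATE)
    print("kept:", [r.record_id for r in kept])
    for entry in audit:
        print("audit:", entry)
```

Two design points worth noting. Unclassified data is the usual failure mode in practice: old exports and backups with no owner and no retention category. Treating them as "keep forever" by default is exactly what the enforcement action penalized, so the sweep surfaces them for review instead of ignoring them. And the legal-hold check sits after the expiry check on purpose, so that expired-but-held records are reported separately and the hold itself gets revisited rather than silently extending retention.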

The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

by Avi Gesser, Matthew Kelly, Will Schildknecht, and Clara Y. Kim

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act ("CCPA") when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. But, at least in the short term, it is likely that the CCPA's cybersecurity requirements will have the most significant impact on companies.

Unfortunately, the CCPA does not spell out its cybersecurity requirements explicitly. Rather, it creates a private right of action for California consumers against companies that have experienced a cyber breach in which their personal information was taken by an unauthorized person. A successful action requires that the exfiltration or disclosure be of unencrypted and unredacted personal information and result from the company's violation of its duty to implement and maintain reasonable security procedures and practices. § 1798.150(a)(1).

Cyber Monitoring Employees Part 2 – Insider Threats Continue After Employees Leave

We recently wrote about companies monitoring employees to reduce cybersecurity risks. Those insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is an obvious risk, but so is continued access to confidential company information by a former employee acting in good faith whose accounts and devices were never properly deprovisioned. Companies must therefore take steps to keep their data from walking out the door with exiting employees.

2019 Predictions – Top 10 Cybersecurity/Privacy Trends to Prepare for Now

by Avi Gesser, Daniel Forester, Will Schildknecht, Clara Kim, Daniela Dekhtyar-McCarthy, Mikaela Dealissia, Dan Thomson, and Mengyi Xu

2018 was another busy year for lawyers in the privacy/cybersecurity world: GDPR, CCPA, Marriott, the New York Department of Financial Services' cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies running tabletop exercises and risk assessments, and so on. But 2019 is looking to be even busier. Below are our predictions for the Top 10 things that will keep us busy in 2019, and what companies should be preparing for: