Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them. The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor. Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately. It goes into effect on January 1,…

Are your cybersecurity management practices reasonable? Do you know your risk tolerance? Are you covering all the cybersecurity bases that make up reasonable cybersecurity? The California Consumer Privacy Act (CCPA) and other emerging laws require organizations to have “reasonable cybersecurity practices.” The challenge is that there is no accepted definition of exactly what “reasonable” means. Addressing this challenge, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, will participate as a panelist for the online…

On September 29, California Governor Gavin Newsom signed an amendment (AB 1281) that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions through December 31, 2021. The extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements. Partial Employee and B2B Exemptions The amendment extended the exception for businesses from complying with certain CCPA requirements with respect to the personal information of California…

The Blackbaud Breach In July of this year, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of administration, fundraising, and financial management software, notified its clients that it had discovered and stopped a ransomware attack.  In a public statement, Blackbaud described the attack: In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber…

Shrems II – Groundhog Day, All Over Again Past is Prologue One of the keys to the European’s Union data protection regime has been the prohibition against transferring personal data from EU countries to jurisdictions that do not have regimes that, in the determination of the EU, provide adequate protection to consumers. Beginning in 2000 the U.S. – EU Safe Harbor Framework allowed U.S. companies to certify their compliance with EU data protection requirements, and…

Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, will host a panel of industry leading experts for the webinar, The Right Stuff: Validating Reasonable Information Security Date: Thursday, June 18, 2020 Time: 10 AM – 11:15 AM PDT; 1 PM –  1:15 PM EDT Register Now Most organizations have never had to prove that they have reasonable information security. Business and legal pressures are changing this dramatically. The California Consumer Privacy Act exposes…

As a privacy and cybersecurity lawyer, I’m often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor’s model, make sure to change the name and contact information, and they’re done. They are right about one…