Privacy & Data Security

By Rodger A. Heaton on October 22, 2019

Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business. Counsel and business executives take note: cybersecurity is not just an IT problem, robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data…

Privacy Compliance & Data Security

Poll Shows Strong Public Support in California for CCPA, Even Stronger Privacy Laws

By Odia Kagan on October 21, 2019

A survey of 777 registered voters in California showed 88 percent would support The California Privacy Rights Enforcement Act (CPREA), a 2020 ballot measure related to expansion of protections for personal information. The survey also concluded that 88 percent of respondents support the California Consumer Privacy Act, and 81 percent believe a potential federal U.S. privacy law should be as strong or stronger than the CCPA. Details on the survey from Californians for Consumer Privacy.…

Privacy Compliance & Data Security

What Does GDPR Say About Requests for Personal Data Being Used in Machine Learning Training?

By Odia Kagan on October 21, 2019

The UK’s Information Commissioner’s Office shares its thoughts on the complexity of producing or deleting data used to train machine learning algorithms in data subject requests under GDPR. Key points: It can be be much harder to link to a particular individual but this is not the same as anonymization. It may still be considered personal data, because it can be used to ‘single out’ the individual it relates to, on its own or in…

Privacy Compliance & Data Security

EU Member States Submit Comments on GDPR Enforcement

By Odia Kagan on October 21, 2019

In preparation for the first Article 97 evaluation and review of the General Data Privacy Regulation (GDPR), member states have submitted comments, reports Muge Fazliogu of the International Association of Privacy Professionals (IAPP) Key points: Businesses and government agencies feel overwhelmed, uncertain and confused. (Germany) Recommend to publish real cases of best practices, as well as cases of bad practices. (Czech Republic) GDPR’s approach to the protection of children is “fragmented and disjointed.” (Ireland) Children’s…

Privacy Compliance & Data Security

Proposal Would Hold Executives Personally Responsible for Lying to the FTC About Privacy and Data Security

By Odia Kagan on October 21, 2019

“Company executives would face possible jail time for lying to the Federal Trade Commission about privacy and data security matters, under a new bill by U.S. Sen. Ron Wyden, a Democrat representing Oregon,” reports Daniel R. Stoller, Esq. for Bloomberg Law. “The Mind Your Own Business Act would give the FTC new authorities and resources to police privacy. It would allow the FTC to issue fines for first-time privacy violators of up to 4 percent of annual…

HL Chronicle of Data Protection

OCR Provides Insight into Enforcement Priorities and Breach Trends

By Marcy Wilder, Paul Otto & Katherine Kwong on October 21, 2019

Regulators, industry experts, and researchers provided insight into health privacy and security enforcement trends, emerging threats, and new tools at a recent conference focused on the Health Insurance Portability and Accountability (HIPAA) regulatory framework. Moving into 2020, organizations with health data should be aware of: Shifting OCR enforcement priorities; Regulators’ continued attention to key HIPAA compliance activities; The changing threat landscape for health data; and New guidance and frameworks for health data not…

Steptoe Cyberblog

Episode 283: Is intelligence “reform” a self-licking ice cream cone and compliance trap?

By Stewart Baker on October 21, 2019

Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on…

Privacy Compliance & Data Security

California Adds Biometric Data, Other Identifiers, to Breach Notification Law

By Odia Kagan on October 21, 2019

California has amended its data breach notification law to include biometric and other identifiers. The bill (AB 1130), signed by Gov. Gavin Newsom on October 11, revises the definition of personal information for purposes of data breach notification requirements to add specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to…

CyberAdviser

Analysis: Verifying Consumer Requests Under the CCPA

By Philip N. Yannella & Gregory P. Szewczyk on October 21, 2019

For businesses, one of the more worrisome scenarios under the CCPA occurs when they mistakenly provide personal information of a consumer to the wrong party in response to a consumer request, whether because of fraud or simple mistake. Because the definition of data breach under the CCPA is very broad, the unauthorized sharing of personal information with the wrong party could theoretically give rise to a civil cause of action with statutory penalties of $100-$750,…

Carpe Datum Law

Look Out Marvel, There’s a NEW SHIELD in Town

By Richard Lutkus, EnCE, EnCEP, CEH, Edward "Ted" Murphree & Jamila Hemmerich on October 21, 2019

For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD. New York state recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short. This Act expands New York’s data breach notification statute in definition, notice, scope, and compliance requirements of any individual or…