The FTC recently settled with Infotrax Systems, L.C. a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed InfroTrax’s server unnoticed at least seventeen times. The data accessed included social security numbers and payment card information. It also included unencrypted user IDs and passwords.…

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of…

Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020.…

The California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more…

As we reported in our sister blog, “One ‘Chirp, Buzz, Or Blink’ Is Not Enough To Sue Under the TCPA”, a recent court decision makes it more difficult for plaintiffs to establish standing under the Telephone Consumer Protection Act. In its decision, the Eleventh Circuit ruled that a single text message from an attorney to his former client did not amount to sufficient harm to sue in federal court. The Court concluded that…

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests…

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of…