In 2019, Hanna Andersson, a children’s apparel store, suffered a data breach while using a Salesforce e-commerce platform. As a result of the breach, customers filed a class action lawsuit, alleging customer data was stolen and asking that both Hanna Andersson and Salesforce be held liable under the California Consumer Protection Act (CCPA). Background Barnes v. Hanna Andersson and Salesforce (4:20-cv-00812-DMR) was one of the first cases filed under the newly effective CCPA, and it…

On December 15, 2020, the FTC announced a proposed settlement with Ascension Data & Analytics, LLC, a mortgage industry analytics company, related to alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. In particular, the FTC claimed that Ascension Data & Analytics’ vendor, OpticsML, left “tens of thousands of consumers[’]” sensitive personal information exposed “to anyone on the internet for a year” due to an error configuring the server and the storage location. The FTC…

In a roller coaster of an election week, it was easy for smaller ballot measures to become overshadowed. One ballot measure that you may have missed is Massachusetts’s Ballot Question 1 regarding the “right to repair” motor vehicles. The ballot measure expands access to a driver’s motor vehicle data. Vehicles are increasingly becoming more computerized due to the use of “telematics systems.” Telematic systems are systems that collect and wirelessly transmit mechanical data to a…

The most intimate information can be found in the data on our cellphones and laptops, from geo-location data to search history. The level of privacy protections afforded to electronic data and communications have been unclear and ambiguous for years, but after this election, Michigan now has some clarity. On November 03, 2020, Proposal 2 was passed by an overwhelming majority, amending Article 1, Section 11 of Michigan’s Constitution. Proposal 2 will provide personal protections by…

The Department of Defense (DoD) continues to enhance cybersecurity requirements in its supply chain. A new rule requires some contractors to assign a numerical score to their current cybersecurity practices. Additionally, the rule begins rolling out requirements for all defense contractors to have their cybersecurity certified by a third party. For years, the gold standard for defense contractors has been NIST SP 800-171 (the NIST Standard). The NIST Standard establishes cybersecurity practices for companies that…

The privacy law landscape is constantly changing, and it can feel like a daunting task for businesses to keep up with the laws of 50 states in the U.S. plus any international laws that also may be applicable. 2020 seems to be a banner year for change on many fronts. COVID-19 and the 2020 elections have caused profound changes this year, but for those who are affected by changing privacy laws, this has been a…