Tech Industry & Consumer Advocates Share Support for Federal Data-Privacy Legislation, Differ on the Details

In late September and early October, the Senate Commerce Committee held a pair of hearings with tech companies and consumer advocates to explore the possibility of federal data-privacy legislation.  The Committee invited representatives from tech giants such as Google, Amazon, and Twitter to testify in September, then in October invited Dr. Andrea Jelinek, Chair of the European Data Protection Board;… More

SEC Brings First Enforcement Action for Identity Theft Red Flags Rule Violations

On September 26, in the Securities and Exchange Commission’s (“SEC”) first enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), Voya Financial Advisors Inc. (“VFA”), an SEC-registered investment adviser and broker-dealer, has agreed to settle charges relating to failures in its cybersecurity policies and procedures concerning a cyber-intrusion that compromised thousands of customers’ personal information. VFA agreed to pay a $1 million penalty as well as retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.… More

GDPR Creates Rugby Scrum

In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict.   As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries.  … More

China Expands Its Cybersecurity Regulations

As noted recently in the Wall Street Journal, “New cybersecurity rules will give Chinese authorities sweeping powers to inspect companies’ information technology and access proprietary information—steps that are likely to deepen concerns among foreign businesses about their China operations.”  These regulations were issued pursuant to the Cybersecurity Law of the People’s Republic of China, which came into force on June 1, 2017.… More

Senator Warner’s White Paper Gives Congress Options for Regulating Social Media and Technology Companies

Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.… More

California Amends its Consumer Privacy Act

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law,… More

New Law Provides Free Credit Freezes and Year-Long Fraud Alerts

As summarized nicely in the FTC FAQs below, there is a new law, the Economic Growth, Regulatory Relief, and Consumer Protection Act, that makes credit freezes free and extends fraud alerts to last a full year.  Here are some of the most common questions raised about this new law, and the FTC’s answers:

Q: I already had a credit freeze in place when the new law took effect on September 21,… More

French Data Protection Authority Takes Stock After 4 Months of GDPR

Four months after the GDPR came into effect, the French Data Protection Authority (“CNIL“) published a first assessment with some impressive figures:

  • It received more than 600 personal data breach notifications, ‎i.e., about 7 notifications each day, involving approximately 15 million individuals.
  • It received 3,767 complaints from individuals. As we commented on this blog,…
  • More

Three Things Not to be Forgotten about the GDPR’s “Right to be Forgotten”

Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.

  • The “right to be forgotten” was not created by the GDPR

The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…),… More

Hacker Fails to Establish “Necessity” of DDOS Attack on Hospital

In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense:  necessity.  In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer[] competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”… More