Alston & Bird Issues Advisory on Applying GDPR Experience to CCPA Implementation

Alston & Bird recently issued an advisory entitled, “Applying GDPR Process Lessons to the CCPA,” authored by Jim Harvey and Karen Sanzaro. The recently and hastily adopted California Consumer Privacy Act of 2018 (CCPA) has already been compared to the General Data Protection Act (GDPR), though the two greatly differ in scope and content. However, there are valuable insights to glean from the GDPR adoption process that can give companies a head start on implementing the CCPA. The advisory examines these five lessons from which companies can learn: Leadership and multidisciplinary [...]

DOJ Releases “Best Practices for Victim Response and Reporting of Cyber Incidents,” Version 2.0

On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance [...]

CBDF Research Fellow Theodore Christakis Publishes Article on E-Evidence Request Review Procedures

Theodore Christakis, Professor of International at the University Grenoble Alpes and Senior Fellow at the Cross-Border Data Forum, has published a new article examining the right of European Union Member States to review European Production Orders under the draft E-Evidence framework. Prof. Christakis looks at Statewatch’s recently released key EU Council documents on the E-Evidence negotiations, written comments from Member States, and Professor Martin Böse’s recent LIBE Committee-commissioned study on the Commission’s proposals on electronic evidence. Prof. Christakis’s article [...]

SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule

On September 26, 2018, the SEC brought its first-ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers, and require those entities to maintain written policies and procedures to detect, prevent and mitigate identity theft, and to safeguard customer records and information, respectively. The SEC’s action against Voya Financial […]

Governor Jerry Brown Signs Amendment to the California Consumer Privacy Act

On September 23, 2018, Governor Jerry Brown signed SB 1121, the amendment to the California Consumer Privacy Act (CCPA). SB 1121 attempts to clean up some drafting errors and ambiguities in the original legislation (AB 375), but it also effectively reduces the procedural obstacles to the CCPA’s private right of action by removing the requirement that a plaintiff first notify the Attorney General before filing a lawsuit pursuant to the CCPA, which would have provided the Attorney General the opportunity to order a plaintiff not to proceed. For a more in-depth analysis of the private right of […]

Ohio Enacts Cybersecurity Safe Harbor Law

Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable […]

India’s Draft Data Protection Bill: Another GDPR Around The Corner?

India recently introduced the Personal Data Protection Bill 2018 (“Bill”). The transfer of personal data in India is currently governed by the SPD Rules (Sensitive Personal Data and Information, 2011), which are, however, considered outdated and not fully protective of personal data. The Bill comes as a result of the recent judgment of the country’s Supreme Court that declared privacy a fundamental right of an individual. The Srikrishna Committee (“Committee”) was responsible for drafting the Bill and coined a legal framework that is aimed at shaping the country’s digital agenda. The Committee […]

An Update on the California Consumer Privacy Act and Its Private Right of Action

While it remains to be seen what the final text of the California Consumer Privacy Act (CCPA) looks like when it is ultimately implemented on January 1, 2020, at present it seems likely that businesses and employers can expect an influx of lawsuits from individual consumers proceeding under the CCPA’s private right of action. Under the current version of the CCPA, the Act provides a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and […]

California Legislature Amends CCPA

Last Friday, the California Senate and Assembly passed SB-1121, amending the California Consumer Privacy Act (“CCPA”) as enacted in June. We previously issued an advisory following the June enactment, and will host a webinar discussing the law (as now amended) on September 12. This blog post highlights some of the key amendments to the CCPA. SB-1121 amends the CCPA as follows: Exemptions for Health Providers. The bill clarifies that the CCPA does not apply to protected health information (“PHI”) or medical information governed by the Health Insurance Portability and Accountability […]

Brazil Transitions from Sectoral to Omnibus Privacy Regime

On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework. Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July. In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority (DPA) with a separate bill. Scope Like the GDPR, Brazil’s LGPD includes an expanded […]