Companion Cybersecurity Disclosure Bills Introduced in U.S. Congress

On February 28 and March 13, 2019, members of the U.S. Senate and U.S. House of Representatives introduced legislation designed to enhance the transparency of cybersecurity risk oversight at certain SEC reporting companies. Although the text of the House bill, H.R. 1731, is not yet publicly available, the bipartisan Senate bill, S. 592, would require the U.S. Securities and Exchange Commission to issue final rules in less than one year that would require SEC-registered issuers to make certain disclosures in their annual reports, or annual proxy statement as appropriate, regarding cybersecurity risk […]

Washington Privacy Act Passes State Senate Laying Pathway for the Bill to Become the Second Comprehensive State Privacy Act

On March 6, the Washington state Senate voted 46-1 to approve the Washington Privacy Act (WPA or the Act), otherwise known as SB 5376. If the bill passes the House, the bill would become the second comprehensive state privacy legislation behind the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. The bill would provide consumer rights, impose obligations on businesses collecting and selling personal information, and create an office of privacy and data protection to interface with state agencies on data privacy and data protection policy matters. The bill draws […]

Proposed Amendment to California Consumer Privacy Act Would Expand Private Right of Action

On February 25, California's Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced new legislation to amend the California Consumer Privacy Act (CCPA). The CCPA as currently enacted establishes a private right of action for consumers impacted by cyber security breaches. The amendment, known as SB-561, would expand the private right of action to cover any violation of a consumer’s rights under the CCPA. This would materially increase the risk to businesses of class action litigation from failures to comply with the privacy standards in the new law. The amendment […]

The FTC Decides to Uphold the CAN-SPAM Rule Without Any Changes

On February 12, 2019, the Federal Trade Commission announced that it completed its first review of the CAN-SPAM Rule, a rule governing commercial e-mail. Based on its review, the FTC announced its decision to “retain the [R]ule in its present form.” The FTC reviewed public comments and proposals in making its determination. According to the FTC’s confirmation of the Rule, of the 92 comments received, most were submitted by individual consumers and many suggested modifications to the Rule. Many comments were responses to specific issues raised by the FTC […]

NYDFS Cybersecurity Regulations Nearly Fully Effective

The February 15, 2019 NYDFS compliance certification deadline represents the last annual compliance certification subject to the transition period for covered entities to come into compliance with the cybersecurity regulations. NYDFS now expects covered entities to certify as to their compliance with all but one provision of the cybersecurity regulations, which relates to the implementation of third party service provider security policies and procedures. This 2019 compliance certification is the first certification to cover compliance with the provisions relating to audit trail, application […]

Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration

As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data. One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users. The amount of the Google fine startled many companies, but with time the shock faded. Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not […]

Illinois Supreme Court Empowers Claims Under Biometric Information Privacy Act

In an opinion issued Friday, the Illinois Supreme Court handed a potentially significant victory to plaintiffs advancing claims under Illinois’ Biometric Information Privacy Act and seeking statutory damages under that law. The Court held that plaintiffs do not need to assert injury or harm outside of a relevant violation of the statute itself in order to bring claims and seek statutory damages for relevant violations of the statute. Friday’s decision represents a potentially significant victory for members of the class action plaintiffs’ bar seeking to bring claims under the law. Illinois’s […]

EU and Japan Publish a Joint Release on Their Mutual Adequacy Decisions

On January 23, 2019, the Personal Information Protection Commission of Japan (the “PPC”) and the European Commission (the “Commission”) jointly announced the adoption of the decisions recognizing each other’s personal data protection systems as equivalent. The Commission launched the process leading to the adoption of the adequacy decision in September 2018 and successfully completed the process by obtaining the green light from a committee composed of representatives of the European Union (“EU”) Member States. In parallel, the PPC adopted a decision to designate the EU as equivalent […]

Massachusetts Amends Data Breach Notification Law

Massachusetts Governor Charlie Baker has signed legislation amending the state’s data breach notification law, and the amendments will take effect on April 11, 2019. The new requirements relate to the timing and content of individual and regulator notifications, as well as credit monitoring services offered to affected residents. The key amendments include the following provisions. No Fees for Security Freezes: The amended law does not allow consumer reporting agencies to charge fees for consumers who elect to place, lift, or remove a security freeze from their consumer report. Individual […]

SEC Files Complaint Against Hacker, Traders in EDGAR Data Breach Case

The Securities and Exchange Commission has filed a Complaint against eight traders, one alleged hacker, and others, in connection with a previously disclosed cybersecurity attack that infiltrated the SEC’s EDGAR system in 2016. The Complaint brings claims for violations of federal securities and antifraud laws and unjust enrichment, and seeks injunctions against future securities law violations as well as disgorgement, prejudgment interest, and civil penalties. The Complaint alleges that in 2016, a Ukrainian hacker infiltrated the EDGAR system and extracted “test files” containing non-public […]