Nameir Abbas

Nameir's international relations background gives him a breadth of experience in detailed review of his clients' technology and privacy initiatives and issues.

South Carolina Insurance Data Security Law Now Effective

Posted on: 07 Jan 2019

South Carolina’s prescriptive data security law for insurers took effect on January 1, 2019. Subject to specified exemptions, the law requires any person licensed pursuant to South Carolina insurance laws to take certain steps, including among other things notification of specified cybersecurity events to the South Carolina Department of Insurance. Covered persons are also required to implement a written information security program (by July 1, 2019) and to comply with provisions on third-party service providers (by July 1, 2020). Please see our previous coverage of the law for additional […] Read more

Department of Commerce Issues FAQs on UK’s Exit from the EU

Posted on: 02 Jan 2019

The Department of Commerce recently issued a number of FAQs on the effect of the UK’s impending exit from the EU on the Privacy Shield. As these FAQs make clear, there remains significant uncertainty as to how the UK’s exit will play out from a transitional perspective, and Privacy Shield participants will need to plan for at least two different scenarios. In the first scenario, the UK and the EU manage to finalize an agreement on a transitional period – from the planned date of the UK’s exit, March 30, 2019, to December 31, 2020 – during which EU law (and EU data protection law) will […] Read more

South Carolina Enacts Insurance Data Security Act

Posted on: 20 Aug 2018

South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) […] Read more

Supreme Court Recognizes Reasonable Expectation of Privacy in Historical Cell-Site Location Information

Posted on: 27 Jun 2018

The Supreme Court recently held in Carpenter v. United States that an individual has a reasonable expectation of privacy in historical cell-site location information (CSLI) that provides a comprehensive view of the individual’s movement. A 5-4 decision, Carpenter marks a significant development for both the third-party doctrine and in the privacy space more generally. Carpenter signals a change in the Court’s traditional view of the third-party doctrine and highlights the ubiquity and all-encompassing nature of CSLI in the process. The petitioner, Timothy Carpenter, was convicted for his […] Read more

Oregon and Arizona Amend Breach Notification Laws

Posted on: 25 Jun 2018

Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies that handle the personal data of Oregon residents. Oregon Broadened Definition of Personal Information Like […] Read more

Chicago City Council Considers Data Collection and Protection Legislation

Posted on: 21 Jun 2018

Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications. Consent requirements The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the […] Read more

Article 29 Working Party Issues Guidance on Administrative Fines

Posted on: 02 Nov 2017

The Article 29 Working Party (“WP29”) recently issued much-anticipated guidance on administrative sanctions under the General Data Protection Regulation (the “GDPR”). This guidance focuses on the holistic factors which Supervisory Authorities (the “SAs”) are to use in issuing assessments for violations of the GDPR. These factors make clear that WP29 views sanctions issued under the GDPR as a key deterrent and enforcement mechanism. Context Article 83 of the GDPR states the general conditions for imposing fines for non-compliance. These fines must be “effective, proportionate […] Read more

Data Monetization and State Privacy Laws

Posted on: 15 Jun 2017

On June 8, magazine publisher Trusted Media Brands, Inc. settled a class action lawsuit for $8.2 million after purportedly disclosing the personal information and magazine choices of customers to third parties.  The lawsuit, Taylor v. Trusted Media Brands, Inc., No. 7:16-cv-01812 (S.D.N.Y. June 8, 2017), alleged that the publisher’s actions violated Michigan’s Video Rental Privacy Act (VRPA), demonstrating the sometimes hidden legal risks of data monetization. VRPA, inspired by the federal Video Privacy Protection Act, was passed in 1988 and applies to the purchase, rental, or borrowing […] Read more

President Trump Signs Long-Awaited Cyber Executive Order

Posted on: 17 May 2017

On May 11, 2017, President Trump signed a long-awaited executive order on cybersecurity (the “Order”).  The Order directs executive agencies to complete a risk management report based on the NIST Cybersecurity Framework (the “Framework”) and also requires the Department of Homeland Security (DHS) and other agencies to undertake activities in support of effective cybersecurity risk management for operators of critical infrastructure.  More generally, the Order directs several agencies to submit reports to the President on a varied set of cybersecurity-related topics.  These measures demonstrate […] Read more

Outbreak of “WannaCry” and “Wanna Decryptor” Ransomware Affects Companies Across the Globe

Posted on: 14 May 2017

On Friday, May 12, companies in countries across the globe witnessed an unprecedented malware outbreak as ransomware labeled “WannaCry” and “Wanna Decryptor” infected a large range of critical systems. The malware exploits a vulnerability in older versions of Microsoft’s Windows, locks the systems it infects, and threatens to delete files unless a bitcoin ransom is paid. What happened? An attacker or group of attackers unleashed a wave of ransomware infections beginning on Friday, May 12. More so than previous attacks, this outbreak resulted in substantial disruption to regular […] Read more