The U.S. Court of Appeals for the Eleventh Circuit recently issued its opinion in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission (FTC) order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which time LabMD became defunct—and its holding, which […]
Board Governance & Cyber Risk Management
Landmark New Privacy Law in California to Challenge Businesses Nationwide
Following our June 4 and July 2, 2018 blog posts tracking California’s November 2018 ballot measure turned hastily enacted new California privacy law titled The California Consumer Privacy Act of 2018 (CCPA), Alston & Bird’s Privacy & Data Security Group released a more detailed “first look” review of California’s sweeping new law. The advisory provides an overview of […]
German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided
Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization. On this blog, we have outlined the items we have seen as particularly time- or […]
GDPR Fragmentation May Appear More Significant than Intended
With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in […]
Oregon and Arizona Amend Breach Notification Laws
Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified […]