Regulatory Enforcement

NYDFS Releases Consent Order in First Enforcement Action Brought Under the Cybersecurity Regulations

December 18, 2023 By Kate Hanniford, Lance Taubin, Ashley Miller and Kristen Bartolotta

After a three-year investigation/enforcement action by the New York Department of Financial Services (“NYDFS”), NYDFS entered into a Consent Order with a large title insurer (the “Company”) for its violation of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500) (the “Regulation”), specifically, its failure to protect non-public information (“NPI”). NYDFS originally brought the enforcement action in […]

Colorado AG Publishes Shortlist of Universal Opt-Out Mechanisms

November 21, 2023 By Daniel Felz and Hyun Jai Oh

On November 21, 2023, the Colorado Attorney General (the “AG”) published a shortlist of potential universal opt-out mechanisms (“UOOMs”) that the AG is considering recognizing as binding under the Colorado Privacy Act (the “CPA”). Beginning on July 1, 2024, the CPA will require covered controllers to comply with Colorado consumers’ requests to opt out of […]

New York Continues to Focus on Companies’ Data Security Practices

October 6, 2023 By Kim Peretti and Kristen Bartolotta

New York Attorney General Letitia James recently announced two agreements related to data breaches with entities that operate in the education industry. In both instances the entities paid the ransom and received evidence of deletion of the stolen data. Most recently, on October 5, 2023 the Office of the Attorney General (OAG) announced a $49.5 […]

Oregon Becomes the Fourth State to Enact a Data Broker Law

August 11, 2023 By Maki DePalo and Hyun Jai Oh

Oregon Governor Tina Kotek signed into law the Bill Relating to Registration of Business Entities that Qualify as Data Brokers (HB 2052) (the “Act”) on July 27, 2023. Effective January 1, 2024, the Act will require data brokers to annually register with the Oregon Department of Consumer and Business Services (the “Department”). The Act makes […]

EU Standard Contractual Clauses (SCCs) Deadline is Looming

November 28, 2022 By Wim Nauwelaerts and Paul Greaves

Companies relying on the SCCs as a data transfer tool have less than a month to update their existing contracts (if they haven’t done so already). WHAT HAPPENED? The EU General Data Protection Regulation (GDPR) allows companies that want to transfer personal data protected by the GDPR to third countries outside the EU/EEA to do […]