Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to

In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1.  A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.


Continue Reading Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs.  Capital One had contended that the report is protected attorney work product and that it shouldn’t have to.  The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed.  In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling:
Continue Reading Court Orders Disclosure of Capital One’s Incident Report

A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1]  In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems.  Within days, millions of computers were infected as the virus compromised files and caused widespread email outages.  The virus appeared in inboxes as fake messages with infected attachments:

Since then, scores of novel viruses have been deployed as destructive malware.  The ILOVEYOU virus, MyDoom worm, SOBig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages.  As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.
Continue Reading Is Your Incident Response Plan Ready for Novel Computer Viruses?

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has

The U.S. Department of Education released some FAQs related to the Family Educational Rights and Privacy Act (FERPA) and corona virus. The Department’s Student Privacy Policy Office prepared the FAQs to assist officials in educational agencies and institutions such as school districts, schools, colleges and universities in managing public health issues related to COVID-19 while

According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks  where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware

Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2]

But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”),[3] if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program it has an affirmative defense to a civil tort claim.
Continue Reading Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.