As consumer demand for new artificial intelligence (“AI”) tools continues to grow, businesses must be prepared to build tools with “privacy by design” principles in mind, and to remain educated about privacy best practices and risk mitigation strategies when working with AI. The following areas provide the greatest opportunities to manage data privacy risks and

Earlier this month, the Oregon state legislature introduced Senate Bill (SB) 619, “relating to protections for the personal data of consumers.”  The bill has since been referred to the Senate Committee on Judiciary and the Joint Committee on Ways and Means.  Of course, Oregon would not be the first state to enact general, or omnibus, privacy legislation; to date, five states (California, Virginia, Colorado, Connecticut, and Utah) have done so, with the first two operative as of today.  Likewise, Oregon is not the only state to introduce new omnibus privacy legislation this month.  The introduction of this bill (and other general state privacy legislation) remains significant because the prospect for omnibus federal privacy legislation (in the near term) fizzled out when the 117th Congress adjourned.   

No bill exists in a vacuum.  Structurally, SB 619 generally follows the Virginia Consumer Data Protection Act (VCDPA), as do the laws enacted by Colorado, Connecticut, and Utah. 

SB 619 is only 17 pages long, not as slim as the VCDPA (8 pages), but not as bulky as the California Consumer Privacy Act (59 pages).  Unlike the CCPA, SB 619 does not reference any implementing regulations; however, implementing regulations could be added.

As with any omnibus state privacy bill, the proposed legislation raises some key questions:

Continue Reading A New Consumer Data Protection Bill in Oregon: A Summary of SB 619

To say that class action litigation regarding the use or collection of “biometric information” – such as fingerprints, face records, or voice records – is expensive would be a gross understatement.  The damages sought, and sometimes recovered, in litigation under the Illinois Biometric Information Privacy Act and similar laws that impose statutory penalties can be

If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook.  As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, data becomes more readily available, and the volume of incidents

It’s a great time to be a privacy attorney.  On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications.  Two days of public hearings were recently held on October 21-22

In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records.  It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed.  It is also the most well known and heavily litigated of a slew of newly enacted, or soon to be passed, state and local laws aimed to regulate biometric information.

Many Illinois defendants had hoped that their liability under BIPA could be limited because, they argued, a one-year statute of limitations should apply to BIPA claims.  But, in a recently issued decision, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the Illinois Court of Appeals rejected this position for a majority of BIPA claims.  It held that a five-year statute of limitations applies to the most frequently cited sections of the statute.
Continue Reading Illinois Court of Appeals: Statute of Limitations for Most Biometric Privacy Claims Remains at Five Years

The U.S. Department of Education released some FAQs related to the Family Educational Rights and Privacy Act (FERPA) and corona virus. The Department’s Student Privacy Policy Office prepared the FAQs to assist officials in educational agencies and institutions such as school districts, schools, colleges and universities in managing public health issues related to COVID-19 while

As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities.

What the PF Does

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as ’banking

For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”

These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.

With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.

Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]

In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]

The CSF can be found here: https://www.nist.gov/cyberframework.

Continue Reading Achieving Industry Standards