Earlier this month, the Oregon state legislature introduced Senate Bill (SB) 619, “relating to protections for the personal data of consumers.” The bill has since been referred to the Senate Committee on Judiciary and the Joint Committee on Ways and Means. Of course, Oregon would not be the first state to enact general, or omnibus, … Continue Reading
To say that class action litigation regarding the use or collection of “biometric information” – such as fingerprints, face records, or voice records – is expensive would be a gross understatement. The damages sought, and sometimes recovered, in litigation under the Illinois Biometric Information Privacy Act and similar laws that impose statutory penalties can be … Continue Reading
If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook. As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, data becomes more readily available, and the volume of incidents … Continue Reading
It’s a great time to be a privacy attorney. On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications. Two days of public hearings were recently held on October 21-22, … Continue Reading
In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records. It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed. It is also … Continue Reading
The U.S. Department of Education released some FAQs related to the Family Educational Rights and Privacy Act (FERPA) and coronavirus. The Department’s Student Privacy Policy Office prepared the FAQs to assist officials in educational agencies and institutions such as school districts, schools, colleges and universities in managing public health issues related to COVID-19 while … Continue Reading
As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities. What the PF Does The … Continue Reading
In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge. Used primarily as “banking Trojans” … Continue Reading
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?” These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a … Continue Reading
The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information … Continue Reading
This past Wednesday, the Senate Commerce Committee held another hearing on consumer data privacy, this time giving voice to prominent privacy advocates. Previous testimony in September from leading technology businesses focused on concerns with the complexity of having to comply with a patchwork of different state privacy regulations, broad definitions of “personal information” in the … Continue Reading
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced recently that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. According to NIST Director Walter G. Copan, “The development of a privacy framework through an open process of stakeholder engagement is intended to … Continue Reading
As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web; to the point that 40% of all email being sent, and 99% of the majority of the emails you receive (newsletters, marketing materials, notifications and transactional emails) are now being tracked. … Continue Reading
According to a recent Genpact study: nearly two-thirds of consumers (63%) are worried that Artificial Intelligence is going to make decisions that will impact their lives without their knowledge; less than one-third (30%) are at least “fairly comfortable” with the idea of companies using AI to access their personal data; almost three-quarters (71%) say they … Continue Reading
Per the Freedom of Information Act, US citizens have the right to access information from the federal government. We can visit Data.gov to search the more than 197,000 datasets currently indexed on the site. While the intent is to leverage that data for the public good, there’s also an enormous amount of information available … Continue Reading
CNIL, the French DPA, published a new Compliance Pack called “Connected Vehicles: A Compliance Pack for Responsible Data Use” on October 17, 2017. CNIL broke its guidance into three scenarios: (1) personal data remains in the car; (2) personal data is transmitted externally to provide a service to the individual; (3) personal data is transmitted outside to trigger … Continue Reading
The Article 29 Working Party published two Guidelines related to GDPR: (1) Guidelines on Personal data breach notification under Regulation 2016/679, wp250; and (2) Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, wp251. The Guidelines are open for comments until November 28, 2017. Comments should be sent to JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr. … Continue Reading
We received a proposed data breach bill (available here) recently circulated in Salem. This draft is a variant of Oregon House Bill 2581 that died in committee. That bill would have required, among other things, merchants impacted by security breaches to notify issuing banks of all the credit cards subject to the breach. Compared to … Continue Reading
Facebook’s experience with regulators is a cautionary tale. Several European Union Data Protection Authorities formed a Contact Group to coordinate their investigations of Facebook. The moral of this story is that when one regulator in the EU becomes interested in reviewing privacy compliance, do not be surprised if there are soon several DPAs who coordinate … Continue Reading
Should I Place A Fraud Alert vs. Security Freeze? As a privacy professional, almost all your fellow employees were affected by the Equifax data breach. You may be asked about whether to place a fraud alert or a security freeze. You can send this guidance from the FTC on the difference between fraud alerts and … Continue Reading
Yawn – Another Company Failed to Patch. Wait! 144 Million Affected? A PR Disaster? Failure to promptly patch is an incredibly common cause of data breaches. Learn from Equifax’s situation about patching and communication. Boards, Senior Management and privacy personnel should confirm that patches are applied promptly. Also, when breaches occur, hire and listen to … Continue Reading