Privacy & Cybersecurity

In Part 5 of our Roadmap Series, we take a closer look at COVID-19 screening and testing, including best practices and legal implications, as potential tools to maintain a safe workplace.

As we previously discussed, FINRA issued guidance to member firms and their associated persons in April 2020 to remain “vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events.”

The organization known as Californians for Consumer Privacy announced yesterday that it successfully secured enough signatures to qualify adding the California Privacy Rights Act (“CPRA”) to the state’s November 2020 ballot. The group’s founder Alastair Mactaggart is a well-know public figure who was the driving force behind the infamous California Consumer Privacy Act of 2018 (the “CCPA”), which just went into effect in January.

We have been discussing the abrupt roll-out of remote workforce capabilities both in this space and in our recent webinar. As companies raced to get employees up and running remotely, business continuity was the primary focus, while privacy and cybersecurity issues likely took a backseat.

Kestra Investment Services LLC (“Kestra”) was fined $125,000 by FINRA for sharing personal customer data with a third-party vendor.

The Coronavirus Aid, Relief and Economic Security (“CARES”) Act has created a flurry of far reaching considerations for affected businesses, ranging from tax, employment, and even telehealth.

The New York Department of Financial Services (“NYDFS”) recently issued new guidance to regulated entities regarding cybersecurity awareness during the COVID-19 pandemic - citing a significant increase in cybercrime and criminals seeking to exploit the pandemic.

The Mintz Privacy team has been tracking privacy issues related to COVID-19. We have been featured in various publications talking about cybersecurity risks, GDPR regulations, the California Consumer Privacy Act, and more.

If your company is marketing any smart device, particularly if the device is involved with home security and collects personal information from users, it’s time to pay attention to the story of Tapplock. Tapplock, Inc. (“Tapplock”), is a Canadian Internet of Things (“IoT”) company that sells fingerprint-enabled padlocks that are connected to the Internet (“smart locks”).

We recently provided some insights regarding how countries across the world are using data to fight COVID-19. The United States Senate, Committee on Commerce, Science, and Transportation, has recently conducted a hearing with witnesses from academia, industry, and interested organizations on “Enlisting Big Data in the Fight Against Coronavirus.”

The US Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security has issued a rare joint alert with the UK’s National Cyber Security Centre (NCSC) regarding coronavirus-related threats. The alert warns that cybercriminals and nation -state hackers are trying to take advantage of the pandemic for criminal gain.

The COVID-19 pandemic and resulting office shutdowns has required many organizations to quickly transition to remote working environments. Going remote often requires a number of technology solutions and tools such as video conferencing, email, cloud file storage, file sharing, chat and communication platforms, and remote desktop applications, just to name a few.

The NYDFS has announced that it has extended the deadline for compliance with certain cybersecurity requirements due to the coronavirus emergency. The announcement from the Superintendent of Financial Services of the State of New York recognizes that COVID-19 may present compliance challenges for regulated entities and covered persons in meeting reporting obligations.

K-12 schools, colleges, and universities around the country have shuttered their doors—most, for the rest of the academic school year—in response to the COVID-19 pandemic.  Educational institutions are in uncharted waters, but most are rising to the occasion to provide engaging and robust online curricula to keep students educated and entertained.

The COVID-19 global pandemic presents unique legal and practical challenges for companies across all industries, including with respect to privacy and cybersecurity risks and protections. Join Mintz, ML Strategies, and one of our industry partners, The Crypsis Group, for a webinar addressing these critical issues and the dynamic and evolving cybersecurity threats.

While many companies around the world are coping with a global pandemic, some are facing additional challenges in light of a looming deadline triggered by the California Consumer Privacy Act (“CCPA”).  Citing #covid19 concerns, a coalition of more than 60 such companies made a plea this week to California’s Attorney General Xavier Becerra (“AG”) to delay the AG’s enforcement of the CCPA.

Although it may not seem like it, there are privacy-related issues to discuss beyond COVID-19.   Before the state of emergency, we saw the first complaint under the California Consumer Privacy Act (CCPA) filed in a California federal court.  This action, styled as Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. March 10, 2020)[LINK TO PDF], arose from a data breach, which allegedly exposed highly sensitive personal and medical information of thousands of patients of Sunshine Behavioral Health Group (“Sunshine”).

With the advent of COVID-19, countries around the world are facing a novel challenge that affects them in unprecedented ways economically, socially, and otherwise.  From a public health perspective, now perhaps more than ever before, authorities are interested in understanding more about the movement patterns of those within their borders, including where certain individuals have traveled to, who they have met with, and where they are located now.  

Companies with employees in multiple European locations may well be feeling challenged both in keeping up with public health-driven guidance – and more recently, mandates – relating to the SARS-COV2 risks in the workplace.  On top of extraordinarily urgent efforts to limit the spread of the novel coronavirus while maintaining as much business continuity as possible, companies have legitimate concerns about their data protection obligations under the General Data Protection Regulation (GDPR) and national employment laws.

The Financial Industry Regulatory Authority (FINRA), the independent nongovernmental organization that writes and enforces the rules governing U.S. registered brokers and broker-dealers, has issued guidance to its member firms regarding pandemic-related planning.