Privacy & Cybersecurity

Connecticut Governor Ned Lamont has signed the country’s fifth comprehensive consumer privacy act. Our breakdown below outlines key concepts on how the Connecticut Data Privacy Act (CDPA) will impact businesses, and several notes about how its provisions compare to other US state privacy laws.

Ransomware is the “business pandemic.” Warnings have been issued by multiple agencies around the world to alert businesses to increase their protection and awareness. Most recently, the Department of Health and Human Services (HHS) has issued a warning to health care organizations related to what it calls “an exceptionally aggressive” ransomware group known as Hive.

On March 21, President Biden warned U.S. companies to be on guard against Russian cyberattacks, citing intelligence as a call to action.

Utah is on the brink of joining California, Colorado, and Virginia to become the fourth state in the US to enact a major comprehensive privacy law.  On February 25, the Utah Senate passed the Utah Consumer Privacy Act (“UCPA”), and on March 2, it was passed by the Utah House. The Mintz privacy team has reviewed the UCPA for answers to business’ most pressing questions about how this new law will affect them if it is enacted.

Facebook’s parent company Meta has agreed to settle one of the longest-running data privacy lawsuits in the country for $90 million. This dispute, originally filed in 2012 in a total of 21 related cases, alleged that Facebook continued to track its users even after they logged out of the social media platform. Specifically, the plaintiffs’ alleged that Facebook used cookies and various plug-ins in order to track and save information about its users’ visits to third-party websites and then sold to advertisers.

This alert covers the UK’s new international data transfer agreement and the implications for parties that transfer or receive personal data from the United Kingdom.

The UK Information Commissioner’s Office (ICO) has just published the final form of its much-anticipated new International Data Transfer Agreement (IDTA), along with a separate addendum to the EU SCCs (SCCs Addendum). The IDTA and the SCCs Addendum offer important alternative ways to ensure that UK personal data is adequately protected when exported from the UK. They have been laid before Parliament and, assuming there are no objections from MPs, will go into effect on March 21, 2022.

Data Privacy Week kicked off with a major message for US publicly-traded companies: the Securities and Exchange Commission will be looking at cybersecurity. SEC Chairman Gary Gensler asked SEC staff to make recommendations regarding companies’ cybersecurity practices and risk disclosures. Gensler also indicated that he will also be considering whether companies should update disclosures to investors when cyber events occur.

Read about key regulatory and other developments, including board diversity and other ESG matters, which public companies need to consider as they prepare for their fiscal year-end SEC filings and 2022 annual shareholder meetings.

Before the holidays, we warned of a critical vulnerability in a widely-used Java logging utility that could affect tens of thousands of companies.   Since that original alert, multiple US and foreign government cybersecurity agencies published a joint advisory and guidance for affected organizations recommending that patches or workarounds be applied immediately to mitigate the vulnerabilities and exposure.   The US Cybersecurity and Infrastructure Security Agency also ordered US federal civilian executive branch agencies to patch within days of the order. 

Unauthorized use of a trademark on the Internet occurs often and in many forms, usually involving the profiting, whether intentionally or unintentionally, from the goodwill associated with a trademark belonging to someone else. Such use, however, does not always rise to the level of trademark infringement. Unauthorized use of a trademark is only infringing if the particular use causes likely confusion among consumers. The most common type of confusion is confusion over source, which occurs at the time of purchase, but confusion can also arise as to affiliation, connection, or sponsorship, and confusion does not necessarily need to occur at the time of purchase.

CVE-2021-44228 — dubbed Log4Shell — can easily be exploited to gain complete access to the targeted system by getting the application to log  a specially crafted string. Government organizations and the private sector are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.

Our Mintz Matrix has been updated to reflect the new 2021 requirements and should be a part of your information security toolbox.

Vice President of ML Strategies Christian Fjeld provided insights for a feature article published by The National Law Review examining the privacy implications of Facebook whistleblower Frances Haugen’s testimony before a Congressional Subcommittee regarding harms perpetuated by the tech giant.

Our previous blog post on pending California privacy legislation included a prediction that has since materialized: Governor Newsom signed the Genetic Information Privacy Act (“GIPA”) on October 6, 2021, and the law will go into effect on January 1, 2022. GIPA establishes a number of mechanisms to close the existing gap in the protection of genetic information under the current framework of federal and state privacy laws. As discussed in our earlier post, GIPA contains a robust penalty structure, but it includes a number of carve-outs and does not apply to entities already subject to regulation under other health information privacy laws. Notably, GIPA does not reduce or eliminate obligations under other laws, including California’s more broadly applicable consumer privacy laws, such as the CCPA and breach notification statute, as recently amended by AB 825. Given Governor Newsom’s former concern about GIPA’s interference with mandatory COVID-19 testing reporting, the law also does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease.

Legislation is starting to move off California Governor Gavin Newsom’s desk including the Genetic Information Privacy Act, which will take effect on January 1, 2022.

California lawmakers wrapped up this year’s legislative session, passing roughly 900 bills this year. Among those were only a few privacy initiatives, which we outline here.