Privacy & Cybersecurity
Viewpoints
Filter by:
European Commission Adopts New Service Providers Standard Agreement (Controller-Processor SCCs)
June 8, 2021 | Blog
The new standard agreement for service providers (which we’ll refer to as the Controller-Processor SCCs) adopted by the European Commission on June 4th was understandably a bit overshadowed by the release on the same date of the Standard Contractual Clauses for data transfers. But the new Controller-Processor SCCs, which organizations can use with their service providers to meet their GDPR Article 28 obligations, is another welcome addition to the EU’s small but growing library of standard documents.
Read more
Transferring Personal Data from Europe – Working with the New Standard Contractual Clauses and Getting to Grips with Your Schrems II Assessment
June 4, 2021 | Advisory | By Cynthia Larose
This alert covers the European Commission’s updated Standard Contractual Clauses (SCCs), the most commonly used legal mechanism for transferring personal data from the European Union to non-EEA countries
Read more
European Commission Adopts Final Version of New Data Transfer Agreement (SCCs)
June 4, 2021 | Blog
The European Commission has adopted (at long last) an updated version of the Standard Contractual Clauses (SCCs), bringing this popular data transfer mechanism in line with the GDPR – and, we hope, the Schrems II decision. The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”), so the new SCCs are very big news for organizations that transfer or receive personal data from the EEA (that is, the European Union plus Norway, Iceland and Liechtenstein).
Read more
White House to Business: “Take Ransomware Crime Seriously”
June 3, 2021 | Blog | By Cynthia Larose
As we come out of the COVID-19 pandemic, it appears that another type of infection is threatening business and ransomware continues to spread.
Read more
CCPA Breach Class Action Settlement About to Get “Minted”
May 20, 2021 | Blog | By Cynthia Larose, Matthew Novian
Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and over 100 class actions referencing the CCPA have been filed to date, very few class actions have actually made their way to court approval. That is about to change.
Read more
Cyber Policy Legislative Tracker
May 5, 2021 | Resources | By Alexander Hecht, Christian Tamotsu Fjeld
The bills listed reflect a relatively active cybersecurity agenda for the 117th Congress. As reflected in the proposed legislation, many Members are interested in focusing federal policy on matters such as supply chain security, cyber workforce training, and international competitiveness, particularly with China. The most ambitious bill may be the Endless Frontiers Act, which would establish a Directorate for Technology and Innovation within the National Science Foundation and further establish regional hubs (i.e., partnerships between government, private, and academic stakeholders) to drive R&D and commercial innovation in key areas of technology. Endless Frontiers could be the centerpiece of a legislative agenda to ramp up the U.S.’s technological competitiveness with China. The Senate Commerce Committee was scheduled to mark-up the bill last Wednesday, but it was pulled after over 230 amendments were reportedly filed, and Members failed to garner a critical mass of bipartisan support. The committee will likely work through the recess to seek bipartisan agreement for passage.
Read more
US State Privacy Law Check-In - UPDATE
May 4, 2021 | Blog | By Christopher Buontempo, Cynthia Larose
In a previous update, we provided a comprehensive round-up of several notable pending US state privacy laws. We are checking-in on the progression of some of those laws in this further update. The next installment will update the remaining state laws in progress.
Read more
Beware Dark Patterns – What are They and What Should Your Business Do About Them?
April 2, 2021 | Blog
While the term “dark patterns” is not new, it has recently been getting a more attention, not least because the newly passed California Privacy Rights Act (“CPRA”) will regulate dark patterns. In this article, we will focus on what dark patterns are, how your business should be thinking about them, and how CPRA is approaching this issue.
Read more
Hearings on the SolarWinds Hack and Possible Policy Responses
March 4, 2021 | Blog | By Christian Tamotsu Fjeld
The 117th Congress kicked off its First Session with, among other initiatives, oversight hearings on the SolarWinds cyber hack. On February 23, the Senate Intelligence Committee held a hearing on the high profile, far-reaching breach; followed by a joint hearing on February 26 in the House of Representatives held by the Oversight and Reform and Homeland Security Committees. At both hearings, Sudhakar Ramakrishna, President and CEO of SolarWinds, Kevin Mandia, CEO of FireEye, and Brad Smith, President and Chief Legal Officer of Microsoft, testified. In addition, George Kurtz, the President and CEO of Crowdstrike, testified at the Senate Intelligence hearing, while Kevin Thompson, the former CEO of SolarWinds, testified in front of the joint House hearing. Together, the hearings represent what will likely be the first of several congressional forays into the SolarWinds hack, including possible legislative initiatives to address future possible incidents and supply chain security.
Read more
Virginia Passes Comprehensive Data Privacy Law – Mintz’s Hot Take
March 3, 2021 | Blog | By Cynthia Larose, Christopher Buontempo
On Tuesday, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second U.S. state after California to pass a comprehensive data privacy law. While not quite as expansive as the GDPR in every respect, the CDPA is a very broad-based privacy law that is on par with the California Consumer Privacy Act. Below, we break down some of its key elements.
Read more
It’s Not Such a Breeze: Assessing Your Service Providers after SolarWinds
March 2, 2021 | Blog | By Michael Graif, Cynthia Larose
In the recent SolarWinds hack, the routine task of downloading a software update turned into a cybersecurity nightmare for over 18,000 organizations including the Treasury Department, AT&T and up to 85% of Fortune 500 companies. New York has the SHIELD Act, a statute that requires that organizations select third party service providers “capable of maintaining appropriate cybersecurity safeguards”.
Read more
Virginia Consumer Data Protection Act Awaits Governor’s Signature -- Consumer Reports Proposes “Model State Privacy Act”
February 26, 2021 | Blog | By Cynthia Larose
We summarized Virginia’s Consumer Data Protection Act (CDPA) in advance of its passage by the legislature and it now awaits Governor Ralph Northam’s signature. This will make Virginia the second state (behind California) with a comprehensive state data privacy law. There are some key differences between the Virginia CDPA and the California Consumer Privacy Act and Consumer Privacy Rights Act (CPRA). We will have a full analysis of the Virginia CDPA next week, so watch this space.
Read more
European Commission Publishes Draft Adequacy Decision for Transfers of Personal Data from the EU to the UK
February 19, 2021 | Blog
In a solid step forward for EU to UK personal data transfers, the European Commission has published its draft adequacy decision that will (if finally adopted) permit personal data to flow freely from the EU to the UK.
Read more
The Ongoing March toward Privacy Law in the US – A State Legislative Roundup
February 16, 2021 | Blog | By Cynthia Larose, Christopher Buontempo
Based on what we are already seeing in terms of the impressive volume of state-level proposed privacy legislation in the early days of 2021, it appears that we may see a big year for US privacy law. Below is a sampling of where things stand in Virginia, Washington, New York, Minnesota, Oklahoma, Utah, and North Dakota.
Read more
Webinar Recording: How to Assess US National Security Laws and Explain Them to Your EU Data Exporters: Satisfying the New Due Diligence Requirements After Schrems II
February 2, 2021 | Webinar | By Cynthia Larose
Watch this webinar by Cynthia Larose and Susan Foster as they explore the key US national security laws that need to be taken into account, how to evaluate whether those laws potentially affect the personal data in question, potential risk mitigation measures, and how European data exporters and US data importers can work together to address these issues.
Read more
Happy Data Privacy Day!
January 28, 2021 | Blog | By Cynthia Larose
January 28 is known worldwide as “Data Privacy Day” or “Data Protection Day,” and it’s a good opportunity to remind everyone of some privacy basics – particularly as people are still working remotely and threats to information and security increase. Privacy and data protection is no longer “nice to have”. It is business imperative.
Read more
Fifth Circuit Vacates $4.3M HIPAA Penalty and Potentially Opens the Door for Future HIPAA Enforcement Challenges
January 25, 2021 | Blog | By Dianne Bourque
With a notably sharply worded opinion, the Fifth Circuit recently vacated over $4.3 million in penalties levied against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) by the Department of Health and Human Services (HHS) for a series of alleged HIPAA violations. The case stems from three separate incidents that occurred between 2012 and 2013. In two instances, M.D. Anderson workforce members lost unencrypted protected health information (PHI), while the third incident involved the theft of a faculty member’s laptop also containing unencrypted PHI. On appeal, the Fifth Circuit concluded that HHS’s civil monetary penalties order against M.D. Anderson was arbitrary, capricious, and contrary to law, vacating the penalties and pointedly criticizing the agency’s actions and arguments in this matter.
Beyond its harsh words for HHS, this opinion is notable for calling into question some longstanding HHS enforcement practices and interpretations of the HIPAA regulations. The opinion also makes clear that regulated entities should check the math when HHS levies a fine. Although limited in its precedential authority, the Fifth Circuit’s opinion, at the very least, gives HIPAA-regulated entities some new food for thought if faced with an HHS enforcement action.
Read more
Beyond its harsh words for HHS, this opinion is notable for calling into question some longstanding HHS enforcement practices and interpretations of the HIPAA regulations. The opinion also makes clear that regulated entities should check the math when HHS levies a fine. Although limited in its precedential authority, the Fifth Circuit’s opinion, at the very least, gives HIPAA-regulated entities some new food for thought if faced with an HHS enforcement action.
Action Items on Technology and Communication Policies in front of the Senate Commerce Committee
January 14, 2021 | Blog | By Christian Tamotsu Fjeld, Christopher Harvie
Transferring Personal Data from the EU to the UK: Interim Solutions
January 13, 2021 | Blog
The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.
Read more
Vendor Management Fail: FTC Settles with Mortgage Analytics Company following Vendor Security Issues
January 11, 2021 | Blog | By Christopher Buontempo, Cynthia Larose
An oft-used business management concept is to “hire people smarter than you.” The concept also applies to hiring vendors – hire vendors that are better than you (especially when it comes to information security). Texas-based Ascension Data & Analytics LLC (Ascension), a technology and data analytics company used by the mortgage industry, did not utilize that concept in its vendor hiring process, and as a result, recently entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following charges that it violated the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule by failing to ensure that its third-party vendor adequately protected mortgage holder personal information.
Read more
Explore Other Viewpoints:
- Antitrust
- Appellate
- Arbitration, Mediation & Alternate Dispute Resolution
- Artificial Intelligence
- Awards
- Bankruptcy & Restructuring
- California Land Use
- Class Action
- Complex Commercial Litigation
- Construction
- Consumer Product Safety
- Cross-Border Asset Recovery
- Debt Financing
- Direct Investing (M&A)
- Diversity
- EB-5 Financing
- Education & Nonprofits
- Employment, Labor & Benefits
- Energy & Sustainability
- Environmental Enforcement Defense
- Environmental Law
- FDA Regulatory
- Federal Circuit Appeals
- Financial Institution Litigation
- Government Law
- Growth Equity
- Health Care
- Health Care Compliance, Fraud and Abuse, & Regulatory Counseling
- Health Care Enforcement & Investigations
- Health Care Transactions
- Health Information Privacy & Security
- IP Due Diligence
- IPRs & Other Post Grant Proceedings
- Immigration
- Insolvency & Creditor Rights Litigation
- Institutional Investor Class Action Recovery
- Insurance & Financial Services
- Insurance Consulting & Risk Management
- Insurance and Reinsurance Problem-Solving & Dispute Resolution
- Intellectual Property
- Investment Funds
- Israel
- Licensing & Technology Transactions
- Life Sciences
- Litigation & Investigations
- M&A Litigation
- ML Strategies
- Medicare, Medicaid and Commercial Coverage & Reimbursement
- Mergers & Acquisitions
- Patent Litigation
- Patent Prosecution & Strategic Counseling
- Portfolio Companies
- Privacy & Cybersecurity
- Private Client
- Private Equity
- Pro Bono
- Products Liability & Complex Tort
- Projects & Infrastructure
- Public Finance
- Real Estate Litigation
- Real Estate Transactions
- Real Estate, Construction & Infrastructure
- Retail & Consumer Products
- Securities & Capital Markets
- Securities Litigation
- Special Purpose Acquisition Company (SPACs)
- Sports & Entertainment
- Strategic IP Monetization & Licensing
- Tax
- Technology
- Technology, Communications & Media
- Technology, Communications & Media Litigation
- Trade Secrets
- Trademark & Copyright
- Trademark Litigation
- Venture Capital & Emerging Companies
- White Collar Defense & Government Investigations
- Women's Health and Technology