China Passes Personal Information Protection Law

On August 20, 2021, the Standing Committee of the National People’s Congress promulgated the Personal Information Protection Law (PIPL), which will become effective on November 1, 2021. The PIPL is the first comprehensive national-level personal information protection law in China, and it systematically regulates the processing of personal information by entities and individuals. The PIPL, together with the Cybersecurity Law, which was promulgated in 2017, and the Data Security Law, which was promulgated earlier this year, forms the three pillars of China’s comprehensive data protection legal regime.

This Alert provides a summary of the highlights of the PIPL, discusses the implications for domestic and foreign businesses operating in China, and compares the PIPL with the European Union (EU) General Data Protection Regulation (GDPR), which has greatly influenced many of the concepts included in the PIPL.

On June 3, 2021, in a 6-3 decision that created a diverse majority, uniting the most recent conservative additions (Justices Barrett, Kavanaugh, and Gorsuch) with the more liberal Justices Breyer, Sotomayor, and Kagan, the Supreme Court resolved a split among the circuit courts regarding the Computer Fraud and Abuse Act (the CFAA). The language of the CFAA creates civil and criminal liability for intentional access of a computer if that access is either “without authorization” or “exceeding authorized access.” In Van Buren v. United States, the Supreme Court granted review to determine whether someone who was authorized to use a computer system exceeded authorized access under the CFAA by using that computer system to access information for an unauthorized purpose. Justice Barrett wrote the majority opinion, which determined that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

A recent SEC settlement has again demonstrated the Commission’s continued attention to public companies’ disclosures of cybersecurity incidents and its commitment to a broad notion of what constitutes such an incident. On August 16, the SEC entered a settlement agreement with Pearson plc, a UK-based educational publishing company that is publicly traded on both the London Stock Exchange and New York Stock Exchange via ADRs. While Pearson made no admissions in the agreement, it will pay a $1 million civil penalty to settle the SEC’s allegations that Pearson misled investors in its disclosures related to a 2018 cybersecurity breach.

Five key aspects of this settlement merit attention from a cybersecurity perspective because they are arguably more aggressive than the practices that have developed under state data breach laws:


Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

The FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers, an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.

De-stressing Distress Disputes

There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.

In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC World and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.

Best Practices to Avoid Tax-Related Identity Theft

What Is Tax-Related Identity Theft?

Fraudulent tax refunds issued as a result of identity theft occur when an individual steals a victim’s personally identifiable information (PII), such as a Social Security number (SSN), and files a tax return claiming to be the victim. More than 89,000 Americans filed complaints with the Federal Trade Commission (FTC) reporting tax fraud linked to identity theft in 2020. Similarly, businesses may also fall victim to tax fraud, where an individual steals a business’s employer identification number (EIN) to file fraudulent returns. In both scenarios, the victims usually discover they have fallen victim to such fraud when their tax returns are rejected, or when the business receives notice about Forms W-2 it did not file with the Social Security Administration or notices of balances due to the Internal Revenue Service (IRS) that are not owed. Most frequently, neither businesses nor individuals will have any reliable information as to how their information was exposed. The IRS has noted that such tax fraud tends to increase during tax season and in times of crisis, and cybercriminals have undeniably taken advantage of the COVID-19 pandemic to unleash an unprecedented number of tax fraud schemes to steal information from taxpayers.

Colorado Privacy Law Signed Into Law

On July 8, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (the “Colorado Law”), a comprehensive privacy law that will take effect on July 1, 2023. Colorado is the third U.S. state to pass a comprehensive privacy law, following California (the CCPA, as modified by the CPRA) and Virginia (the CDPA).

The Colorado Law generally resembles both the California and Virginia privacy laws, but more closely tracks the Virginia CDPA in terms of structure, approach, and language. The Colorado Law also contains some notable deviations from both laws, including novel provisions regarding a mandatory universal opt-out mechanism for targeted advertising or sales of personal data.

Five Key Takeaways from President Biden’s Executive Order on Cybersecurity

Following months of cyber-attacks from nation states, President Biden issued an executive order that may usher in a new era in the federal government’s approach to cybersecurity. The Executive Order, which the White House had indicated was forthcoming for several weeks, represents the Biden administration’s first step in taking decisive action to remedy systemic vulnerabilities that were discovered in the wake of recent cybersecurity attacks from nation-states like Russia and China, and to prevent similar attacks that could affect federal agencies and critical supply-chain infrastructure in the future. The extensive order leverages the federal government’s significant role as a purchaser of cybersecurity goods and services in order to make its effects felt on the private sector. It focuses on five key objectives:

COVID-19 Vaccination Booking Site May Reveal Vaccination Status

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number or by entering certain basic personal data (including names, dates of birth and postcodes). The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided depending on whether the individual has received no vaccinations, one vaccination, or both.