The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article here). The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions. Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly. Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice: Continue Reading California AG Proposes Third Amended Regulations to CCPA
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued. Continue Reading British Airways Fined £20 Million by ICO for Data Breach
The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its decision in Schrems II, invalidating the EU-U.S. Privacy Shield while conditionally approving the continued use of Standard Contractual Clauses (SCC). In a white paper published late last month, the U.S. government responded to the CJEU’s critical appraisal of American intelligence agencies’ data-collection practices by identifying Schrems II’s shortcomings and offering guidance to companies seeking to comply with it. Schrems II is problematic in various ways, the multi-agency paper concludes, but with minor adjustments, most EU-U.S. digital dealings should be able to continue as before. Continue Reading What the CJEU Missed in Schrems II: American Agencies Respond
On October 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published an advisory to alert companies on potential sanctions risks related to ransomware payments (the “Advisory”). While ransomware attacks, by design, create business critical problems requiring swift attention and remediation, the Advisory cautions that victims of ransomware attacks, and ransomware-related services providers, must balance such considerations against the risk of sanctions liability. Continue Reading Between a Rock and a Hard Place: OFAC Issues Advisory on Ransomware Payments
On September 15, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert regarding its recent observation of growing “credential stuffing” attacks against SEC-registered investment advisers and broker-dealers (“firms”). These attacks use compromised usernames and passwords from the dark web to access investors’ accounts. The increase in credential stuffing exploits presents considerable financial, legal, and reputational risks. OCIE’s alert encourages firms to consider various mitigation efforts to reduce the risk of credential stuffing, particularly the use of multi-factor authentication (MFA). Although the alert is phrased as encouragement, OCIE is certainly suggesting that the industry standard should be for firms to protect against these attacks, even though these attacks stem primarily from a client’s behavior in re-using username/password combinations and another website’s loss of that combination. Continue Reading New OCIE Guidance on Credential Stuffing Attacks
A federal judge in Oregon, Hon. Michael H. Simon, has recently upheld a $925 million statutory damages award against health supplement maker ViSalus for its violation of the Telephone Consumer Protection Act (“TCPA”)—making this the largest TCPA damages award to date.
The underlying class action against ViSalus alleged the company placed nearly 2 million unsolicited robocalls nationwide to advertise its weight-loss and dietary products. The class argued that the robocalls constituted unlawful telemarketing practices and violated the TCPA, and after a three-day trial in April of 2019, a jury agreed. Continue Reading $925M TCPA Robocall Award Upheld
The Supreme Court generally upheld the constitutionality of the Telephone Consumer Protection Act (TCPA) in Barr v. American Association of Political Consultants, Dkt. No. 19-631, issued on July 6, 2020. Multiple stakeholders have been pressing on the constitutionality of the TCPA, including advocates against “nuisance” robocalls, service providers wary of uncertain class action liability, and free speech advocates wanting less regulation. The Supreme Court determined that only an exception to the TCPA permitting automated government debt collector calls was an unconstitutional restriction on free speech. To remedy this violation, the Court rejected requests to find the entirety of the TCPA statute unconstitutional and instead affirmed the Fourth Circuit’s approach of severing the offending exception from the statute.
The Supreme Court’s concerns about the governmental debt exception, however, could point to a vulnerability in other privacy statutes, such as the California Consumer Privacy Act, which exempts non-profits. Going forward, privacy advocates will need to be particularly mindful of free speech concerns as privacy legislation grows. Continue Reading Supreme Court Upholds Constitutionality of the TCPA But Severs the Government Debt Carve-Out on First Amendment Grounds
On August 14, 2020, California Attorney General Xavier Becerra announced the California Office of Administrative Law’s approval of the final California Consumer Privacy Act (CCPA) regulations, and filed them with the California Secretary of State. The AG’s office stated that the regulations are effective immediately.
The OAL made additional revisions to the March 11, 2020 regulations, summarized here, which themselves comprised revised regulations that followed several rounds of public forums, hearings, and comment periods. At a high level, the final text’s noteworthy substantive revisions from the March submission (noted in the OAG’s Addendum to the Final Statement of Reasons) include the following: Continue Reading CCPA Regulations Approved
On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty of up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the event of a large-scale data breach. Continue Reading NYDFS Brings its First Cybersecurity Enforcement Action
On August 13, two California contact tracing bills, AB-660 and AB-1782, were approved by the California Senate Judiciary Committee. These bills would affect how public agencies can collect, store and disclose personal information that is used to facilitate COVID-19 contact tracing.
- If enacted, AB-660 would prohibit any use or disclosure of data collected for purposes of contact tracing other than further contact tracing efforts.
- If enacted, AB-1782 would require businesses using or providing contact tracing technologies to provide individuals with the right to consent, access, correct, and delete personal information about them, and to carry out other measures regarding use, security, and maintenance of the data.