Photo of Jessica Grischkan

Jessica Grischkan

Subscribe to Jessica Grischkan's Posts
Contact:Read more about Jessica Grischkan
24_1742_12 Days of Data_Graphic_10295

Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend.  Continue Reading Dashing Through Cybersecurity Regulations in the Financial Services Sector in 2024

Rhode Island

With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.Continue Reading Rhode Island Joins the Fray with New Comprehensive State Privacy Law

On the first Day of Data, we recap a busy year for the Federal Trade Commission (“FTC”), highlighting key enforcement decisions from 2023 and reading the tea leaves for what promises to be an equally active 2024 for the agency on topics ranging from online tracking technologies to artificial intelligence.Continue Reading Walking in a Data Wonderland: A Look Back at the FTC’s 2023 Privacy Enforcement Actions

At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs.  The proposed regulations would also impose broad rules

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for

As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.
Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote

Hexagon Cyber security technology concept , Shield With Keyhole icon with world map background , personal data , vector illustration.

Private employers in New York will now need to notify and obtain employee acknowledgement prior to engaging in any electronic monitoring under the provisions of S2628, signed by Governor Kathy Hochul on November 8, and effective May 7, 2022. With this law, New York joins Connecticut and Delaware in mandating that employers provide employee notice of monitoring, which, in practice, can be integrated into the sort of employee privacy notice required under the California Consumer Privacy Act.

Applicability and Obligations for Businesses

S2628 applies to any private employer with a place of business in New York that electronically monitors employees’ communications and internet activity. The law’s core provisions require that upon an employee’s hiring, the employer must provide prior written notice alerting the employee that their telephone conversations, e-mails, and internet access or usage may be monitored using any electronic device or system such as a computer, telephone, wire, radio, or electromagnetic, photoelectronic, or photo-optical systems. The notice must be in writing or electronic form and acknowledged by the employee in writing or electronically. Employers must also post the notice describing the electronic monitoring in a conspicuous place that is readily available for employees to view.Continue Reading New York Law Will Require Employee Notice and Acknowledgement Prior to Electronic Monitoring by Employer

10_Article29_SS_566044504

Preeminent privacy scholar and George Washington University Law School professor, Daniel Solove joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection,” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:

  • The state of complexity and inconsistency in the international privacy law landscape
  • The inherent flaws in the models on which privacy laws are currently based
  • The risks of moving toward a regulatory model
  • Theories of harm in data breach cases
  • The role of the courts in adjudicating privacy laws

Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.Continue Reading How Data Breaches Are Shaping the Global Data Protection Debate

BillBuilding on the momentum of the California Consumer Privacy Act (“CCPA”)California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach.  In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing  an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022.
Continue Reading Minnesota Debates New Privacy Bills

BillFlorida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action.  As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action. 
Continue Reading Florida House and Senate Privacy Legislation Fails to Pass