On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law without further amendments. Virginia now joins California as the second U.S. state to enact comprehensive privacy legislation. The CDPA will come into effect January 1, 2023, simultaneously with California’s Consumer Privacy Rights Act (CPRA). While similar, the laws reflect somewhat differing approaches to a consumer data law, and covered businesses should begin preparing compliance strategies now. In particular, the new Virginia law may well presage movement in other states, such as Washington, New York, etc., or perhaps movement on a federal privacy law. In light of these developments, many clients are shifting away from jurisdiction-specific policies and towards a rationalized national or global approach to privacy and data protection – with local variations as appropriate.
Continue Reading Step Aside California: Virginia Consumer Data Protection Act Becomes Law

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.
Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with known hacking group APT29 (or “Cozy Bear”) are targeting attacks on health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.

While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches.
Continue Reading Universities and Hospitals Facing Increased Cyber Attacks

Karl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new Security Breach Protection Amendment Act of 2019 requires entities to maintain “reasonable security safeguards,” significantly expands the definition of “personal information,” imposes new requirements to notify the Attorney General’s Office, and mandates 18 months of free credit monitoring for breaches involving social security or tax identification number.
Continue Reading New D.C. Data Security Requirements and Amended Breach Requirements to Take Effect by June 12, 2020

This article appeared in Law360 on May 14, 2020. A group of Republican senators have introduced a new privacy bill that would impose strict privacy obligations on contact tracing apps operated by entities not subject to the Health Insurance Portability and Accountability Act.

Most notably, the COVID-19 Consumer Data Protection Act would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity or personal health data.
Continue Reading Pandemic-Related Privacy Bill May Be Unconstitutional

A group of Republican Senators have introduced a new privacy bill that would impose strict privacy obligations on contact-tracing apps operated by entities not subject to HIPAA. Most notably, the COVID-19 Consumer Data Protection Act of 2020 would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity, or personal health data.
Continue Reading Pandemic Privacy: Republican Senators Announce Plan to Introduce COVID-19 Consumer Data Protection Act of 2020