On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”), which will become effective on October 1, 2020. The updated Specification replaces the version that has been in effect since May 1, 2018, and is the result of a revision effort by the Specification’s drafters that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and most recently on October 22, 2019, aimed at closing certain loopholes and curbing practices that lead to excessive collection of personal information. Continue Reading China Updates its Personal Information Security Specification
The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert related to Ransomware on July 10, 2020. In the publication, Cybersecurity: Ransomware Alert, OCIE alerts companies to the increase in sophisticated campaigns orchestrated to invade financial institution networks in order to obtain confidential information and plant ransomware. The attacks generally involve perpetrators using “phishing and other campaigns designed to penetrate financial institution networks … to access internal resources and deploy ransomware.” Once the ransomware is deployed, institutions typically lose control of the ability to use and maintain the integrity of their systems and data until they pay a ransom to the attackers. Continue Reading OCIE’s Guidance on Ransomware Attacks
Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic. As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk-levels before allowing them to enter a shared workspace. Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy. Continue Reading Returning to the Office – Data Privacy Concerns for Companies in Latin America
The European Court of Justice this morning issued a significant – and fairly surprising – ruling on international data transfers in the Schrems II case. Standard contractual clauses remain valid, but the Privacy Shield is invalid and cannot be relied on to legitimise transfers of personal data from the EEA to the US. Continue Reading Privacy Shield Invalid but SCCs Survive… What next for international personal data transfers?
UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with the known hacking group APT29 (or “Cozy Bear”) are targeting health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.
While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches. Continue Reading Universities and Hospitals Facing Increased Cyber Attacks
On November 3, 2020, Californians will vote on whether to approve a ballot initiative to enact a new California Privacy Rights Act (CPRA). If, as current polling suggests, California voters pass the CPRA into law in November, it will significantly revise the California Consumer Privacy Act (CCPA) of 2018, which entered into force only in January of this year.
The CPRA expands the provisions of the CCPA, removes the ability of businesses to remedy some violations before they are penalized, and creates a new agency – the California Privacy Protection Agency – to implement and enforce it. The CPRA’s substantive provisions would take effect on January 1, 2023, but its new obligations would apply to personal information collected after January 1, 2022. Continue Reading New California Privacy Initiative Certified for November Ballot
Even with states easing COVID-19-related restrictions, suggestions that social distancing could last through the summer (or even longer) have led many companies that traditionally rely on in-person promotional visits to consider other options. One obvious alternative is telephone or text marketing, but companies that are new to the practice should be aware of the numerous federal and state laws and regulations governing telemarketing, which impose significant fines or statutory damages for violations. In one notable example, Dish Network was assessed $280 million in penalties in an action brought by the FTC and state attorneys general for alleged violations of the Telemarketing Sales Rule (TSR) and related state laws, and in a separate class action, plaintiffs were awarded $61 million in statutory damages.
Both the federal government and all 50 states plus the District of Columbia have laws applicable to the use of telephones for marketing purposes. Some of the restrictions may also apply to non-marketing communications. This post provides a high-level overview of the rules applicable to the space, but before engaging in telemarketing activities, companies should be sure to review both federal and state laws to ensure their practices are fully compliant.
On June 1, 2020, the Office of the California Attorney General submitted its final proposed CCPA regulations to the California Office of Administrative Law (OAL) to review for compliance with the California Administrative Procedures Act. The text of the final proposed regulations is the same as the second set of modifications, released on March 11 and summarized here. Accompanying the proposed regulations is a Statement of Reasons setting out modifications from the initial proposed text of the regulations published on October 11, 2019. If the regulations are approved by OAL, the final text will be filed with the California Secretary of State and will become enforceable. The core provisions of the CCPA became operational on January 1, 2020, and the AG may bring enforcement actions under the CCPA as of July 1, 2020, although it could not premise enforcement actions on its regulations until they are final.
In addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published. Continue Reading COVID-19 Contact Tracing Apps Essential Requirements and Best Practices
On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes. Continue Reading European Guidelines Adopted on Health Data Processed in the Context of the Covid-19 Outbreak