New European Data Protection Board Guidance on Data Protection by Design and by Default

Liisa ThomasKari RollinsElfin NoceBy Liisa Thomas, Kari Rollins and Elfin Noce on Posted in Data Security, EU Privacy, GDPR

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according to the guidelines, is that companies can show that the measures they took are effective. Continue Reading

New Artificial Intelligence Law for Illinois Employers in January 2020

Liisa ThomasBy Julia Kadish and Liisa Thomas on Posted in Employee Privacy

January 1, 2020, organizations that employ individuals based in Illinois will need to keep in mind the Artificial Intelligence Video Interview Act. This Act sets forth new requirements for video-recorded interviews using AI to analyze such recordings. The law is not limited to just Illinois residents. It applies to applicants for positions based in Illinois. While brief, and without any definitions, the Act requires three things before using AI technology in video interviews. Continue Reading

The Privacy Shield Survives Another EU Commission Review, For Now…

Liisa ThomasRachel Tarko HudsonRebecca MackinBy Liisa Thomas, Rachel Tarko Hudson, Rebecca Mackin and Julia Kadish on Posted in Consumer Privacy, EU Privacy

The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with some parts of the program. This included a fear that US Department of Commerce’s monthly pro-active checks of companies may be too surface level, and did not necessarily include review of  the companies’ privacy provisions in vendor contracts. Continue Reading

FTC and Software Company Reach Security Settlement Over Unfair Practices

Liisa ThomasBy Julia Kadish and Liisa Thomas on Posted in Consumer Privacy, Data Breach, Data Security

The FTC recently settled with Infotrax Systems, L.C. a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed InfroTrax’s server unnoticed at least seventeen times. The data accessed included social security numbers and payment card information. It also included unencrypted user IDs and passwords. Infotrax learned of the incident from an alert that one of its servers had reached maximum storage capacity. Continue Reading

CISA Releases “Cyber Essentials” to Assist Small Businesses

Jonathan E. MeyerTownsend BourneBy Jonathan E. Meyer, Townsend Bourne and *Nikole Snyder on Posted in Cybersecurity, Data Security

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness:” (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide provides a list of steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly. Continue Reading

California Follows Vermont, Requires Data Broker Registration

Liisa ThomasBy Liisa Thomas and Julia Kadish on Posted in California Privacy, CCPA, Consumer Privacy

Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020. Continue Reading

Proposed CCPA Regs Released, Comments Due Dec. 6

Craig CardonLiisa ThomasRachel Tarko HudsonKari RollinsBrian AndersonBy Craig Cardon, Liisa Thomas, Rachel Tarko Hudson, Kari Rollins, Brian Anderson and Julia Kadish on Posted in CCPA

The California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more detail in the coming days, the regulations provide details about how to verify consumers and the need for website accessibility in the provision of notices. The proposal also calls on companies to acknowledge access and deletion requests within 10 days of receipt of such a request. Continue Reading

A Single Text Message May Not Violate TCPA

Shannon PetersenLiisa ThomasLisa YunElfin NoceBy Shannon Petersen, Liisa Thomas, Lisa Yun and Elfin Noce on Posted in Communication Privacy, Consumer Privacy, TCPA

As we reported in our sister blog, “One ‘Chirp, Buzz, Or Blink’ Is Not Enough To Sue Under the TCPA”, a recent court decision makes it more difficult for plaintiffs to establish standing under the Telephone Consumer Protection Act. In its decision, the Eleventh Circuit ruled that a single text message from an attorney to his former client did not amount to sufficient harm to sue in federal court. The Court concluded that the allegations regarding the single text message were not enough to state a concrete injury-in-fact necessary for federal jurisdiction. The Eleventh Circuit’s ruling appears to conflict with a previous Ninth Circuit decision regarding the same issue. Continue Reading

Modifications Under CCPA To Receipt of Consumer Requests

Liisa ThomasCraig CardonRachel Tarko HudsonRebecca MackinBy Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Rebecca Mackin on Posted in CCPA, Consumer Privacy

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests on that website. It is not clear from the amendment if listing the email address on the website would fulfill the latter requirement, or if the intent is for companies to have an online form on their websites where requests can be submitted. Continue Reading

CNIL Issues Record-Keeping Guidance

Liisa ThomasSylvie RousseauRebecca MackinBy Liisa Thomas, Sylvie Rousseau and Rebecca Mackin on Posted in EU Privacy, GDPR

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree