CISA Releases “Cyber Essentials” to Assist Small Businesses

Jonathan E. MeyerTownsend BourneBy Jonathan E. Meyer, Townsend Bourne and *Nikole Snyder on Posted in Cybersecurity, Data Security

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness:” (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide provides a list of steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly. Continue Reading

California Follows Vermont, Requires Data Broker Registration

Liisa ThomasBy Liisa Thomas and Julia Kadish on Posted in California Privacy, CCPA, Consumer Privacy

Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020. Continue Reading

Proposed CCPA Regs Released, Comments Due Dec. 6

Craig CardonLiisa ThomasRachel Tarko HudsonKari RollinsBrian AndersonBy Craig Cardon, Liisa Thomas, Rachel Tarko Hudson, Kari Rollins, Brian Anderson and Julia Kadish on Posted in CCPA

The California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more detail in the coming days, the regulations provide details about how to verify consumers and the need for website accessibility in the provision of notices. The proposal also calls on companies to acknowledge access and deletion requests within 10 days of receipt of such a request. Continue Reading

A Single Text Message May Not Violate TCPA

Shannon PetersenLiisa ThomasLisa YunElfin NoceBy Shannon Petersen, Liisa Thomas, Lisa Yun and Elfin Noce on Posted in Communication Privacy, Consumer Privacy, TCPA

As we reported in our sister blog, “One ‘Chirp, Buzz, Or Blink’ Is Not Enough To Sue Under the TCPA”, a recent court decision makes it more difficult for plaintiffs to establish standing under the Telephone Consumer Protection Act. In its decision, the Eleventh Circuit ruled that a single text message from an attorney to his former client did not amount to sufficient harm to sue in federal court. The Court concluded that the allegations regarding the single text message were not enough to state a concrete injury-in-fact necessary for federal jurisdiction. The Eleventh Circuit’s ruling appears to conflict with a previous Ninth Circuit decision regarding the same issue. Continue Reading

Modifications Under CCPA To Receipt of Consumer Requests

Liisa ThomasCraig CardonRachel Tarko HudsonRebecca MackinBy Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Rebecca Mackin on Posted in CCPA, Consumer Privacy

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests on that website. It is not clear from the amendment if listing the email address on the website would fulfill the latter requirement, or if the intent is for companies to have an online form on their websites where requests can be submitted. Continue Reading

CNIL Issues Record-Keeping Guidance

Liisa ThomasSylvie RousseauRebecca MackinBy Liisa Thomas, Sylvie Rousseau and Rebecca Mackin on Posted in EU Privacy, GDPR

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested. Continue Reading

Will More Clarity on Definition of ATDS Under TCPA Finally Be Here Soon?

Shannon PetersenLiisa ThomasLisa YunBy Shannon Petersen, Liisa Thomas, Lisa Yun and Julia Kadish on Posted in Communication Privacy, Consumer Privacy, TCPA

The Sixth Circuit is the latest court to weigh in on the definition of ATDS under TCPA. The TCPA defines ATDS as equipment that has the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.” Generally, the TCPA prohibits calls and text messages to cell phones using an ATDS without prior express consent. Continue Reading

Maryland Adds Insurance Commissioner to Breach Notification Requirements

Liisa ThomasKari RollinsBy Liisa Thomas, Kari Rollins and Julia Kadish on Posted in Data Breach, Data Security, Healthcare Privacy

Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements. Continue Reading

What To Do About Employees Under CCPA: An Update

Liisa ThomasCraig CardonRachel Tarko HudsonElfin NoceBy Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Elfin Noce on Posted in California, CCPA, Consumer Privacy, Employee Privacy

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree