
Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

On June 1, 2020, the California AG submitted the final text of the proposed CCPA regulations to the Office of Administrative Law (OAL). There were no changes to the final text from the last version released in March, which we previously summarized here.
Continue Reading Final Draft CCPA Regulations Submitted, Effective Date Unclear

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019, which adds some significant changes to D.C.’s existing data breach law, first enacted in 2007. The law is projected to take effect by June 13, 2020. Some of the major changes are summarized below.
Continue Reading D.C. Amends Data Breach Notification Law, Adds Security Requirements

During COVID-19, in certain areas of the law, we have seen significant flexibility from regulators and government agencies in how they are addressing typical approval processes and/or compliance requirements. In the context of privacy and cybersecurity regulations, largely, regulators are emphasizing that personal privacy and data security are important now more than ever. New information is being collected and used in new ways. Certain data security vulnerabilities may be more prevalent in this work-from-home environment.
Continue Reading Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19

The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product’s security practices. These allegations arose based on vulnerabilities that a security researcher demonstrated – not in the aftermath of a data security breach where these complaints often originate.
Continue Reading FTC Settles with Company Over Alleged Deceptive Security Practices

A number of private and government entities have released apps and software development kits (SDKs) relying on location tracking data to help tackle the COVID-19 pandemic. While the use of such technologies is being hotly debated, commentary continues to emerge from the EU about developing such applications in compliance with EU data protection laws.
Continue Reading Using Mobile Apps and Location Data to Combat COVID-19

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
Continue Reading EDPB Announces Scope of COVID-19 Guidance

On March 11, 2020, the second set of modifications (or the third version) of the CCPA draft regulations was released. While the number of substantive changes dwindled in this version, there are a number of drafting corrections and a few modifications of note. Namely:
Continue Reading Can you Zigzag? California AG Releases Latest Draft of CCPA Regulations

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, on March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
Continue Reading NY SHIELD Act Data Security Requirements Effective This Month

The FTC recently released its annual privacy and security report, providing a snapshot of the issues focused on in the previous year. These reports are often read as a signal of the agency’s upcoming priorities. Generally, the report contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions from 2019, a year where we saw several record-setting fines. The report also discusses privacy/security workshops, consumer education, and international engagement. Some of the highlights from 2019 discussed in the report include:
Continue Reading FTC Releases 2019 Privacy and Security Year in Review