In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that use by a German
Continue Reading Bavarian DPA Holds SCCs Alone Not Enough for European Use of US Email Service
Utah recently amended its breach notice law to provide certain defenses to companies who suffer a data breach. It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and reasonably comply with a written cybersecurity program may have an affirmative defense to litigation resulting after a data breach. For the safe harbor to apply, the written cybersecurity program must:
Continue Reading Utah Creates Data Breach Safe Harbor
Artificial intelligence continues to remain a focus in 2021, as we predicted at the start of the year. From the FTC, to the EU, to others, regulators of all kinds are paying attention to companies’ use of these tools. In the latest, five US federal agencies are seeking input on how financial institutions are using AI tools. Comments from stakeholders are due by June 1, 2021.
Continue Reading Federal Financial Agencies Seek Comments on Use of Artificial Intelligence
As the first quarter of 2021 comes to a close, cyberattacks are only gaining momentum. As we reported last month, these attacks have become big business for threat actors, and companies are working hard to be prepared. Taking stock of potential risks – and risk management techniques – can be a useful exercise in this environment. For this, tools from change management can help. Change management, particular sustainable change management, teaches us not to jump head-first into action, but first to take stock of what actions will be most helpful.
Continue Reading Understanding Risk in An Increasingly Risky World
The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues. A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.
Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts
The new acting FTC chair, Rebecca Kelly Slaughter, recently signaled that the FTC may increase enforcement and penalties in the privacy and data security realm. Slaughter pointed to several areas of focus for the FTC this year, which companies will want to keep in mind:
Continue Reading What Is FTC’s Course Under Biden?
Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Continue Reading Virginia is for…Privacy: Comprehensive Law Passed, Effective January 2023
Many states require insurance providers that do business in their states to complete annual certifications of compliance. As examples, the deadline in New Hampshire is coming up on March 1. The deadline in Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina was February 15. (The deadline under new laws in Michigan and Virginia will be February 15 as well, starting in 2022 and 2023, respectively.) The deadline in New York is April 15.
Continue Reading Insurance Cybersecurity Certifications: A State Roundup
The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared. In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and only use it to provide the app’s services to users, in fact, health information of over 100 million users was being shared with popular third party companies. Namely, third parties who provided marketing and analytics services to the app.
Continue Reading FTC Settles with Fertility Tracking App For Alleged Deceptive Data Sharing Practices
Artificial intelligence continues to be a focus and concern for businesses, regulators, and lawmakers alike. As we recently wrote, there was much activity and focus on artificial intelligence and the impact on privacy laws. In addition to legal developments, there have been advancements in AI business technologies by major multinational technology firms, something focused on this post in our sister Intellectual Property Law Blog. There has been an arms race underway by the world’s leading economies to win the estimated $13 Trillion of GDP this field stands to award the winner. In a recent podcast episode, partners Siraj Husain and Michael P.A. Cohen discuss these developments, risks, and solutions that businesses are experiencing.
Continue Reading What to Watch in Artificial Intelligence in 2021
Many have been watching facial recognition law developments closely, and saw that Portland became the first US city to regulate the use of such technology by private entities operating “places of public accommodation” within the city. Of particular concern for the Portland city council was the use potentially discriminatory use of these technologies, and its impact on “children, Black, Indigenous and People of Color, people with disabilities, immigrants, refugees, and other marginalized communities and local businesses.”
Continue Reading Portland’s Facial Recognition Law: Impact on National Companies