As the cannabis industry continues to grow and evolve, so do the challenges it faces, particularly in the realm of cybersecurity. With increasing digitization, cyber threats pose a significant risk to cannabis businesses,...more
2/4/2026
/ Business E-Mail Compromise (BEC) ,
Cannabis-Related Businesses (CRBs) ,
Cyber Insurance ,
Cyber Threats ,
Cybersecurity ,
Data Privacy ,
Data Security ,
Incident Response Plans ,
Payment Processors ,
Ransomware ,
Sensitive Personal Information
In the prior two alerts in this series, we explained that California (along with 16 other states) now requires businesses to conduct privacy risk assessments in certain circumstances where consumer privacy may face heightened...more
1/26/2026
/ California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Personal Data ,
Privacy Laws ,
Regulatory Requirements ,
Risk Assessment ,
Risk Mitigation ,
Sensitive Personal Information ,
State Privacy Laws
As noted in last week’s post, privacy risk assessments are now required in several states. Of the 19 U.S. states with comprehensive consumer data privacy laws, all but two mandate that businesses conduct privacy risk...more
1/21/2026
/ Corporate Counsel ,
Data Privacy ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
EU ,
General Data Protection Regulation (GDPR) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Personal Data ,
Privacy Laws ,
Risk Assessment ,
Risk Management ,
State Privacy Laws
Colorado hospitality businesses are now operating under Colorado House Bill 25-1090, the “Protections Against Deceptive Pricing Practices” law, which took effect on Jan. 1st. The law doesn’t specifically define “junk fees,”...more
As of Jan. 1st, the California Consumer Protection Act (“CCPA”) and accompanying regulations now require businesses to complete a risk assessment before engaging in certain “high-risk” personal information processing. ...more
1/9/2026
/ California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Data Privacy ,
Data Sellers ,
Data-Sharing ,
Effective Date ,
New Regulations ,
Personal Data ,
Regulatory Requirements ,
Risk Assessment ,
Sensitive Personal Information ,
State Privacy Laws
On Dec. 11th, President Trump issued an AI Executive Order titled “Ensuring A National Policy Framework For Artificial Intelligence” that poses an existential threat to Colorado’s AI Act....more
In 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). It developed out of the federal government’s perceived need to be better prepared for cybersecurity...more
12/1/2025
/ Commercial Property Owners ,
Covered Entities ,
Critical Infrastructure Sectors ,
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Data Mapping ,
Incident Response Plans ,
Infrastructure ,
Penalties ,
Recordkeeping Requirements ,
Reporting Requirements
We are seeing an increase in sophisticated social engineering attacks in which threat actors impersonate financial institutions and use accurate banking information to trick employees into disclosing credentials or...more
10/27/2025
/ Bank Accounts ,
Business E-Mail Compromise (BEC) ,
Employee Training ,
Financial Institutions ,
Fraud ,
Fraudulent Transfers ,
Internal Controls ,
Phishing Scams ,
Risk Management ,
Social Engineering ,
Verification Requirements
Those familiar with the industry know that cannabis retailers find themselves in a unique position compared to other product retailers. Cannabis retailers face significant regulatory hurdles to their operation—particularly in...more
2/26/2025
/ Cannabis-Related Businesses (CRBs) ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Marijuana ,
Marijuana Related Businesses ,
Payment Systems ,
Personal Information ,
Popular ,
Regulatory Requirements ,
Retailers ,
Risk Management ,
Third-Party
In today's business landscape, businesses are increasingly relying on third-parties to manage their information, especially those hosting their information in the cloud. This reliance on third parties and the nature of cloud...more
3/4/2024
/ Artificial Intelligence ,
Cloud Computing ,
Cloud Service Providers (CSPs) ,
Data Management ,
Data Processors ,
Data Protection ,
Data Rights ,
Data-Sharing ,
Intellectual Property Protection ,
SaaS ,
Scope of Work ,
Webinars
On Sept. 11, 2023, Governor John Carney of Delaware signed into law the new Delaware Personal Data Privacy Act. Advertised as the “strongest privacy bill in the nation,” the law adds to the growing complex tapestry of state...more
Nevada’s legislature passed its Consumer Health Data Privacy bill on June 5. The bill, if signed into law by Governor Joe Lombardo, would take effect on March 31, 2024. If signed into law, the Nevada bill would join...more
On March 28, Iowa’s six-year-long effort to pass comprehensive consumer data privacy legislation was finally completed, making Iowa the sixth state to pass such a law. Just over two weeks later, Indiana’s legislature passed...more
The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR), recently issued a Notice of Proposed Rulemaking (NPRM) that would prohibit the use or disclosure of protected health information (PHI) to...more
With the new year, there is a lot to be excited and concerned about in the area of cybersecurity and data privacy. This alert identifies some key issues that should be top of mind in this area and thoughts on how they may...more
Have you ever downloaded an app outside of the Apple app store? Probably not, because the current setup of app marketplaces like the Apple app store makes that very difficult. That is about to change. On Feb. 3, 2022, the...more
On May 10, Connecticut joined other states by passing a state consumer data privacy law. This law gives Connecticut consumers more control over what companies can do with personal data collected from Connecticut consumers....more
Within the past year, several states have passed major data privacy protection acts designed to provide rights for their citizens in the area of data privacy and to provide substantial protections for their citizens in...more
On March 2, Virginia passed HB 2307 (Ch. 36) to enact the Consumer Data Protection Act (VCDPA), which becomes effective Jan. 1, 2023. The privacy concepts included in this act are similar to those found in the California...more
4/29/2021
/ CDPA ,
Consent ,
Consumer Privacy Rights ,
Data Collection ,
Data Controller ,
Data Privacy ,
Information Governance ,
Opt-Outs ,
Personal Data ,
Privacy Laws ,
Virginia
Modern business requires the engagement of professional services providers, such as IT services, marketing, software, data hosting, or other needed services. Far too often, though, the agreements governing these relationships...more
3/4/2021
/ Confidential Information ,
Data Breach ,
Data Protection ,
Data Retention ,
Indemnification ,
Information Technology ,
Liability ,
Risk Management ,
Service Contracts ,
Third-Party Service Provider ,
Warranties
On July 16, 2020, the European Union’s Court of Justice (“CJEU”) issued its much-anticipated decision in the Schrems II case. The decision invalidates the EU-US Privacy Shield mechanism for transferring data from the EU to...more
As we noted just earlier this week, the California Privacy Rights Act (CPRA), first introduced in May 2020, is poised to push consumer privacy protections well past the protections found in the not yet fully enforced...more
Passed in 2018, the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, although enforcement by the Attorney General was delayed until July 1, 2020. The CCPA embodied a significant move to provide consumers...more
Working remotely can open up more risk to business email compromise....more
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, granting Californians new privacy rights concerning their personal information. Among those are the rights to know what personal information is...more