The travel giant Sabre Corp. has reached an agreement with multiple State Attorneys General to pay $2.4 million and make certain changes in its cybersecurity policies to settle a multi-state investigation into a 2017 data...more
1/5/2021
/ Credit Cards ,
Customers ,
Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Investigations ,
Online Marketplace ,
Online Payments ,
Online Platforms ,
Settlement ,
State Attorneys General
Throughout 2020, companies have been negotiating with their business partners the issue of “selling” under CCPA. Is the partner a service provider? A third party? Is there an exchange of consideration? These issues will not...more
Throughout 2020 we saw many enforcement actions brought by EU and U.S. regulators. Whether for allegations of deception (misleading privacy representations) or unfairness (failure to protect information), COVID did not appear...more
12/28/2020
/ Biometric Information Privacy Act ,
CAN-SPAM Act ,
COPPA ,
Coronavirus/COVID-19 ,
Cybersecurity ,
Enforcement Actions ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Online Safety for Children ,
TCPA
Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title...more
9/24/2020
/ Cybersecurity ,
Data Breach ,
Data Protection ,
Enforcement Actions ,
Financial Services Industry ,
First American Title Insurance Co. ,
Internal Investigations ,
Non-Public Information ,
NYDFS ,
Popular ,
State Attorneys General
The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address...more
The FTC recently settled with Infotrax Systems, L.C. a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had...more
11/21/2019
/ Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Hackers ,
Personally Identifiable Information ,
Popular ,
Settlement ,
Software Developers ,
Technology Sector
Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information...more
10/14/2019
/ Amended Legislation ,
California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Brokers ,
Data Collection ,
E-Commerce ,
Governor Newsom ,
Privacy Laws ,
Registration Requirement ,
State Attorneys General ,
State Data Privacy Laws
Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many...more
9/30/2019
/ CNIL ,
Cybersecurity ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
New Guidance ,
Personal Data ,
Recordkeeping Requirements
Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements.
In August 2019, the Maryland...more
Illinois has updated its breach notice law to require, effective January 1, 2020, notice to the Illinois Attorney General of a data breach involving more than 500 Illinois residents.
The law contains specific requirements...more
As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective...more
New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required...more
8/27/2019
/ Cybersecurity ,
Data Breach ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
New Legislation ,
Personally Identifiable Information ,
Policies and Procedures ,
Security Risk Assessments ,
SHIELD Act ,
State Data Breach Notification Statutes
International companies should keep in mind recent developments coming out of Asia on the privacy front. Chinese authorities are reported to be confiscating smartphones at the border to install surveillance apps. Companies...more
7/25/2019
/ China ,
Cyber Threats ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Government Investigations ,
Hong Kong ,
Law Enforcement ,
Memorandum of Understanding ,
Personal Data ,
Popular ,
Singapore ,
Trade Secrets
Modern sock maker, Bombas, recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014...more
Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has...more
7/3/2019
/ Amended Legislation ,
Cooperation ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Duty to Investigate ,
Personally Identifiable Information ,
State Data Breach Notification Statutes ,
Vendors
New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor, Greg Abbot, on...more
The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The companies’ clients...more
6/25/2019
/ Car Dealerships ,
Cybersecurity ,
Data Breach ,
Data Collection ,
Data Processors ,
Data Protection ,
Data Security ,
Data Storage ,
Federal Trade Commission (FTC) ,
Gramm-Leach-Blilely Act ,
Hackers ,
Personally Identifiable Information ,
Safeguards Rule ,
Section 5 ,
Security Risk Assessments ,
Settlement
California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to...more
5/29/2019
/ Amended Legislation ,
California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Rights ,
Data-Sharing ,
Pending Legislation ,
Personal Data ,
Personally Identifiable Information ,
Privacy Laws ,
Private Right of Action
Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in...more
Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has...more
The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being...more
4/24/2019
/ Comment Period ,
Cybersecurity ,
Data Privacy ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Public Comment
As we enter into the second quarter of the year, the FTC has released its annual report on privacy and data security, and the steps it took in those areas over the course of 2018. The report includes summaries of its actions...more
The European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about...more
Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do...more
3/21/2019
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Hackers ,
Incident Response Plans ,
Information Security ,
Insurance Industry ,
Insurer Liability ,
New Legislation ,
Personally Identifiable Information ,
Risk Assessment ,
State Data Breach Notification Statutes ,
Third-Party Service Provider
Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11,...more
3/12/2019
/ Amended Legislation ,
Corporate Counsel ,
Credit Monitoring ,
Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Hackers ,
Personally Identifiable Information ,
State Attorneys General ,
State Data Breach Notification Statutes