The Payment Card Industry Security Standards Council (PCI SSC) has issued an FAQ for ecommerce merchants that outsource their payment card processing to a vendor using an embedded payment page or form (such as an "iframe")....more
On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released its long-awaited "Required Rulemaking on Personal Financial Data Rights" (Proposed Rule) for public comment. The Proposed Rule was issued under...more
10/26/2023
/ Compliance ,
Consumer Financial Protection Act (CFPA) ,
Consumer Financial Protection Bureau (CFPB) ,
Consumers ,
Data Privacy ,
Enforcement ,
Fair Credit Reporting Act (FCRA) ,
Financial Institutions ,
FinTech ,
Gramm-Leach-Blilely Act ,
Liability ,
Open Banking ,
Proposed Rules ,
Shareholders
The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut,...more
9/14/2023
/ Advertising to Minors ,
B2B Organizations ,
Commodity Exchange Act (CEA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Privacy ,
Data Processors ,
Data Protection ,
Delaware ,
Enforcement ,
Fair Credit Reporting Act (FCRA) ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Nonprofits ,
Opt-Outs ,
Personal Data ,
Privacy Notice Rule ,
Private Right of Action ,
Securities Exchange Act of 1934 ,
State Privacy Laws
Oregon becomes the 12th state with a comprehensive consumer data privacy law -
The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy...more
7/20/2023
/ Consumers ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Acts ,
Data Security ,
Legislative Agendas ,
New Legislation ,
New Regulations ,
Oregon ,
Personal Data ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws
The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. Texas becomes the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa,...more
7/7/2023
/ Biometric Information ,
Compliance ,
Consent ,
Data Privacy ,
Data Protection ,
Data Security ,
Fair Credit Reporting Act (FCRA) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Non-Discrimination Rules ,
Notice Requirements ,
Opt-Outs ,
Popular ,
Private Right of Action ,
Reporting Requirements ,
SBA ,
Sensitive Personal Information ,
Small Business ,
State Privacy Laws ,
Texas
Montana is the ninth state to enact a comprehensive consumer data privacy law -
Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MTCDPA) on May 19, 2023, after unanimous passage through the...more
INCDPA takes business-friendly approach to data privacy, following Virginia, Utah, and Iowa -
Indiana has become the seventh state to enact a "comprehensive" data privacy law, joining California, Virginia, Colorado,...more
On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The...more
5/2/2023
/ Business Associates ,
Covered Entities ,
Data Privacy ,
Data Protection ,
Data Security ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
Patient Privacy Rights ,
PHI ,
Private Right of Action
Regulators, both in the United States and around the globe, are showing greater concern about the potential risks of using generative artificial intelligence (AI) systems for commercial and business purposes. The Federal...more
March 2023 was a consequential month for data privacy law. The California Office of Administrative Law (OAL) formally approved regulations issued by the California Privacy Protection Agency (CPPA) implementing the California...more
With the unanimous passage of Senate File 262 by the Iowa House and Senate and the Governor's signature Tuesday, the Hawkeye State joins California, Colorado, Connecticut, Virginia, and Utah as one of six states with a...more
3/31/2023
/ Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
New Legislation ,
Personal Information ,
Privacy Laws ,
Regulatory Reform ,
State Data Breach Notification Statutes ,
State Data Privacy Laws
For businesses subject to data breach notification requirements in Utah and Pennsylvania, a series of significant amendments will soon go into effect in both states. ...more
The Securities and Exchange Commission (SEC or Commission) voted on March 15, 2023, to propose three new sets of rules for data security, cybersecurity, and IT operational resilience. The newly proposed rules would, among...more
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a new program aimed at identifying and preventing ransomware attacks. The initiative is known as the Ransomware Vulnerability Warning...more
The Biden-Harris Administration has unveiled its highly anticipated National Cybersecurity Strategy — a sweeping and ambitious document calling for "fundamental changes to the underlying dynamics of the digital ecosystem."...more
The California Privacy Protection Agency ("CPPA" or "Agency") is seeking preliminary comments on proposed rulemaking for risk assessments and cybersecurity audits for higher-risk data processing activities, and consumer...more
One can scarcely browse the internet without encountering a story on the use of Artificial Intelligence (AI) by businesses or websites. While recently most attention has focused on generative AI and the increasing use of chat...more
The Colorado Attorney General's Office has published its much-anticipated proposed rules (Proposed Rules) implementing the Colorado Privacy Act (CPA), which, as we discussed in an earlier blog post, was enacted on July 7,...more
The Federal Trade Commission (FTC) may have just taken its first steps towards the creation of generally applicable federal privacy and security rules. On Aug. 11, 2022, the FTC published an advance notice of proposed...more
Since first announced in December 2021, the critical Log4j vulnerability has stolen the attention of many cybersecurity professionals. The Federal Trade Commission (FTC) has taken notice too....more
Privacy and security diligence has become standard in M&A transactions, but a one-size-fits-all approach won’t work. While form questionnaires have their place, companies need to know when to take a deeper, more technical...more
It has been a busy summer for data breach and cybersecurity laws. Several states have shortened their data breach notification timelines, expanded their definitions of personal data breaches triggering notification...more
The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) recently announced its first cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of...more
4/28/2021
/ Benefit Plan Sponsors ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Department of Labor (DOL) ,
EBSA ,
Employee Benefits ,
Employee Retirement Income Security Act (ERISA) ,
Popular ,
Retirement Plan ,
Retirement Plan Providers ,
Risk Management