Privacy & Cybersecurity
Viewpoints
White House to Business: “Take Ransomware Crime Seriously”
June 3, 2021 | Blog | By Cynthia Larose
As we come out of the COVID-19 pandemic, it appears that another type of infection is threatening business, and ransomware continues to spread.
CCPA Breach Class Action Settlement About to Get “Minted”
May 20, 2021 | Blog | By Cynthia Larose, Matthew Novian
Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and over 100 class actions referencing the CCPA have been filed to date, very few class actions have actually made their way to court approval. That is about to change.
US State Privacy Law Check-In - UPDATE
May 4, 2021 | Blog | By Christopher Buontempo, Cynthia Larose
In a previous update, we provided a comprehensive round-up of several notable pending US state privacy laws. We are checking in on the progression of some of those laws in this further update. The next installment will update the remaining state laws in progress.
Beware Dark Patterns – What are They and What Should Your Business Do About Them?
April 2, 2021 | Blog
While the term “dark patterns” is not new, it has recently been getting more attention, not least because the newly passed California Privacy Rights Act (“CPRA”) will regulate dark patterns. In this article, we will focus on what dark patterns are, how your business should be thinking about them, and how CPRA is approaching this issue.
Hearings on the SolarWinds Hack and Possible Policy Responses
March 4, 2021 | Blog | By Christian Tamotsu Fjeld
The 117th Congress kicked off its First Session with, among other initiatives, oversight hearings on the SolarWinds cyber hack. On February 23, the Senate Intelligence Committee held a hearing on the high profile, far-reaching breach; followed by a joint hearing on February 26 in the House of Representatives held by the Oversight and Reform and Homeland Security Committees. At both hearings, Sudhakar Ramakrishna, President and CEO of SolarWinds, Kevin Mandia, CEO of FireEye, and Brad Smith, President and Chief Legal Officer of Microsoft, testified. In addition, George Kurtz, the President and CEO of Crowdstrike, testified at the Senate Intelligence hearing, while Kevin Thompson, the former CEO of SolarWinds, testified in front of the joint House hearing. Together, the hearings represent what will likely be the first of several congressional forays into the SolarWinds hack, including possible legislative initiatives to address future possible incidents and supply chain security.
Virginia Passes Comprehensive Data Privacy Law – Mintz’s Hot Take
March 3, 2021 | Blog | By Cynthia Larose, Christopher Buontempo
On Tuesday, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second U.S. state after California to pass a comprehensive data privacy law. While not quite as expansive as the GDPR in every respect, the CDPA is a very broad-based privacy law that is on par with the California Consumer Privacy Act. Below, we break down some of its key elements.
It’s Not Such a Breeze: Assessing Your Service Providers after SolarWinds
March 2, 2021 | Blog | By Michael Graif, Cynthia Larose
In the recent SolarWinds hack, the routine task of downloading a software update turned into a cybersecurity nightmare for over 18,000 organizations including the Treasury Department, AT&T and up to 85% of Fortune 500 companies. New York has the SHIELD Act, a statute that requires that organizations select third party service providers “capable of maintaining appropriate cybersecurity safeguards”.
Virginia Consumer Data Protection Act Awaits Governor’s Signature -- Consumer Reports Proposes “Model State Privacy Act”
February 26, 2021 | Blog | By Cynthia Larose
We summarized Virginia’s Consumer Data Protection Act (CDPA) in advance of its passage by the legislature and it now awaits Governor Ralph Northam’s signature. This will make Virginia the second state (behind California) with a comprehensive state data privacy law. There are some key differences between the Virginia CDPA and the California Consumer Privacy Act and Consumer Privacy Rights Act (CPRA). We will have a full analysis of the Virginia CDPA next week, so watch this space.
European Commission Publishes Draft Adequacy Decision for Transfers of Personal Data from the EU to the UK
February 19, 2021 | Blog
In a solid step forward for EU to UK personal data transfers, the European Commission has published its draft adequacy decision that will (if finally adopted) permit personal data to flow freely from the EU to the UK.
The Ongoing March toward Privacy Law in the US – A State Legislative Roundup
February 16, 2021 | Blog | By Cynthia Larose, Christopher Buontempo
Based on what we are already seeing in terms of the impressive volume of state-level proposed privacy legislation in the early days of 2021, it appears that we may see a big year for US privacy law. Below is a sampling of where things stand in Virginia, Washington, New York, Minnesota, Oklahoma, Utah, and North Dakota.
Happy Data Privacy Day!
January 28, 2021 | Blog | By Cynthia Larose
January 28 is known worldwide as “Data Privacy Day” or “Data Protection Day,” and it’s a good opportunity to remind everyone of some privacy basics – particularly as people are still working remotely and threats to information and security increase. Privacy and data protection is no longer “nice to have”. It is a business imperative.
Transferring Personal Data from the EU to the UK: Interim Solutions
January 13, 2021 | Blog
The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.
Vendor Management Fail: FTC Settles with Mortgage Analytics Company following Vendor Security Issues
January 11, 2021 | Blog | By Christopher Buontempo, Cynthia Larose
An oft-used business management concept is to “hire people smarter than you.” The concept also applies to hiring vendors – hire vendors that are better than you (especially when it comes to information security). Texas-based Ascension Data & Analytics LLC (Ascension), a technology and data analytics company used by the mortgage industry, did not utilize that concept in its vendor hiring process, and as a result, recently entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following charges that it violated the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule by failing to ensure that its third-party vendor adequately protected mortgage holder personal information.
Holiday Gift from California AG: FOURTH Set of Proposed “Modifications” to CCPA Regs Already in Effect
December 11, 2020 | Blog | By Cynthia Larose
As businesses continue to work on compliance with the California Consumer Privacy Act (CCPA) and the multiple versions of regulations issued by the Attorney General’s Office, Attorney General Becerra has issued yet another set of proposed modifications to the regulations implementing the CCPA. This fourth set of proposed modifications comes on the heels of (and builds on) the third draft set of modifications issued in October. That October revision had not been finalized after comments had been received.
Data Breaches Can Cost $$ – Plus Ongoing Obligations (ask Home Depot): Lessons and Takeaways
December 2, 2020 | Blog | By Cynthia Larose, Christopher Buontempo
The Home Depot, Inc. (“Home Depot”) recently entered into a multi-state Assurance of Voluntary Compliance with Attorneys General of 46 states and the District of Columbia (the “Settlement”) stemming from a massive 2014 data breach that exposed the payment card information of approximately 40 million Home Depot customers. In addition to the steep penalty, Home Depot is required to undergo an extensive security overhaul.
Senate Passes IoT Cybersecurity Bill by Unanimous Consent
November 18, 2020 | Blog | By Christian Tamotsu Fjeld, Christopher Harvie
European Commission Publishes Proposed New Data Transfer Agreement
November 13, 2020 | Blog
The European Commission has just published a consultation draft of the long-promised updated version of the Standard Contractual Clauses (SCCs). The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”). In a nutshell, the new SCCs have finally caught up with the GDPR, which came into effect nearly two and a half years ago. Once the Commission formally adopts the new SCCs, organizations will have a one-year grace period to transition from the old SCCs to the new SCCs.
EU Data Protection Regulators Issue Critical Draft Guidance on Personal Data Transfers
November 12, 2020 | Blog
US companies and other organizations whose activities involve the use of personal information from Europe were unsettled by the EU Court of Justice’s July 2020 Schrems II decision that cast doubt on the lawfulness of transferring personal data from the EU to the US. The European Data Protection Board (EDPB) has now published its long-awaited guidance as to what it expects organizations to do to bolster protections for transfers of personal data. The new guidance imposes a very high burden on transferors and recipients of EU personal data.