Privacy & Cybersecurity

If your company is marketing any smart device, particularly if the device is involved with home security and collects personal information from users, it’s time to pay attention to the story of Tapplock. Tapplock, Inc. (“Tapplock”), is a Canadian Internet of Things (“IoT”) company that sells fingerprint-enabled padlocks that are connected to the Internet (“smart locks”).

We recently provided some insights regarding how countries across the world are using data to fight COVID-19. The United States Senate, Committee on Commerce, Science, and Transportation, has recently conducted a hearing with witnesses from academia, industry, and interested organizations on “Enlisting Big Data in the Fight Against Coronavirus.”

The US Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security has issued a rare joint alert with the UK’s National Cyber Security Centre (NCSC) regarding coronavirus-related threats. The alert warns that cybercriminals and nation -state hackers are trying to take advantage of the pandemic for criminal gain.

The COVID-19 pandemic and resulting office shutdowns has required many organizations to quickly transition to remote working environments. Going remote often requires a number of technology solutions and tools such as video conferencing, email, cloud file storage, file sharing, chat and communication platforms, and remote desktop applications, just to name a few.

The NYDFS has announced that it has extended the deadline for compliance with certain cybersecurity requirements due to the coronavirus emergency. The announcement from the Superintendent of Financial Services of the State of New York recognizes that COVID-19 may present compliance challenges for regulated entities and covered persons in meeting reporting obligations.

K-12 schools, colleges, and universities around the country have shuttered their doors—most, for the rest of the academic school year—in response to the COVID-19 pandemic.  Educational institutions are in uncharted waters, but most are rising to the occasion to provide engaging and robust online curricula to keep students educated and entertained.

The COVID-19 global pandemic presents unique legal and practical challenges for companies across all industries, including with respect to privacy and cybersecurity risks and protections. Join Mintz, ML Strategies, and one of our industry partners, The Crypsis Group, for a webinar addressing these critical issues and the dynamic and evolving cybersecurity threats.

While many companies around the world are coping with a global pandemic, some are facing additional challenges in light of a looming deadline triggered by the California Consumer Privacy Act (“CCPA”).  Citing #covid19 concerns, a coalition of more than 60 such companies made a plea this week to California’s Attorney General Xavier Becerra (“AG”) to delay the AG’s enforcement of the CCPA.

Although it may not seem like it, there are privacy-related issues to discuss beyond COVID-19.   Before the state of emergency, we saw the first complaint under the California Consumer Privacy Act (CCPA) filed in a California federal court.  This action, styled as Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. March 10, 2020)[LINK TO PDF], arose from a data breach, which allegedly exposed highly sensitive personal and medical information of thousands of patients of Sunshine Behavioral Health Group (“Sunshine”).

With the advent of COVID-19, countries around the world are facing a novel challenge that affects them in unprecedented ways economically, socially, and otherwise.  From a public health perspective, now perhaps more than ever before, authorities are interested in understanding more about the movement patterns of those within their borders, including where certain individuals have traveled to, who they have met with, and where they are located now.  

Companies with employees in multiple European locations may well be feeling challenged both in keeping up with public health-driven guidance – and more recently, mandates – relating to the SARS-COV2 risks in the workplace.  On top of extraordinarily urgent efforts to limit the spread of the novel coronavirus while maintaining as much business continuity as possible, companies have legitimate concerns about their data protection obligations under the General Data Protection Regulation (GDPR) and national employment laws.

The Financial Industry Regulatory Authority (FINRA), the independent nongovernmental organization that writes and enforces the rules governing U.S. registered brokers and broker-dealers, has issued guidance to its member firms regarding pandemic-related planning. 

The New York Department of Financial Services (NYDFS) issued guidance to financial institutions engaged in virtual currency business activities, mandating that an emergency preparedness plan from each firm be submitted to NYDFS within 30 days from March 10, 2020.  The agency also outlined the respective responsibilities of the boards of directors, senior management, and CEOs (or their equivalents).

With cases of the Novel Coronavirus (COVID-19) emerging in nearly every state, many businesses are taking swift action in an effort to curb its spread.  Teleworking, “remote working,” or simply “working from home,” is a centerpiece of those efforts. While remote working arrangements may be effective to slow the community spread of COVID-19 from person to person, they present cybersecurity challenges that can be different than on-premise work. 

COVID-19 is not the only virus associated with the global outbreak. As predictably as night follows day, cybercriminals have been using the epidemic as a means to spread their malicious payloads. Companies should include information about cyber hygiene along with the CDC recommendations of hand washing, particularly given the potential for increased remote access to corporate IT systems.

Wrapping up our multi-part series on the recent revisions to the CCPA draft regulations issued earlier this month by the California Attorney General’s office, we look at Article 6 pertaining to non-discrimination and financial incentives.

It feels like we’ve been seeing a lot more health care breaches caused by hackers and other IT security incidents recently, and there’s a good reason why: a recent report by cloud security company Bitglass confirms that both the number of breaches and individuals affected by breaches caused by hackers and IT incidents grew significantly last year.  Bitglass analyzed data from the breach portal, affectionately known as the “Wall of Shame,” published by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  Pursuant to the HITECH Act, HHS is required to post a list of all reported breaches that affect 500 or more individuals. OCR classifies the types of breaches reported on the Wall of Shame, and the "Hacking/IT Incident" category includes a variety of breaches, including malicious intrusion, malware, ransomware, phishing, and general IT security failures.

In this post, we offer insights on the revisions recently made by the California Attorney General’s office to Article 5 of its draft regulations pertaining to special rules regarding minors. Article 5 imposes special requirements on businesses that sell the personal information of children and minors.  We previously reported on this part of the draft regulations.

In this post, we offer insights on the revisions recently made by the California Attorney General’s office to Article 4 of its draft regulations pertaining to verification requirements.  Article 4 specifies how businesses should verify consumers’ identities when they receive consumers’ data requests.  We previously reported on this part of the draft regulations.

The Washington Privacy Act has overwhelmingly passed the Washington state senate by a vote of 46-1.   Similar legislation passed the state senate last year and failed in the Washington house of representatives.  We will track the bill in the Washington house and update on its status.