On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation, 23 NYCRR 500.00, et seq. The significance of the NYDFS enforcement action cannot be overemphasized. This is the first action filed under the Cybersecurity
Subject Access Requests and Cross-Border Privilege: Tips for In-House Counsel
The EU’s General Data Protection Regulation (“GDPR”) contains the much-publicised right of subject access, which gives an individual the right to access a copy of all the personal data a controller holds in relation to him or her.
Under the GDPR, anything that can identify a living individual is personal data. Obvious examples include names,
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities?
On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and
A Day Late, but Will it Fall Short? CPRA Ballot Initiative May Not Appear on Fall Ballot
On May 14, California Secretary of State Alex Padilla announced that the California Privacy Rights Act of 2020 (the “CPRA”) had obtained sufficient raw signatures to qualify for the November 3, 2020 ballot. Those signatures are currently being verified by the counties in which they were obtained. However, based on a complaint filed June 8
AG Submits Final CCPA Regulations—Is Enforcement Still on Track for July 1, 2020?
On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”). This was the last step the AG needed to take before the Regulations become enforceable. But whether enforcement will still start on July 1, 2020 as set forth in the
Privacy vs. Containment, Part 2: The Democratic Answer to a Framework for Federal Privacy Legislation on COVID-19
Two weeks ago we wrote about proposed legislation, The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”), introduced by a group of senior Republican senators, which was designed to address privacy issues arising in the wake of the COVID-19 pandemic. In response, senior Democratic members of the Senate and House of Representatives introduced their own
OCR Warns Providers and Media: Patient Privacy Remains Protected Despite Pandemic
Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered
The Virginia Insurance Data Security Act – What You Need to Know
On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:
- maintain an information security program,
- investigate all cybersecurity events,
- notify the Commissioner of Insurance of cybersecurity events,
Privacy vs. Containment: Federal Privacy Legislation Meets COVID-19
As the federal, state, and local governments and industry grapple with how to respond to and prevent the spread of COVID-19, a group of senior Republican senators recently announced consumer privacy legislation designed to protect personal “covered data” collected from consumers relating to personal health, geolocation, and proximity. The proposed legislation is a response to
Most COVID-19 Calls Are Not an “Emergency Purpose,” and Other Unexpected Developments
The COVID-19 pandemic has impacted nearly every facet of society in unpredictable ways, and the laws and regulations governing calls and text messages are no exception. The Federal Communications Commission (FCC) issued a recent declaratory ruling clarifying when calls and text messages relating to COVID-19 are permissible under the TCPA’s “emergency purposes” exception, but most