
On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with

Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.

Five amendments passed: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Significant impacts of the amendments that were enacted include:

  • The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business interactions but only in certain respects.
  • The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
  • The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act.
  • The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
  • The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.


On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between

On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate

The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.

Notable updates

Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if, after the initial notice, the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.

In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule:

  • Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1)
  • Updates

Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018.

In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be adequate.

The Privacy Shield’s terms must be reviewed every year. You can find our blog post on the first annual report here.

Second annual review

The second annual review took place on 18 and 19 October 2018 in Brussels. The review was conducted against the backdrop of challenges to data privacy, abuses of personal data, and the ongoing debate about federal privacy legislation in the United States.

The review covered two distinct areas: the commercial aspects of the Privacy Shield and U.S. government access to personal data.

The report notes the steps that the United States has taken in relation to the Commission’s recommendations from the first annual review:

  • The certification process has been strengthened, and new oversight procedures have been introduced. Companies can no longer publicise their Privacy Shield certification until the Department of Commerce (DoC) has finalised it.
  • The monitoring of companies’ compliance with the Privacy Shield has been improved. In particular, administrative subpoenas have been issued to request further information for the purpose of investigations.
  • The protections offered by Presidential Policy Directive 28 were not incorporated into the Foreign Intelligence Surveillance Act when it was reauthorised, contrary to the Commission’s recommendation. However, the safeguards in the act have not been restricted, and some additional privacy safeguards have been introduced in relation to transparency.
  • The Privacy and Civil Liberties Oversight Board has been reinstalled to its full quorum. The board released its report on Presidential Policy Directive 28 on 16 October 2018.
  • A permanent Privacy Shield ombudsperson has not yet been appointed, contrary to the Commission’s recommendation.


Security bugs may have wildly disparate paths of extermination. Some are quietly patched with code updates, while others make the national news and trigger companies’ incident response plans. Is your company aware of the data security vulnerabilities it should be addressing? Is your company prepared to respond to a researcher who notifies you of a serious bug, or perhaps notifies the media without any prior notice?

Bugs in all shapes and sizes. Data security vulnerabilities exist for any number of reasons. For example, companies cause their own, such as by misconfiguring implementations or poorly coding websites and mobile applications, leaving them open to common attacks. They also may be using flawed software provided by a vendor and have little control over the vulnerabilities or resolving them, other than waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methodology may have a vulnerability.

The bug hunt. Companies use various techniques for identifying and resolving vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. Companies can also monitor the many online resources documenting known vulnerabilities, such as the United States Computer Emergency Readiness Team website. Using supported software and promptly implementing security patches are key. Responsible use of open-source software is also strongly recommended. Recent events have shown that an unpatched vulnerability to an open-source application framework can lead to a breach. The infamous Heartbleed bug in the OpenSSL open source cryptographic software library left millions of websites at risk. Notably, for anything other than the most simple systems, assessing the criticality and implications of implementing security patches is not an easy task – among other things, a given patch may have unintended effects on related system components, or the patch may not really be necessary, given the protections provided by other layers of defense. And a company with complex systems could receive dozens, hundreds, or even thousands of patches every week.

Following our previous blog on the upcoming first annual review of the EU-US Privacy Shield, the European Commission (“Commission”) published its report on 18 October 2017 (“Report”).

The Commission’s Findings

Overall, the Report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, with the necessary structures and procedures having been put in place to ensure the correct functioning of the Privacy Shield. Further, it indicates that complaint-handling and enforcement procedures have been set up, and there is increased cooperation with the European data protection authorities.

However, as Věra Jourová, Commissioner for Justice, Consumers and Gender Equality notes, “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”

The Report includes a number of recommendations that could be implemented to further improve the functioning of the Privacy Shield. These include: