Photo of Gerard Stegmaier

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year

In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO which created a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering

In a ruling on April 22, 2021, the United States Supreme Court unanimously held that § 13(b) of the Federal Trade Commission Act (the Act) does not authorize the Federal Trade Commission (FTC) to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. The FTC previously used § 13(b) as

The protection afforded by attorney-client privilege brings about a candid conversation between lawyers and clients. Privilege can attach to communications covering a variety of topics, from responding to a data subject access request (DSAR) to handling a security incident or managing complex and time consuming investigations on a multinational scale. Different privilege rules may apply

On September 9, a federal judge in California dismissed claims brought by hiQ Labs, Inc. (hiQ) against LinkedIn Corp. (LinkedIn) that alleged that LinkedIn’s attempts to prevent hiQ from accessing public information on its website violated various antitrust laws. In an opinion that will continue to fuel debate over the relationship between antitrust and privacy,

In April, the Federal Trade Commission settled charges against Progressive Leasing, a company that markets virtual rent-to-own payment plans to retail stores nationwide. Unlike traditional rent-to-own companies, Progressive does not operate its own brick-and-mortar stores. Instead, Progressive markets its rent-to-own payment plans to consumers who shop at certain retail stores or websites, primarily those in

As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses avoid and mitigate these risks. Appropriate protective measures are specific to changing circumstances, but fortunately, guidance and helpful resources have quickly emerged. We have set forth below some important considerations in assessing administrative, technical, and contractual cybersecurity safeguards in virtual business and educational settings.

New tools bring new vulnerabilities

Many entities whose employees are now working from home for the first time are implementing new, sometimes expensive, tools to help their employees collaborate and maintain business operations. These new tools include videoconferencing, file-sharing, and other communication platforms. Even if the employer does not provide the tools, employees may find and use their own.

There are good reasons for implementing these tools at the business level, including consistent-use practices in the entity’s system, a process for regular software patches and updates, and discounted pricing. When selecting and implementing these tools, or modifying the manner and extent by which these tools will be used, it can be easy to overlook or minimize better practices for use of third-party information technology services: reasonable and appropriate diligence, contractual protections, and ongoing oversight and validation.

In addition, it is important to remember that the cybersecurity posture of many (if not most) online tools can vary widely depending on how the tool is configured, maintained, and used. This means considering whether the right virtual-IT skill set has been engaged and applied, and helping ensure that users have the information they need to make better privacy and data security decisions. Addressing these issues effectively can be especially challenging as work and learning environments change radically.Continue Reading U.S. cybersecurity – points to remember when business is not as usual

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders.  In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that, upon arriving at the FTC, strengthening the FTC’s orders in data security matters was among Chairman Joseph J. Simons and his first priorities.  Smith’s blog post is a useful roadmap to help understand the practices the Commission requires of companies under its orders.  Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.

The FTC began working towards specific improved data security orders in 2019, and Smith cites seven different 2019 data security orders in an effort to lay out some of these improvements.  The improvements, he notes, resulted in part from a December 2018 FTC hearing addressing areas of improvement for data security orders, as well as a 2018 Eleventh Circuit Court of Appeals decision.

As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability.  These changes fall into the following three categories:

(1) The orders are more specific.

(2) The orders increase third-party assessor accountability.

(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.Continue Reading New key features of FTC data security orders highlighted by Consumer Protection Bureau Director

Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
Continue Reading Uncertainty persists in biometric litigation

With the Artificial Intelligence Video Interview Act (effective January 1, 2020), or “AI Video Act,” Illinois has passed a groundbreaking new law regulating the use of artificial intelligence (“AI”) in video recruitment practices.

Background
Employers increasingly seek tech-enabled tools to facilitate the hiring, evaluation, retention and development of their workforces. However, as the implementation of