Amazon’s Alexa, Google devices such as Google Assistant and Google Home, Apple’s Siri, and Microsoft’s Cortana are now commonplace in many homes. These devices and other lesser-known counterparts allow users to control nearly everything in their homes with only their voice. That convenience, however, comes at the cost of some degree of privacy. While seldom viewed as presenting a live microphone inside one’s home or office, these otherwise passive listening devices begin recording upon initiation of a verbal cue. While the use (or even presence) of such voice assistants may present privacy concerns when used in consumers’ homes, with millions of people working remotely across the world due to COVID-19, these potential privacy concerns can quickly escalate to a much broader concern, especially for attorneys, who, as we discussed earlier, are bound to maintain confidentiality regarding information concerning the representation of their clients. But this concern extends far beyond “just” attorneys, because so many business dealings involve the exchange of confidential information. What one thinks of as a private or confidential discussion with a business partner is now taking place at home, perhaps with others around, but all too frequently in close proximity to these devices. Continue reading “Privacy Takes Many Forms”
Cybersecurity Concerns with Remote Work
While likely not the first topic that comes to mind amidst a global pandemic, organizations and businesses that now find themselves entirely (or almost entirely) remote would be remiss not to consider the potential data and cybersecurity issues raised by this sudden and unexpected shift to remote work. For much of the country, COVID-19 has resulted in an abrupt shift in the way we work. Even for those businesses that maintained robust work-from-home policies and systems, this shift presents a learning curve. The more traditional data and cybersecurity concerns ever-present in normal business operations are compounded by the difficulties presented by an extensive remote workforce. Preoccupied remote workers can be more susceptible to online threats such as phishing emails or malware and ransomware, thereby “opening the door” and providing unauthorized access to bad actors. The other, often lesser considered concern is accidental disclosure of confidential business information. Continue reading “Careful With The Remote”
Are Your Employees Telecommuting Now? COVID-19 and Cybersecurity Concerns for Businesses
A topic of immediate concern to businesses that has not received a great deal of attention (but should) is cybersecurity. There are unscrupulous people out there who will try to take advantage of the situation! This is especially worrisome with the increased usage of telecommuting to facilitate business continuity.
Within the Dept. of Homeland Security sits the Cybersecurity and Infrastructure Security Agency or CISA which is “responsible for protecting the Nation’s critical infrastructure from physical and cyber threats.” CISA, through its National Cyber Awareness System, released Defending Against COVID-19 Cyber Scams, see here for the full text. In short, beware of emails with malicious attachments and hyperlinks. Also be careful about social media pleas, texts and calls having to do with COVID-19.
The NCAS recommends:
On March 11, 2020, the California Attorney General (CA AG) issued additional revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA). The CA AG published a redline against the earlier proposed regulations highlighting the latest changes. A copy can be found here. The latest modified draft regulations are subject to a public comment period which ends on March 27, 2020, at 5:00 p.m. (PDT). Information about where to submit comments can be found at the end of this Alert.
While many of the latest changes consist of technical corrections or clarifications, there are some significant modifications, all are effective on July 1, 2020. Below, we summarized the key changes: Continue reading “CCPA: More Regulatory Changes Proposed”
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principals by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes. Continue reading “New Revisions to the CCPA”
In Part 1, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations both meet that time frame, but also seek to provide much-needed guidance to industry.
Most of the legislative changes focused on narrowing the definition of personal information, clarified the time frame which applies when a consumer demands information the business possesses about him or her, and also confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions: Continue reading “California Consumer Privacy Act: Are You Ready? (Part 2)”
In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
- Have annual gross revenues in excess of $25 million;
- Alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling consumer personal information.
This framework leaves companies to ask some very basic questions before deciding next steps:
- What is our annual gross revenue (not limited to California income)?
- Do we have the personal information of at least 50,000 consumers, households or devices located in California?
- Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
- Even if we do not sell that personal data, do we disclose any portion of it to any third parties?
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. If not, get ready for the year-end push! Continue reading “California Consumer Privacy Act: Are You Ready? (Part 1)”
When the law was signed by then Governor Brown (see our prior Alert here), the expectation was that Attorney General Becerra would issue the enabling regulations by July of this year, which would allow a phase-in period. Then by January 1, 2020, the requirements would be clear and companies would be able to properly formulate and implement their compliance policies. Regretfully, things are not going as expected.
First, in accordance with the law, General Becerra organized a series of public meetings: Continue reading “CA Consumer Privacy Act Gets a Rewrite”
In the last week, both the Dept. of Homeland Security and the Food and Drug Administration have issued a consumer alert about the potential hacking risk regarding cardiac devices, specifically because those devices have no encryption on their software. The devices in question are implantable cardiac devices, clinic programmers and home monitors which are used to regulate one’s heartbeat rate – to speed it up or slow it down, as needed. The focus this time is on the Medtronic Conexus Radio Frequency Telemetry Protocol. Given this latest notice, one has to wonder what will be the impact of the California IoT law.
What both federal agencies had to say is short range access allows interference with, generation, modification or interception of communications. There is also the ability to read/write any valid memory location on the implanted device and, therefore, impact its intended functionality. Continue reading “CA IoT Law: Devices at Risk?”
In a compromise to avoid a ballot measure, at the very last moment on the very last day, just before the stroke of midnight, on June 29, 2018, the California legislature passed and Governor Brown signed into law the California Consumer Privacy Act of 2018 (the “Act”), which takes effect on January 1, 2020. Many of its provisions are similar to the General Data Protection Regulations (“GDPR”), which took effect in Europe at the end of May, and required companies to institute new internal data privacy regimes. So, while those companies which prepared for the GDPR are well on their way to gaining compliance with this new law, there is still much to be done by them and especially those companies which were not impacted by the GDPR. Continue reading “California Consumer Privacy Act of 2018 – GDPR Lite?”