Cybersecurity

California Consumer Privacy Act of 2018 – GDPR Lite?

By Susan Kohn Ross and Aaron Wais

In a compromise to avoid a ballot measure, at the very last moment on the very last day, just before the stroke of midnight, on June 29, 2018, the California legislature passed and Governor Brown signed into law the California Consumer Privacy Act of 2018 (the “Act”), which takes effect on January 1, 2020. Many of its provisions are similar to the General Data Protection Regulations (“GDPR”), which took effect in Europe at the end of May, and required companies to institute new internal data privacy regimes. So, while those companies which prepared for the GDPR are well on their way to gaining compliance with this new law, there is still much to be done by them and especially those companies which were not impacted by the GDPR. (more…)

The GDPR is Coming – Are You Ready?

GDPR Webinar Invite l BackgroundBy Susan Kohn Ross and Aaron Wais

On May 25, 2018, important European regulations regarding data privacy and protection go into effect that will have a major impact on American companies, many of whom don’t realize they will be subject to compliance with its requirements. The General Data Protection Regulations (the “GDPR”) will have severe penalties for non-compliance (as high as €20 million or 4% of annual worldwide turnover). The GDPR will also have very broad territorial reach applying not only to European entities, but also to entities located outside of Europe (including those in the U.S.) that process the personal data of living European individuals residing in the covered countries, including if the company:

  • Offers goods or services to individuals in the covered countries (e.g., e-commerce, capital raising, fund raising, immigration);
  • Employs individuals in one or more of the countries;
  • Monitors the behavior of individuals in any of these countries; and
  • Collects, stores, or processes the personal data of affected individuals on behalf of others.

For these purposes, the European definition of personal data mirrors nicely the American definition of personally identifiable information. Given the severe penalties and broad reach, it is important that each company in the U.S. consider whether the GDPR applies to its operations and, if so, how best to comply. (more…)

SEC Cyber Unit & Task Force

Security.

Photo credit: iStock.com/artisteer

By Melanie Figueroa

With increased attention to how securities laws may apply to digital token sales and the disruptive nature of increased cyber threats to the investor community, the Securities Exchange Commission (“SEC”) last week announced two new initiatives.  The SEC’s press release, found here, outlined the creation of the Cyber Unit (“Unit”) and the Retail Strategy Task Force (“RSTF”).

According to the press release the Unit will focus the Enforcement Division’s substantial cyber-related expertise on targeting cyber-related misconduct, including: (more…)

If You SEC Something, Say Something

Cybersecurity of network of connected devices and personal data security

Photo credit: iStock.com/NicoElNino

By Melanie Figueroa and Susan Kohn Ross

Just about every survey of General Counsels reveals the same #1 culprit of sleepless nights….. a cybersecurity hack. If you run a business in today’s global environment, it is hard to escape the fundamental reality that it is more than likely a matter of when, not if, you will face a cyber threat. And depending on the nature of your business, that threat can have a wide range of implications. If you are a public company, there is an additional issue to consider… what do you have to disclose to your investors and shareholders?

Being prepared for a hack with a comprehensive written information security plan and an equally robust incident response plan is just one component to be considered if you are a public company. You must also have a plan to meet your reporting and disclosure obligations to a variety of governmental bodies. While measuring your response needs in the wake of a hack, and determining if there are state, federal or international laws and regulations that require reporting, you must also pay close attention to possible disclosure obligations in your SEC filings. Specifically, if you have tripped a disclosure to a state attorney general or your company’s customers, then it is possible you may also have a disclosure obligation to your shareholders. (more…)

Data Breaches: An Employer’s Duty to Protect Employees’ Personal Information

By Aaron Wais

It is tax season, which means that criminals are busy trying to steal people’s tax information (e.g., names, addresses, social security numbers, income information), which they can use to file fraudulent tax returns and steal tax refunds.

As an employer, you likely maintain your employees’ tax information and, thus, are a target.  Indeed, criminals regularly target employers and hack their databases or pose as company executives and send a phishing email asking for all employees’ W-2s for accounting purposes.

As such, it is important to understand your duty to protect your employees’ personal information, as well as potential liability for failing to do so.  Most states, including California, make clear that employers have a legal duty to protect their employees’ personal information.  These courts also make clear that whether an employer has legally compliant, written policies for protecting private information and responding to data breaches will heavily inform whether and the extent of an employer’s liability for a data breach.

(more…)

Importance of Maintaining Cybersecurity Measures – Assessing the Ashley Madison Data Breach Settlement

By Aaron Wais

Daily headlines of data breaches, resulting class actions, governmental investigations and enforcement actions, and the settlements of those actions serve as constant reminders of the need to implement and maintain reasonable cybersecurity measures. Yet another example can be found in the recent announcement by the Federal Trade Commission, which states that the operators of Ashley Madison have agreed to settle the charges brought against them by the FTC and over a dozen state attorneys generals arising out of the July 2015 data breach of Ashley Madison’s network. Analyzing the settlement also provides additional guidance on what regulators mean when they refer to reasonable safeguards.

(more…)

Shielded but Not Covered – Privacy Demands Better Protection

By Susan Kohn Ross 

Yesterday, the Article 29 Working Party took action which some found surprising and others predicted. It found the EU-U.S. Privacy Shield did not contain adequate protections and needs further improvement. The Working Party’s statement can be found here.

While acknowledging the Privacy Shield contains “significant improvements” over the previous Safe Harbor, the Working Party also stated its objective is to “make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield.” (more…)

The More Things Change – The More They Stay The Same

By Susan Kohn Ross

Originally published by the Journal of Commerce in January 2016

In writing this article, it was interesting to look back and see whether the old crystal ball was accurate in its predictions in earlier years. Truthfully, the expectation was the old themes were similar over time, and that turned out to be the case. Those earlier articles made clear, the challenges facing businesses in the context of import and export remain complex. By way of example, one constant theme is the rising cost of compliance. A related theme has to do with the expanding complexity of issues demanding compliance efforts. (more…)

Cyber Bill No Real Help to Supply Chain Security

By Susan Kohn Ross

Originally published by the Journal of Commerce in January 2016

In the lead-up to President Obama signing into law on December 18, 2015 the Cybersecurity Act of 2015, Public Law. 114-113, there was hope that finally there would be a vehicle through which the federal government would be able to share broad ranges of supply chain security information with C-TPAT members. Alas, that did not turn out to be the case. (more…)

DOJ Sets Its Sights on Directors and Officers

By Susan Kohn Ross

Originally published in September 2015.

Whether publicly traded or privately held, corporate boards have been put on notice – the Department of Justice (Justice or DOJ) is after you! On September 9th, DOJ issued a memo entitled: Individual Accountability for Corporate Wrongdoing. In it, Main Justice made clear to all offices that any activity which involves the potential for liability on the part of a corporation can and must also focus on the potentially culpable individuals. (more…)