Companies are becoming increasingly aware of the reach of biometric privacy laws, which are designed to protect an individual's biometric identifiers or biometric information ("biometric data"), such as fingerprints, voiceprints, hand scans, and face geometry. Since the Illinois Biometric Information Privacy Act ("BIPA") became effective in 2008, a number of states have passed or are considering [1] similar laws protecting such biometric data.
Continue Reading Biometric Data Protection Laws – Coming to a Jurisdiction Near You

On January 6, 2021, the proposed Biometric Privacy Act (the “Act”) was introduced to the New York State legislature.  If adopted as drafted, the Act will require:

  • Any private entity that “possesses”¹ any biometric identifiers and/or information² (or “biometric data”) must have a written policy, publicly available³, establishing its retention and destruction schedule, as well as a secure means of destroying the data on the sooner of (i) when no longer needed for its original purpose of collection or (ii) after three years from the private entity’s interaction with the person providing the data.
  • A private entity cannot acquire, collect, trade, store, purchase or capture biometric data, whether from the person themselves or a third party unless the entity first:
    • Informs the subject that their data is being so collected, stored, captured, purchased and/or traded
    • Informs the subject of the underlying legal purpose for which the data is being collected, stored and/or used
    • Receives a written release⁴ from the person or their legal representative.

To be clear, this will apply whether the data is collected from an employee (consider a biometric time clock) or a customer (think thumbprints used at amusement parks and to unlock devices).

Further, the draft legislation proscribes
Continue Reading First, There Was The New York Shield Act, and Now… The New York Biometric Privacy Act?

Earlier this month, we learned that the SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1*, released between March 2020 and June 2020, were compromised by an advanced persistent threat actor (or APT).  The perpetrators of this sophisticated attack implanted a Trojan into a legitimate update to the Orion Platform

For those businesses located in the State of New Jersey, the state does not (yet) have proactive legislation in place requiring businesses to take “reasonable” measures to protect personal information of residents.  However, if you have customers and/or personnel from outside the State, you may already be subject to the proactive legislation requirements of other

On October 29, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the U.S. Department of Health and Human Services (HHS) warned of an increased, imminent threat to U.S. hospitals and healthcare providers. The agencies have credible information that malicious cyber actors are targeting the healthcare and public health

On August 30, 2020, the California Legislature passed AB-1281 which, if signed by Governor Newsom, will extend two key exemptions to the California Consumer Privacy Act (the “CCPA”) until January 1, 2022.  The extension of these exemptions, which will otherwise expire on January 1, 2021 without legislative or voter action, will come as

Today, July 16, 2020, the Court of Justice¹ invalidated Privacy Shield as a means to self-certify that a business is securely and appropriately protecting personal data when transferring such data from the EU to the United States. In part, the Court found that the Privacy Shield did not adequately ensure individuals' audit rights or appropriate recourse, and therefore, the Court invalidated Privacy Shield, effective immediately. There is no grace period

This same court invalidated the Safe Harbor in 2015, and Privacy Shield then replaced that Safe Harbor.

This ruling impacts more than 5,000 companies that incurred the time and expense to self-certify under Privacy Shield.
Continue Reading No More Safe Harbor… Take Two: Immediate Invalidation of Privacy Shield

The FBI issued an alert warning of an attack targeting e-commerce websites.  The bad actors are embedding malicious code directly into the e-commerce site's pages so that it skims account and payment information as customers enter it.

The notice, found here, provides the details of this attack.

As always, the best defense against this and other cyberattacks is to have layers of defenses

You are in a fantasy football league, registered with your email address and a password.  Unbeknownst to you, however, the league's site has been breached, and access credentials have been stolen.  The site discovers the breach, investigates it, and gives notice to impacted individuals.

If you are lucky, the time between when the original breach occurred and when you receive notice is 60 days;  more likely it will be longer – potentially 18 months or more.  In the meantime, because you reuse your password for multiple accounts, the bad actor that compromised the fantasy league site has already used your password to access your Gmail or AOL account, reset your password, logged into your bank account, and drained your funds.

Sound like a bad made-for-TV movie or detective show episode?

Sadly, the scenario outlined above is true and happened to a gentleman in Texas, and was shared during a recent InfraGard¹ webinar.
Continue Reading The Life of a Data Breach: The “Gift” That Keeps on Giving