On August 30, 2020, the California Legislature passed AB-1281 which, if signed by Governor Newsom, will extend two key exemptions to the California Consumer Privacy Act (the “CCPA”) until January 1, 2022.  The extension of these exemptions, which will otherwise expire on January 1, 2021 without legislative or voter action, will come as

CSG/LIFARS webinar_Cybersecurity and Data Protection Best Practices Amid COVID-19

CSG’s Michelle A. Schaap will join Ondrej Krehel, CEO and Founder of LIFARS, LLC, and Roota Almeida, CISO with Delta Dental of New Jersey and Connecticut, on Wednesday, July 29, from 3:00 – 3:45 PM EDT for a virtual discussion around strategy and best practices in the face of the current escalated legal and cyber

Today, July 16, 2020, the Court of Justice1 invalidated Privacy Shield as a means to self-certify that a business is securely and appropriately protecting personal data when transferring such data from the EU to the United States. In part, the Court found that the Privacy Shield did not adequately ensure individuals’ audit rights or appropriate recourse, and therefore, the Court invalidated Privacy Shield, effective immediately. There is no grace period

This same court invalidated the Safe Harbor in 2015, and Privacy Shield then replaced that Safe Harbor.

This ruling impacts more than 5,000 companies that incurred the time and expense to self-certify under Privacy Shield.
Continue Reading No More Safe Harbor… Take Two: Immediate Invalidation of Privacy Shield

Even if your business is based on the East Coast, you are likely to feel the effects of the California Consumer Privacy Act (“CCPA”), which will be effective January 1, 2020.

CCPA applies to for-profit businesses that:

  • Do business in the state of California; collect, or contract with a vendor for the collection of, personal information of “consumers[1]”; and determine the means or purpose of processing the data and
    • Have annual gross revenues in excess of $25,000,000 OR
    • Buy, receive, sell or share information about 50,000 or more consumers, households or devices for commercial purposes OR
    • Derive more than half of their revenue from selling consumers’ personal information.

So… if you are not doing business in California, or you do not fall into one of the sub-categories enumerated above, why do you need to worry about CCPA?
Continue Reading Not in California? Here’s Why the CCPA Should Still Be on Your Radar

States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law.  The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.

Effective March 2020, the proactive portion of the SHIELD Act will:

  • Apply to any business that has personal information (“PI”) regarding any New York resident
  • Require those businesses to adopt proactive measures to safeguard that PI
  • Require businesses to vet vendors entrusted with or with access to that PI

The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).

While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control.  And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business.
Continue Reading The Long Reach of New York’s SHIELD Act

In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill that would have been more stringent on

On November 21, 2018, the Pennsylvania Supreme Court, the highest ranking state court in Pennsylvania, ruled that an employer had a common law duty to exercise reasonable care to protect employees’ personal data where, as a condition to employment, the employer (i) required employees to provide sensitive data, (ii) the employer chose to store such

In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies.  At