Posts in Data Privacy.

The Consortium of state privacy regulators just got stronger. Continue Reading ›

This is Part 3 of a three-part series. Part 1 and Part 2 can be accessed here and here. Continue Reading ›

Here’s what businesses need to know.

Until recently, the privacy rule under the Health Insurance Portability and Accountability Act (“HIPAA”) was not the focus of political or legal controversy. However, in June 2025, a federal judge in Texas vacated most of a privacy rule that would apply to reproduction. Continue Reading ›

It’s not just plaintiffs’ lawyers. Continue Reading ›

No more “checking the box.” Continue Reading ›

New York’s Child Data Protection Act, available here, took effect on June 20. This is a landmark piece of legislation designed to enhance the online privacy and safety of minors. As concerns over children’s digital footprints grow, New York’s approach is drawing national attention for its distinctive legal standards. Continue Reading ›

In the recent high-profile civil class action, Frasco v. Flo Health, a California federal court issued a significant ruling partially certifying a nationwide class and California subclass of individuals who used the Flo Health mobile app. The decision highlights the growing legal complexity of class action privacy claims in the age of Big Tech and health apps. Continue Reading ›

The U.S. Court of Appeals for the Ninth Circuit has issued a pivotal ruling that is likely to reshape privacy litigation for e-commerce platforms. Continue Reading ›

When evaluating where artificial intelligence has had the most impact, many think of their personal use of AI or the integration of AI into many consumer applications. The use of AI in the employment context is on the back burner for many, but it has become a significant issue. Continue Reading ›

The Constangy Cyber Team continues to expand our capabilities with the addition of three exceptional attorneys who joined the team this month. Continue Reading ›

On April 16, attorneys general from seven states and a state agency announced that they were forming the Consortium of Privacy Regulators, a new effort to better protect consumers’ privacy. Continue Reading ›

Consumers have been trading their DNA for a personal genetic history lesson with 23andMe since 2007. Continue Reading ›

EDITOR’S NOTE: This is Part Two of a two-part series. You can read Part One here. Continue Reading ›

EDITOR’S NOTE: This is Part One of a two-part series. Continue Reading ›

The California Invasion of Privacy Act continues to be a focal point for privacy litigation, particularly concerning website tracking practices. A recent case, Gabrielli v. Insider Inc., sheds new light on whether collecting and sharing an IP address violates the law. Continue Reading ›

With the number of data breaches increasing each year, it’s becoming more important to know what personal data you have and where you have it. On personal or even work devices, you may be surprised at how much of your data is just waiting to be taken advantage of by a bad actor. Continue Reading ›

Chile has amended its data privacy law, granting significant rights to data subjects and imposing stricter obligations on data controllers and processors. Published in the Official Gazette (Diario Oficial) on December 13, 2024, Chile’s new Personal Data Protection Law takes effect on December 1, 2026. Continue Reading ›

On December 24, New York Gov. Kathy Hochul (D) signed into law an amendment to section 899-aa of the N.Y. General Business Law, also known as The Shield Act, modifying the law’s data breach notification requirements. Continue Reading ›

In a significant move to regulate the growing impact of artificial intelligence, Oregon lawmakers recently passed Senate Bill 1571, requiring campaigns to disclose when they use AI to manipulate audio or video images, including deepfakes, to influence voters.  Although SB 1571 applies only to political campaigns, the Attorney General has issued guidance that may be helpful to businesses seeking to minimize their legal risks in connection with the use of AI. Continue Reading ›

Just in time for setting a new year’s resolution, the New York Senate passed health privacy bill S-929. This bill was first introduced during the 2024 legislative session but failed to pass. Now in the early weeks of 2025, S-929 has passed without any changes since 2024. The bill will now move to the Assembly Codes and Science & Technology Committees for further consideration. Continue Reading ›

The Constangy Cyber Team continues to grow with the addition of five outstanding new attorneys, allowing us to quickly and effectively respond to our clients' data privacy and cybersecurity needs. Please join us in welcoming Ryan Steidl, Lindsey Smith, Rob Yang, Matthew Basilotto, and Seth Greenwald to the Constangy Cyber Team. Each brings a wealth of knowledge and experience, underscoring our commitment to providing top-tier legal counsel. Continue Reading ›

Tomorrow is International Data Privacy Day, so a happy day to all!   Continue Reading ›

The California Privacy Protection Agency released proposed regulations in November 2024 that will, if finalized, create significant new hurdles for employers using artificial intelligence to assist with a variety of employment decisions. Continue Reading ›

Some FAQs about the law and the litigation that has ensued. Continue Reading ›

The NJ Data Privacy Act takes effect tomorrow. Continue Reading ›

A Written Information Security Plan, or “WISP,” is essential for any organization that handles sensitive personal information. Here’s a quick breakdown of who needs a WISP and why, as well as a checklist to develop one: Continue Reading ›

Amid the continued wave of consumer class action lawsuits targeting the use of cookies, pixels, beacons, and other tracking tools on organizations’ websites, a recent decision from the Massachusetts Supreme Judicial Court departed from other jurisdictions by holding that the state’s wiretap act did not apply to the use of these emerging technologies. Continue Reading ›

You've been hit by a ransomware attack, and a cybercriminal group is demanding a cryptocurrency payment in exchange for your data's safe return. Should you pay? Continue Reading ›

Happy Cyber Monday!

In honor of Computer Security Day (which was Saturday), we have a quiz designed to test your grasp of key laws, regulations, and best practices that keep your personal, financial, and sensitive information safe. Continue Reading ›

Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered. Continue Reading ›

Joseph Sullivan, Uber’s beleaguered former Chief Information Security Officer, was back in the news last month when he appealed his 2023 conviction for his role in concealing a 2016 breach of Uber’s network and customer data.  Continue Reading ›

We’re thrilled to announce exciting new additions to the Constangy Cyber Team, with three new partners and a law clerk. Each new team member brings unique experience and skills to our offices in Philadelphia, Chicago, and New York. Continue Reading ›

New York’s Cybersecurity Regulation continues its phased roll-out on November 1, when licensed financial services companies face a host of new requirements aimed at bolstering breach readiness and improving their ability to recover from disastrous situations. Companies will be required to put in writing how they would address several common pressure points in the breach response and mitigation process – including how they plan to recover from backups if critical data is lost. Continue Reading ›

Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers. Continue Reading ›

The NetDiligence Cyber Risk Summit, which was held September 30-October 2 in Philadelphia, featured panels focused on the latest developments and challenges in cyber risk. Speakers included insurance, legal, and technology experts from a wide variety of organizations in the cyber risk industry. Continue Reading ›

On October 1, Montana became the newest state with a comprehensive data privacy law, the Montana Consumer Data Privacy Act. Continue Reading ›

The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available here (2024 Act 33 - PA General Assembly, state.pa.us), took effect last week, on September 26. The key provisions are as follows: Continue Reading ›

On April 24, the Federal Trade Commission announced that it had finalized changes to its Health Breach Notification Rule to address emerging technologies.

Specifically, the Rule was broadened to (1) apply to entities not currently subject to the Health Insurance Portability and Accountability Act, (2) clarify what a breach of security is, (3) expand notification methods, (4) impose additional requirements for the content of notifications, and (5) amend the timeframe for issuing required notifications to the FTC. Continue Reading ›

Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.   Continue Reading ›

Laura Balson in our Chicago office recently discussed an amendment to the Illinois Biometric Information Privacy Act. At that time, the Illinois House and Senate had passed an amendment to the Illinois Biometric Information Privacy Act, or “BIPA,” which was awaiting the signature of Gov. J.B. Pritzker (D). The amendment has now been signed and must be a consideration in BIPA litigation and in the use of biometric data.

Most significantly, the amendment specifies that an individual is limited to one recovery, even if there were multiple scans that violated the Act. This is good news for businesses. Continue Reading ›

Minnesota has become the 18th state to enact a comprehensive consumer privacy law. On May 24, Gov. Tim Walz (D) signed the Minnesota Consumer Data Privacy Act into law to provide privacy rights to Minnesotans and to impose new requirements on businesses and organizations handling personal data. For most covered entities, the law will go into effect on July 31, 2025. Continue Reading ›

Effective May 24, 2024, the Office of the Privacy Commissioner of Canada (OPC) has introduced a new online PIPEDA breach reporting form for federal institutions and businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Continue Reading ›

The past couple of years have seen a number of states enact comprehensive privacy laws. Thus far, California, Colorado, Connecticut, Utah, and Virginia have enacted state privacy laws. In July, we will see three new privacy laws take effect in Texas, Oregon, and Florida. A privacy law in Montana will become effective on October 1. Continue Reading ›

The State of Utah recently amended its general data breach notification statute to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The amendments also clarify when notifications can be considered confidential or classified under the state’s public records law. Continue Reading ›

On April 17, Colorado Gov. Jared Polis (D) signed into law a bill that will extend privacy rights to individuals’ neural data. Although certain states have enacted privacy laws that include protection of sensitive and biometric data, Colorado’s law is the first that explicitly addresses neural data. Continue Reading ›

On April 6, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024, sending the bill to the state’s governor for signing.  The bill comes on the heels of the Kentucky Consumer Data Protection Act, which was signed into law on April 4.  If the Act is signed into law, it will bring the number of states with comprehensive privacy laws to 16. Continue Reading ›

Yesterday, March 27, the U.S. Cybersecurity and Infrastructure Security Agency published the Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It is important to note that these are draft rules and do not, on their own, require organizations to report any incidents until after a Final Rule is published. CISA expects to publish the Final Rule in late 2025 with an effective date at least 60 days after publication. This is likely to push the effective date into 2026. Continue Reading ›

On Monday, the U.S. Department of Health and Human Services Office for Civil Rights issued updated guidance on the use of online tracking technologies by covered entities and business associates (here, referred to as “regulated entities”) under the Health Insurance Portability and Accountability Act Privacy Rule. The intent of the guidance is to provide regulated entities with considerations when using tracking technologies on their websites and mobile applications. Continue Reading ›

Last week, the California Attorney General announced its second-ever settlement under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The settlement was with the online food ordering and delivery platform DoorDash. Continue Reading ›

In an opinion filed on Friday, California’s Third District Court of Appeal reversed a lower court ruling that postponed until the end of March the enforcement of regulations promulgated pursuant to the California Privacy Rights Act. Continue Reading ›

On January 16, Gov. Phil Murphy (D) of New Jersey signed Senate Bill No. 332 into law. The New Jersey privacy law generally follows the same framework found in many of the comprehensive privacy laws enacted by other states and contains many of the same standard features. However, there are a few notable differences, highlighted below, that will require covered businesses to adjust their privacy programs. Continue Reading ›

The ever-increasing privacy and security risks via third-party vendors and service providers were apparent in 2023 with news of large organizations such as MOVEit, Okta and AT&T being affected. Research has shown that 98 percent of organizations have at least one third-party vendor that experienced a cyber incident within the past two years. With this growing trend, it is increasingly important for organizations to develop robust third-party risk management programs and to consistently review their third parties to safeguard against security threats and ensure the security and privacy of their data. Continue Reading ›

On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.” Continue Reading ›

The New York Department of Financial Services recently amended its Cybersecurity Regulation. The revisions aim to strengthen cybersecurity and technology controls to address evolving threats to consumer data and ensure the continued integrity of financial systems. Here are a few key elements of the amendments to the Regulation and what we think will be their immediate impact on financial institutions. Continue Reading ›

‘Tis the season for the hustle and bustle of year-end holiday activities. With that comes the increased risk of cybercriminals exploiting the season to find vulnerabilities. This includes taking advantage of increased online transactions, employee vacations, and holiday gift-giving to launch attacks on organizations large and small. Below are some steps companies can consider taking to increase their defenses against the most common holiday cybersecurity threats: Continue Reading ›

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Continue Reading ›

Data processing agreements are a standard part of business arrangements involving personal data due to the European Union’s General Data Protection Regulation as well as the ever-expanding number of U.S. consumer privacy statutes. Continue Reading ›

Amendments have recently been proposed to two of the three statutes to be enacted under Canada’s Bill C-27: The Digital Charter Implementation Act. The statutes that may be amended are the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. The proposed amendments would beef up the protections in both statutes. Continue Reading ›

The Federal Trade Commission has approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that creates a new data privacy regulatory reporting requirement for non-banking financial entities. Covered entities must notify the FTC within 30 days of discovery of a “notification event” that involves the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The new rule, announced on October 27, takes effect 180 days after publication in the Federal Register, meaning approximately May 2024. Continue Reading ›

Last week, we discussed action taken by three states, Texas, California, and Ohio, to enhance protection of children’s data online. In this second installment, we shift our attention to address the 2023 legislative efforts of three additional states: Utah, Arkansas, and Connecticut. Continue Reading ›

On Monday, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This Executive Order follows several other AI-related government initiatives, including the Blueprint for an AI Bill of Rights, the National Institute of Standards and Technology AI Risk Management Framework, the National AI R&D Strategic Plan, and the National AI Research Resource Roadmap. Continue Reading ›

Over the past few years, states have launched various legislative expansion efforts to enhance the protection of children on social media and generally online. For example, this summer, Texas Gov. Greg Abbott (R) signed into law the Securing Children Online through Parental Empowerment Act (SCOPE Act), which goes into effect September 2024. By doing so, Texas joins a multitude of other states that have passed similar legislation, including Arkansas, California, Connecticut, Minnesota, Ohio, and Utah. In part one of this two-part series, we discuss the child data protection laws in Texas, California, and Ohio. Continue Reading ›

California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law. Continue Reading ›

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework. Continue Reading ›

On May 22, 2022, Minnesota Gov. Tim Walz (D) signed the Student Data Privacy Act (the “Act”), H.F. No. 2353, into law, which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year. Continue Reading ›

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days. Continue Reading ›

It’s an understatement to say that companies are excited about Artificial Intelligence. AI has the potential to optimize productivity and improve efficiency in many areas of a business. The potential benefits are undeniable, but there are some uses that present significant risk to businesses. One area that warrants caution is in the context of employment.  Continue Reading ›

On September 11th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve. Continue Reading ›

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies. Continue Reading ›

This summer, Gov. Joe Lombardo (R) signed the Consumer Health Data Privacy Act into law. The Act, which will take effect March 31, 2024, provides protections for consumer health data collected and maintained by regulated entities. Continue Reading ›

Boards of Directors for public companies across the country are likely to be taking stock of their companies’ cybersecurity practices and strategies after the Securities and Exchange Commission’s adoption of the Cybersecurity Incident Disclosure Rule on July 26. Although the SEC removed the requirement for corporate boards to include members with cybersecurity expertise, it still intends for the Rule to result in greater transparency of companies’ cybersecurity governance and to aid in investor understanding. The Rule presents additional reasons for companies to determine who, if anyone, on their Boards can help with oversight of cybersecurity governance. Continue Reading ›

As a former Special Agent for the Federal Bureau of Investigation who investigated cybercrimes involving children, I know from experience that the topic of increasing online protections for minors provoked intense debates among law enforcement, social services, parents, and the civil rights communities.

Often the discussions focused on how to preserve the positive impact of the internet while addressing the negative aspects, such as the facilitation of cyber bullying, narcotics trafficking, and various forms of exploitation. While others continue the discussion, Texas has stepped beyond the debate and enacted a new regulatory regime intended to shield certain materials from being viewed by minors, and to limit the collection and usage of their data. Continue Reading ›

This year has proven to be active in terms of state privacy legislation. In addition to Montana’s Consumer Data Privacy Act, the state has now passed a Genetic Information Privacy Act. Continue Reading ›

On July 31, the California Privacy Protection Agency’s Enforcement Division announced that it would be reviewing connected vehicle manufacturers’ and technologies’ privacy practices. Connected vehicles contain features that collect information about owners and riders, including location sharing, web-based entertainment, cameras, and smartphone integrations. Continue Reading ›

EDITOR’S NOTE: This is part three of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT. This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

As with all other products and technologies, we can expect to see (and in fact already do see) the emergence of varying approaches to governance for artificial intelligence systems. Currently, AI oversight may be addressed within independent federal, state, and international frameworks – for instance, within the regulation of autonomous vehicle development, or laws applicable to automated decision-making. So, how can we expect regulatory frameworks to develop for AI as an independently regulated field? Continue Reading ›

On July 26, the Securities and Exchange Commission adopted a new rule regarding cybersecurity risk management, strategy, governance, and incident disclosure.  The “Cybersecurity Incident Disclosure Rule” will be applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934. It is premised on the belief that investors will benefit from more timely and consistent disclosure about material cybersecurity incidents, and follows interpretive guidance the SEC issued in 2011 and 2018. The Final Rule will take effect 30 days after being published in the Federal Register – likely by September 1. Continue Reading ›

EDITOR’S NOTE: This is part two of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT.  This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

Recent developments in Artificial Intelligence have opened the door to exciting possibilities for innovation. From helping doctors communicate better with their patients to drafting a travel itinerary as you explore new locales (best to verify that all the recommendations are still open!), AI is beginning to demonstrate that it can positively affect our lives. 

However, these exciting possibilities also allow malicious actors to abuse the systems and introduce new or “improved” cyber threats. Continue Reading ›

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”). Continue Reading ›

EDITOR’S NOTE: This is part one of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT.  This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

Artificial Intelligence is not a new concept or endeavor. In October 1950, Alan Turing published “Computing Machinery and Intelligence,” proposing the question: Can machines think? Since then, the concept has been studied at length, with an immediately recognizable example being IBM Watson, which memorably defeated Jeopardy! champions Ken Jennings and Brad Rutter in 2011. AI has been captured and fictionalized in movies, video games, and books. Even if we are not aware of it, AI underlies many technical tools that we use every day. Continue Reading ›

The national impact of ransomware is expanding. Following a dip in the recorded number of ransomware attacks for 2022, there have been multiple nationwide events with devastating effect in 2023.  Given the damage across private and public enterprises, the federal government has sought to provide additional information and resources to assist those who are preparing to defend against an attack or for businesses who have already experienced a ransomware attack. Continue Reading ›

On Friday, the Sacramento Superior Court issued a ruling delaying the enforcement of recently enacted California Privacy Rights Act regulations until March 2024. The CPRA, which amended the California Consumer Privacy Act, directs the California Privacy Protection Agency to promulgate regulations that further explain and detail the requirements of the CPRA. The agency was supposed to issue regulations by July 1, 2022, with an enforcement date of July 1, 2023. However, the agency did not issue those regulations until March 24, 2023. Continue Reading ›

Oregon will soon join Iowa, Indiana, Florida, Montana, Texas, and Tennessee in passing a comprehensive data privacy law. On June 25, the Oregon legislature passed the Oregon Consumer Privacy Act. The OCPA has moved to the desk of Gov. Tina Kotek (D), who is expected to sign it into law. Assuming she does, the law will take effect on July 1, 2024. Continue Reading ›

The European Court of Justice has issued two important decisions interpreting the European Union’s General Data Protection Regulation. One addresses the right to compensation for GDPR violations, and the other addresses the scope of an individual’s right of access when his or her data has been provided by a controller to other recipients. Each decision is discussed below. Continue Reading ›

This year has so far proven to be quite active in terms of state privacy legislation. In 2022, California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws on the books, all set to take effect in 2023. Then, earlier this year, Iowa, Indiana, and Tennessee enacted their own respective comprehensive privacy laws. Iowa’s and Tennessee’s laws will take effect in 2025, and Indiana’s law will take effect in 2026. Continue Reading ›

On Thursday, May 11, Gov. Bill Lee (R) signed into law the Tennessee Information Protection Act. The new TIPA follows the recent enactment of data privacy laws in Iowa and Indiana. The other states with data privacy laws are California, Colorado, Connecticut, Utah, and Virginia. Continue Reading ›

On the heels of the unanimous passage of Iowa’s Act Relating to Consumer Data Protection on March 28, Indiana’s Consumer Data Protection Act was passed by the state legislature on April 13 and has been signed into law by Gov. Eric Holcomb (R). Continue Reading ›

Plaintiffs are becoming increasingly creative in their attempts to seek relief involving alleged privacy violations resulting from their online activity. This includes raising allegations of violations of the Video Privacy Protection Act, a federal law enacted in 1988 largely in response to privacy concerns surrounding businesses’ use of individuals’ video tape rental histories.  Continue Reading ›

It’s only April, but 2023 has already been a big year for new and evolving data privacy legislation. In January, the California Privacy Rights Act took effect, expanding and clarifying the rights and obligations within the California Consumer Privacy Act. In addition, exceptions for business-to-business and employee and applicant data expired, ushering in new requirements and broadening the reach of the California laws. At the same time, the second major state data privacy law – the Virginia Consumer Data Protection Act – took full effect. Continue Reading ›

By now, you have probably heard about OpenAI’s ChatGPT, an artificially intelligent chatbot, and similar chatbots that have launched in its wake. (Chris Deubert and I have previously written about it here.) Continue Reading ›

The Illinois Biometric Information Privacy Act, enacted in 2008, was designed to provide individuals with control over their biometric information and to establish standards for collection. The Illinois Supreme Court has recently issued three opinions interpreting provisions of the BIPA, two of which are likely to result in a spike in BIPA claims and related litigation. Continue Reading ›

The Nigerian prince seems almost quaint.

Gone are the days when the Nigerian prince was the only nefarious figure menacing our inboxes.  A simple yet elegant scheme – our supposed prince unexpectedly fell upon a large sum of money, left behind by a fallen war hero, bequeathed by a terminally-ill spouse, or, perhaps, borne from the fruits of new age oil exploration. The funds are (somehow) rightfully yours, but a bureaucratic quagmire has them tied up, and they cannot be released until you pay a *small* fee. Just send a few million dollars to a specified bank account, and the endless riches are yours. Continue Reading ›

Recent amendments to Pennsylvania’s data breach law, the Breach of Personal Information Notification Act, will take effect May 3. The amendments were enacted in November.

Originally enacted in 2006, the Act provides for the security of computerized data and requires notification to Pennsylvania residents whose personal information was, or may have been, disclosed due to a breach of the security of an entity’s system. Continue Reading ›

The life cycle of a data security incident begins and ends with preparation.

Unfortunately, there is no such thing as a network or system with “zero vulnerabilities.” There are jokes about absolute network security, including that the only secure network is one without users or one with no access. There is no perfect code, no perfect software, no perfect hardware, and even the most well-intentioned user can be socially engineered. Consequently, preparation at all levels of information security is critical to protect businesses from catastrophic attacks. Continue Reading ›

A significant HIPAA reporting deadline is fast approaching for all covered entities.  Continue Reading ›

Fight back against this major cyber threat.

Business Email Compromise is one of the greatest cyber threats to businesses of all sizes and industries, particularly those involved in regular wire transfers of funds. According to the Federal Bureau of Investigation, between June 2016 and December 2021, BEC scams were reported in all 50 states and 177 countries, with more than 140 countries receiving fraudulent transfers. These statistics are based on information reported to the FBI by victims, law enforcement, and the banking community. Actual and attempted dollar losses associated with these reports exceed $43 billion. Because these numbers are based only on compromises that have been reported, the true cost of BEC scams is in all likelihood much greater. Continue Reading ›

Proposed regulations have been submitted for review.

On February 3, the Board of the California Privacy Protection Agency held its latest public meeting, focused on the anticipated regulations interpreting the California Consumer Privacy Act, as now amended by the California Privacy Rights Act.  Continue Reading ›

An updated version of the NIST Cybersecurity Framework is on the way.

In 2013, President Barack Obama directed the National Institute of Standards and Technology (“NIST”) to lead the development of a cybersecurity framework to “reduce cyber risks to critical infrastructure.” The result was the NIST Cybersecurity Framework (formally, the “Framework for Improving Critical Infrastructure Cybersecurity”), a comprehensive, flexible, and scalable approach that provides a structure that can be used by entities to create, guide, assess, or improve their cybersecurity programs. The first version, v1.0, of the CSF was released in February 2014. NIST subsequently released v1.1 of the CSF in April 2018 to clarify, refine, and enhance the framework. Since its release, the CSF has been widely adopted across a range of industries within the United States and internationally. Continue Reading ›

In Jones v. Google, LLC, a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit held that a district court judge erred in finding that state privacy claims were preempted by the federal statutory framework referred to as the Children’s Online Privacy Protection Act, or “COPPA.” The district court had dismissed a class action brought by children based on allegations “that Google used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent…” Continue Reading ›

Welcome to the Constangy Cyber Advisor! Our 44-member cybersecurity and data privacy team is excited to announce we have joined the nationally renowned labor and employment law firm Constangy, Brooks, Smith & Prophete, LLP! As part of this move, the Constangy Cyber Team will regularly post blogs to the Constangy Cyber Advisor about significant data privacy and information security issues. Our blog posts will be informed by the thousands of data breaches we have managed, the dozens of new data breaches we manage each week, the robust compliance advisory services we provide to our clients, and the complex data privacy and security litigation on which we consult with our class action litigators.  Continue Reading ›

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
