Tagged: Data Privacy

States Step Up Data Privacy and Security Regulation

State legislatures in California and New York have taken action to respond to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA requires businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt out from its...

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would rise to $600 after a short period of time, and if the victim refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, and potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important as, if not more so than, the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is a victim of a successful attack. Implement a Written Information Security Program. Knowing how to mitigate the...

Seventh Circuit Affirms Dismissal of Data Privacy Class Action on Article III Standing Grounds

Since the United States Supreme Court decided Spokeo, Inc. v. Robins in May 2016, lower courts have struggled to consistently determine whether a plaintiff has standing to sue in federal court, which, as the Spokeo court explained, “requires a concrete injury even in the context of a statutory violation.” That is, even when Congress has made something unlawful and authorized an award of statutory damages for the unlawful act, the mere violation of that law is not itself sufficient to confer standing to sue under Article III of the U.S. Constitution. But precisely what is required to demonstrate sufficient “injury” under Article III remains unclear after Spokeo, especially in the data-breach and data-privacy contexts. In Gubala v. Time Warner Cable, Inc., however, a unanimous Seventh Circuit decision, authored by Judge Posner, held that the defendant’s possible failure to comply with a requirement contained in the Cable Communications Policy Act (requiring the destruction of personally identifiable information (“PII”) if the information is no longer necessary for the purpose for which it was collected) did not afford the plaintiff Article III standing to sue for violation of the statute where his personal information was not released or disseminated in any way. The plaintiff...