Cybersecurity: SEC and Other Regulators

In today’s world, cybersecurity breaches and threats are pervasive concerns for any business entity, without exception. Working from home arrangements due to COVID-19 constraints only magnify the risk and create further vulnerabilities for companies. Companies should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity. Cybersecurity breaches are unique in that an entity can both be the victim of the breach and still be found to have a degree of responsibility. Fortunately, there are precautionary measures that companies can implement to help prevent a breach and to mitigate the scope and damage of a breach if one were to occur. We will elaborate on the steps to take to guard against a breach and how to effectively respond to a breach in a forthcoming post.

Read the full post on Proskauer’s Minding Your Business blog.

* * *

Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take and resources to help manage ongoing operations.

Tags: California Consumer Privacy Act of 2018, CCPA, coronavirus, COVID-19, cyber threats, cybersecurity, data breach, FEDERAL TRADE COMMISSION (FTC), Financial Crimes Enforcement Network (FinCEN, Graham Leach Bliley Act of 1999, Regulation S-P, Regulatory Framework, Securities and Exchange Commssion

French DPA Issues Guidance Surrounding Practice of Web Scraping

By Jeffrey Neuburger, Stéphanie Martinier, Jonathan Mollod and Mathilde Pepin on May 13, 2020 Posted in Data Privacy Laws, European Union, France, GDPR

On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes. The guidance is significant in two respects. First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns. Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data. Continue Reading

Tags: CNIL, data collection, data security, direct marketing, French Data Protection Authority, General Data Protection Regulation (GDPR), guidance, personal data, web scraping

Trends in Privacy and Data Security

By Jeffrey Neuburger on April 17, 2020 Posted in Cybersecurity, Data Breaches, Data Privacy Laws, Privacy Law

Privacy and cybersecurity remain top priorities for regulators and companies alike, as the threats posed by large-scale data breaches and other cyber incidents show no signs of waning. Companies and their counsel must monitor privacy and data security-related enforcement trends, new laws and regulations, and key emerging issues to mitigate risks and minimize potential liability.

Read our Practical Law article for an overview of recent privacy and data security legal developments (pre COVID-19).

Tags: California Consumer Privacy Act of 2018 (“CCPA”), Children’s Online Privacy Protection Act of 1998 (COPPA), cybersecurity, data security breach, FTC enforcement, FTC Guidance, HIPAA Privacy Rule, State Privacy Laws

FTC Issues New Guidance on Artificial Intelligence Technology

By Colin Kass, David Munkittrick and Nicollette R. Moser on April 15, 2020 Posted in Data Privacy Laws, Telecommunications

In the largest piece to come out of the FTC’s new focus on emerging technologies, the FTC Bureau of Consumer Protection issued new guidance on the use of artificial intelligence (“AI”) and algorithms. The guidance follows up on a 2018 hearing where the FTC explored AI, algorithms, and predicative analysis. As the FTC recognizes, these technologies already pervade the modern economy. They influence consumer decision making – from what video to watch next, to what ad to click on, or what product to purchase. They make investment decisions, credit decisions, and, increasingly, health decisions, which has also sparked the interest of State Attorneys General and the Department of Health & Human Services. But the promise of new technologies also comes with risk. Specifically, the FTC cites an instance in which an algorithm designed to allocate medical interventions ended up funneling resources to healthier, white populations.

Read the full post on our Minding Your Business blog.

Tags: AI TECHNOLOGY, ALGORITHMS, ARTIFICIAL INTELLIGENCE (AI), data security, EMERGING TECHNOLOGIES, Fair Credit Reporting Act, FEDERAL TRADE COMMISSION (FTC), FTC BUREAU OF CONSUMER PROTECTION

HHS to Exercise Enforcement Discretion to Permit HIPAA Business Associates to Use and Disclose PHI to Public Health Authorities during the COVID-19 Health Crisis

By Ryan Blaney on April 3, 2020 Posted in HIPAA, Legislation, Privacy Law, Security Breach Notification Laws

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services released a notification related to the discretion that OCR will exercise concerning HIPAA enforcement during the COVID-19 public health emergency. Effective immediately, OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for “good faith uses and disclosures of PHI by business associates for public health and health oversight activities.” HIPAA already permits covered entities to provide this data. With this new guidance from OCR, now business associates can disclose this data to certain public health authorities without risk of a HIPAA privacy enforcement action or penalty. Continue Reading

Tags: breach notification, coronavirus, COVID-19, HIPAA Privacy Rule, law enforcement, Office for Civil Rights, protected health information (PHI), U.S. Department of Health and Human Services

Amid Pandemic Remaining New York SHIELD Act Data Security Requirements Have Taken Effect

By Stephanie A. Diehl on April 2, 2020 Posted in Data Breaches, Data Privacy Laws

The developing coronavirus pandemic affects businesses and personnel within the state and elsewhere. With more New Yorkers working from home, there are more opportunities for cyberattacks through unsecure remote connections and the public concern growing each day.

The New York SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act was signed to law on July 25, 2019. It is an amendment to New York’s data breach notification law. The SHIELD Act provides a number of changes that we reported last year, including expanding the definitions of “private information” and “breach.” The definition of “private information” now covers emails and passwords or security questions and answers, credit card details, and biometric data among others. A “breach of the security system” now covers unauthorized access, where such access may have occurred if “the information was viewed, communicated with, used, or altered” without authorization. Continue Reading

Tags: coronavirus, COVID-19, data security, malware, New York’s data breach notification law, safeguard, SHIELD Act, Stop Hacks and Improve Electronic Data Security

FTC Ramps up COVID-19 Activity After Improving its Data Security Enforcement Orders

By Ryan Blaney, Stephanie Kapinos and Kevin Milewski on March 31, 2020 Posted in Cybersecurity, Data Privacy Laws

With the spread of the novel coronavirus (COVID-19), cybersecurity criminals and scammers are ramping up their efforts to target vulnerable employers and workforces. The FTC announced today that since January they have received more than 7,800 fraud complaints from consumers related to the COVID-19 pandemic. But the FTC isn’t slowing down either. Even with the FTC having to change its own procedures due to COVID-19, the FTC has been publishing guidance on COVID-19 scams and also sending out warning letters to sellers of false treatments. Continue Reading

Tags: consumer protection, coronavirus, COVID-19, cybersecurity, Federal Trade Comission, fraud complaints, FTC, FTC enforcement, scammers