Held to Ransom: How Cyberattacks Can Become a Legal and Regulatory Odyssey for a Private Investment Fund

Where business-critical information or platforms are at stake, many commercial parties will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data and avoid continued business disruption and negative publicity. However, businesses may wish to pause. Cyberattacks, by their very nature, know no borders and nor therefore should a private fund’s response.

In the first of this two-part series for Cybersecurity Law Report, Proskauer outlines immediate incident response steps and analyses whether to pay a ransom, from U.S., U.K. and E.U. perspectives.

Read the full article here.

Tags: anti-money laundering, contractual Prohibitions, Crypto Assets, cyber attack, cyber incidents, cybersecurity, cybersecurity incidents, cybersecurity risk management, data breach, E.U. sanctions, EU privacy regulators, incident response, portfolio companies, private investment fund, private investment fund manager, Ransomware attacks, sanctions, terrorist financing

Happy “Labor …” More Privacy Rights for Employees: California Legislature Closes Session Without Extending Employee and B2B Data Exemptions Under the CCPA

By Ryan P. Blaney and Jonathan Mollod on September 6, 2022 Posted in California, Data Privacy Laws, Workplace Privacy

As summer nears its end, uncertainty and complexity lie ahead for many companies as they evaluate how to operationalize compliance with the California Privacy Rights Act (CPRA), existing California employment laws and potentially the passage of a federal privacy law, the American Data Protection and Privacy Act, H.R. 8152 (ADPPA), that may preempt some but not all rights under the CCPA and the CPRA. To increase the headache for companies doing business in California, two business friendly exemptions are set to expire at the end of the year.

On August 31, 2022, the final day of the 2022 California legislative session, the legislature failed to extend exemptions that would have excluded certain employee and human resource (HR) related personal information collected within the business context from the scope of the California Consumer Privacy Act (CCPA) when the CRPA amendments to the CCPA go into effect on January 1, 2023. It should also be noted that similar CCPA exemptions for personal information collected in the course of certain business-to-business (B2B) transactions or communications were not extended. Thus, on January 1, 2023, the current CCPA exemptions for HR and B2B information will sunset and the CPRA will go into effect without such exemptions that businesses have relied upon for the last several years, making California the first state to have a comprehensive data privacy law covering HR data. In short, beginning next year, employers will have to honor the host of data privacy rights under the CCPA not only for consumer data, but also for HR data concerning employees, job applicants and independent contractors (unless another exception within the CCPA applies).

Tags: American Data Protection and Privacy Act ("ADPPA"), California Consumer Privacy Act of 2018 (“CCPA”), california employment law, California Privacy Protection Agency, California Privacy Rights Act (“CPRA”), CCPA, Compliance, consumer data, cpra, data privacy, Data Privacy Laws, employee privacy rights, federal privacy law, personal information, workplace privacy

Message Sent! California Attorney General Announces $1.2 Million CCPA Settlement with Retailer and Its Focus on the Sale of Customer Information

By Ryan P. Blaney and Jonathan Mollod on August 25, 2022 Posted in California, Data Privacy Laws, Privacy Law, Privacy Litigation

On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise location data) and failing to honor opt-out requests via global privacy controls (GPC) broadcasted from users’ web browsers. The proposed settlement has been submitted to a California state court for approval. Continue Reading

Tags: California Consumer Privacy Act (CCPA), California Privacy Rights Act of 2020, CCPA, confidential information, consumer data, lobal privacy controls (GPC), personal information

Businesses That Use Consumer Data or Data Products (Everyone?) Take Heed: FTC Moves Ahead with Rulemaking Process on “Commercial Surveillance” Practices

By Jeffrey Neuburger and Jonathan Mollod on August 12, 2022 Posted in Data Privacy Laws, Mobile Privacy, Privacy Law

On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) and announced it was exploring a rulemaking process to “crack down on harmful commercial surveillance” and lax data security. The agency defines commercial surveillance as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”

Read the full post on Proskauer’s New Media and Technology Law Blog.

Tags: commercial surveillance, consumer data, cybersecurity regulations, data privacy, data security, FEDERAL TRADE COMMISSION (FTC)

DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million in Two False Claims Act Settlements for Alleged Cybersecurity Violations

By Ryan P. Blaney and Matthew J. Westbrook on July 21, 2022 Posted in Cybersecurity, Data Privacy Laws, Invasion of Privacy, Legislation, Privacy Law, Privacy Litigation

Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages the False Claims Act (“FCA”) to prosecute, in part, government contractors and federal grant recipients for cybersecurity-related fraud. Continue Reading

Tags: Civil Cyber-Fraud Initiative, Compliance, Comprehensive Health Services, cybersecurity, cybersecurity regulations, data breaches, Data Privacy Laws, Defense Federal Acquisition Supplement (“DFARS”), False Claims Act (“FCA”), Federal Acquisition Regulations ("FAR"), privacy law

“A Full Plate”: FTC’s Open Meeting on PBMs, AI, Privacy and Online Harms

By Ryan P. Blaney on June 17, 2022 Posted in Data Privacy Laws, Legislation, Online Privacy, Privacy Law

During a much anticipated Open Commission Meeting announced by Commission Chair Lina M. Khan, the Federal Trade Commission (“FTC”) voted in favor of issuing one new policy statement and one new report to Congress. Continue Reading

Tags: AI TECHNOLOGY, ARTIFICIAL INTELLIGENCE (AI), FEDERAL TRADE COMMISSION (FTC), FTC initiatives, health care, legislation, online privacy, online privacy rights, pharmaceuticals, privacy law, privacy policy, technology

California Privacy Protection Agency Released Proposed CPRA Regulations

By Ryan P. Blaney and Vincent J. Tennant on June 2, 2022 Posted in Data Privacy Laws, Legislation, Online Privacy, Privacy Law

The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended by CPRA. Continue Reading

Tags: California Consumer Privacy Act, California Consumer Privacy Act (CCPA), California Privacy Protection Agency, California Privacy Rights Act (“CPRA”), consumer data, consumer protection, Proposed Regulations, U.S. privacy law