Andreas Kaltsounis

Subscribe to all posts by Andreas Kaltsounis

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

Photo of Adam CohenPhoto of Andreas KaltsounisPhoto of Jeewon SerratoPhoto of Shruti AroraBy Adam Cohen, Andreas Kaltsounis, Jeewon Serrato and Shruti Arora on Posted in Breach Notification, Data Breach Notification Laws, Data Breaches
As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final … Continue Reading

Are More European Standard Contractual Clauses Coming?

Photo of Andreas KaltsounisPhoto of Nichole SterlingBy Andreas Kaltsounis and Nichole Sterling on Posted in Data Protection, GDPR
On November 18, 2021, the European Data Protection Board (EDPB) adopted its new draft guidance on the interplay between Article 3 of the European Union’s General Data Protection Regulation (GDPR) and Chapter V of the same law. This new guidance specifies that personal data processing by organizations in countries outside the European Economic Area (EEA) is … Continue Reading

International Data Protection Update – Summer 2021

Photo of Nichole SterlingPhoto of Melinda L. McLellanPhoto of Andreas KaltsounisBy Nichole Sterling, Melinda L. McLellan and Andreas Kaltsounis on Posted in Data Protection, Enforcement, EU, GDPR, International Privacy Law
This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June … Continue Reading

Colorado’s Privacy Act: A Curve Ball on Consent and Targeted Ads

Photo of Andreas KaltsounisPhoto of Shea M. LeitchPhoto of Stanton BurkeBy Andreas Kaltsounis, Shea M. Leitch and Stanton Burke on Posted in Advertising
On July 7, 2021, Gov. Jared Polis signed the Colorado Privacy Act (CoPA) into law, making Colorado the third state to enact a comprehensive privacy law, joining California and Virginia. The Act goes into effect on July 1, 2023, and shares many of the rights and obligations provided in other comprehensive privacy laws such as … Continue Reading

The Brave New World of Cybersecurity Compliance—Key Takeaways from Recent Government Action on Cybersecurity

Photo of Andreas KaltsounisPhoto of Seungjae LeeBy Andreas Kaltsounis and Seungjae Lee on Posted in Cybersecurity
After a series of high-profile supply chain and ransomware attacks, the federal government is ramping up its effort to improve the nation’s cybersecurity. In the past several months, multiple federal departments and agencies announced new policy initiatives and regulatory directives to drive their cybersecurity agenda forward, and state regulators are following the trend. It is … Continue Reading

Updated EU Standard Contractual Clauses Are Finally Here

Photo of Nichole SterlingPhoto of Andreas KaltsounisPhoto of Melinda L. McLellanBy Nichole Sterling, Andreas Kaltsounis and Melinda L. McLellan on Posted in EU, GDPR
On June 4, 2021, the European Union’s (EU) executive branch, the European Commission (EC), released their new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU’s General Data Protection Regulation (GDPR), ending a long wait for revised SCCs. The new SCCs resolve certain practical issues companies faced when using the older versions but … Continue Reading

Responding to Supply-Chain Risk—It’s Not Just About Vendor Management

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in Supply Chain
Organizations around the globe began 2021 grappling with two significant supply-chain attacks. First, the SVR, Russia’s foreign intelligence service, planted malicious code in Orion, SolarWinds’ flagship network management suite. When 18,000 Orion customers updated their software, they also unwittingly installed the SVR’s malicious code, giving the Russian intelligence agency direct access to the customers’ networks. … Continue Reading

International Data Protection Update – First Quarter 2021

Photo of Nichole SterlingPhoto of Andreas KaltsounisPhoto of Melinda L. McLellanBy Nichole Sterling, Andreas Kaltsounis and Melinda L. McLellan on Posted in Data Protection
This quarterly update highlights some of the international data protection issues that have caught our attention, and the attention of our clients, in the past three months. Europe, the Middle East and Africa Cookies and Tracking Technologies – On March 31, 2021, the revised guidelines on cookies and trackers from the French data protection authority, … Continue Reading

A Risk-Based Approach to the SolarWinds Vulnerability Disclosures

Photo of Andreas KaltsounisPhoto of Adam CohenBy Andreas Kaltsounis and Adam Cohen on Posted in Cybersecurity
On December 13, 2020, SolarWinds disclosed that an unknown attacker compromised its network and inserted malicious code (referred to as the Sunburst vulnerability) into software updates for the Orion platform. In what will likely become known as one of the most widespread and damaging cyber attacks in history, approximately 18,000 private and government organizations installed … Continue Reading

5 Key Things to Know about the Landmark Schrems II Decision

Photo of Andreas KaltsounisPhoto of Melinda L. McLellanPhoto of Jeewon SerratoPhoto of Nichole SterlingBy Andreas Kaltsounis, Melinda L. McLellan, Jeewon Serrato and Nichole Sterling on Posted in EU-U.S. Privacy Shield Framework, GDPR
Quick Links CJEU Press Release CJEU Decision Press Releases from the Parties Irish Data Protection Commission Max Schrems U.S. Department of Commerce Electronic Privacy Information Center (EPIC) BSA The Software Alliance DIGITALEUROPE 1. Is the EU-U.S. Privacy Shield framework dead? Yes, the Privacy Shield framework has been invalidated. The Court of Justice of the European … Continue Reading

California AG Begins CCPA Enforcement

Photo of Jeewon SerratoPhoto of Andreas KaltsounisPhoto of Stanton BurkeBy Jeewon Serrato, Andreas Kaltsounis and Stanton Burke on Posted in CCPA
Last week, the International Association of Privacy Professionals hosted a keynote session with Stacey Schesser, supervising deputy attorney general (AG) of the California Department of Justice, to discuss the July 1 start of the AG’s enforcement authority under the California Consumer Privacy Act (CCPA). The deputy AG discussed the current scope of the AG’s enforcement authority and confirmed that on July 1, … Continue Reading

Belgian Authority Raises Red Flag for DPOs with Multiple Roles

Photo of Nichole SterlingPhoto of Andreas KaltsounisPhoto of Melinda L. McLellanBy Nichole Sterling, Andreas Kaltsounis and Melinda L. McLellan on Posted in Enforcement
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing … Continue Reading

COVID-19 Cybersecurity Exposure

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in Cybersecurity
Risk scenarios and recommendations History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting to track the coronavirus’s spread across the globe. These opportunistic attacks were an expected variation on well-known themes that use fear to engineer an … Continue Reading

The Washington Privacy Act Is Back

Photo of Shea M. LeitchPhoto of Andreas KaltsounisBy Shea M. Leitch and Andreas Kaltsounis on Posted in Consumer Data, State Legislation
After the Washington Privacy Act (“WPA”) failed to pass in 2019, state legislators promised to renew their efforts in the 2020 legislative session. Lawmakers kept this promise last month, introducing three bills targeted at an array of consumer privacy issues. The first bill, SB 6281, or the Washington Privacy Act, introduced in the Senate on … Continue Reading

Key takeaways for app development and data protection by design from recent enforcement action

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in Application Security, GDPR, Privacy by Design
The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees, parents and pupils. At first, this may seem like an obscure case of only local importance, but the DPA’s rationale for the fine … Continue Reading

Standing Guard – Digital Risk Advisory and Cybersecurity Team

Photo of Craig A. HoffmanPhoto of Andreas KaltsounisBy Craig A. Hoffman and Andreas Kaltsounis on Posted in Cybersecurity
The Digital Assets and Data Management (DADM) Practice Group offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – chaired by Theodore J. Kobus III – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal … Continue Reading

Reexamining the GDPR’s Territorial Scope

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in GDPR
Key Takeaways From the European Data Protection Board’s New Guidance In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following release of the draft guidelines in November 2018 and a lengthy public consultation period. Comparing the final and draft versions provides … Continue Reading

Deeper Dive: GDPR a Game-Changer for Data Breach Notification

Photo of Andreas KaltsounisBy Laura E. Jehl and Andreas Kaltsounis on Posted in Data Breach Notification Laws, Data Security Incident Response, GDPR
When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available … Continue Reading

Insurance Data Security Model Law Picks Up Steam

Photo of Andreas KaltsounisPhoto of Shea M. LeitchBy Andreas Kaltsounis and Shea M. Leitch on Posted in Cybersecurity, State Legislation
Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of … Continue Reading

Washington State Proposes Sweeping Privacy Legislation

Photo of Andreas KaltsounisPhoto of Shea M. LeitchBy Andreas Kaltsounis and Shea M. Leitch on Posted in GDPR, State Legislation
On Jan. 17, 2019, a new privacy law was proposed in the Washington state Senate. If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” Lifting many provisions almost entirely from the text of the European Union’s General Data Protection Regulation (GDPR), the legislation would arguably … Continue Reading

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in Cybersecurity, Data Breaches
The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading

Last but not least: Alabama enacts a data breach notification law with strong notification and security requirements

Photo of Andreas KaltsounisPhoto of Sara GoldsteinBy Andreas Kaltsounis and Sara Goldstein on Posted in Data Breach Notification Laws
Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information. Alabama requires organizations to implement and … Continue Reading
LexBlog