Three Paths to Final CCPA Regulations by July 1

The California Consumer Privacy Act (CCPA) requires the California Attorney General (AG) to issue regulations to “further the purposes of the title” by July 1, 2020. As that date quickly approaches, various rumors have been circulating about the status of the final regulations and whether they will actually be issued by July 1, or at all. Some have speculated that, given the current state of affairs related to COVID-19, the AG’s office may not issue final regulations at all and that the current draft will become the version enforced by the AG on July 1. Others have contended that, because of California’s administrative law requirements, the AG’s apparent inaction, and a backlog at the Office of Administrative Law (OAL), the final regulations will now inevitably be delayed until Oct. 1.

Despite the conjecture, there are three possible ways in which the CCPA regulations might be adopted on or before July 1.

DSIR Deeper Dive: Regulatory Investigation Landscape

HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties.

State attorneys general have been laboratories of privacy enforcement. Over the years, they have devoted significant time and energy to, and played an increasingly active role in, data privacy and security matters. They have used their broad consumer protection authority, as well as the authority given to them under the HITECH Act to enforce the HIPAA Privacy and Security Rules, to investigate data security lapses. More recently, we have seen expanded authority given to nontraditional regulators, including state departments of insurance and financial regulation. A number of states have adopted or are adopting a model law promoted by the National Association of Insurance Commissioners that requires notice of a cybersecurity event to the state insurance regulator within 72 hours.

DSIR Deeper Dive: The Ransomware Epidemic

Ransomware is among the most common and persistent threats faced by organizations of all sizes. In 2019, the ransomware threat landscape worsened in several significant ways: (1) average demands increased more than tenfold; (2) all industry segments saw increases in attack frequency, with stark increases seen by education and government entities; and (3) several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment.

Increased Ransom Demands. In our 2019 report, we dedicated a quarter page to ransomware; the average ransom paid in the matters we handled was $28,920, and the largest payment was $250,000. For the 2020 report, we dedicated a full page to the epidemic: the average ransom paid in the matters we handled jumped to $302,539, and the largest payment was $5.6 million. In years past, questions had arisen as to why ransomware demands seemed relatively low. By deploying ransomware, threat actors were crippling a company’s ability to function, yet they would often settle for a five-figure ransom while the victim was losing hundreds of thousands or millions of dollars a day to business interruption. Whatever the reasons, threat actors changed their approach, and 2019 was the year they increased the stakes. 2020 has only seen these trends continue.


CCPA Compliance Meets Trade Secret Protection: A Peaceful Coexistence?

Since the California Consumer Privacy Act (CCPA) went live on January 1, 2020, businesses have been working to develop procedures for lawfully complying with requests from California consumers relating to their personal information. Such requests may provoke a vexing question for which there currently is no definitive answer in the CCPA: What is the business obligated to do if information that would be responsive to a consumer request includes legally protectible trade secret data either owned by the business or held subject to confidentiality restrictions imposed by third-party data sources?

Generally, the CCPA allows California consumers to request that a business disclose the specific pieces of personal information the business has collected. “Personal information” (PI) is broadly defined to include data elements such as IP address, device identifier, browsing history and other internet activity, geolocation data, and inferences drawn about the consumer’s psychological or behavioral attributes. The consumer also may request that the business delete any PI about the consumer that the business has collected.

Privacy Litigation in the Age of Coronavirus

Now that new cases of COVID-19 appear to be waning in the United States, those of us stuck in our homes are asking the same question: How long before things get back to normal? The answer from epidemiologists appears to be no time soon, as any actions to completely lift the severe social distancing restrictions currently in place will lead to another spike in infections, at least until we can find a vaccine. At the same time, the economy is in jeopardy and jobless claims are already in the tens of millions, and rising. It is a brutal dilemma. Either let millions die or condemn tens of millions to economic hardship.

A solution in some parts of the world has been to combine rigorous testing with tracking and surveillance. This approach has apparently worked, with varying levels of success, in parts of Asia and elsewhere. In the United States, technology companies have taken note and are developing capabilities to enable a similar approach. These efforts include, notably, a joint effort by Apple and Google to develop a cellphone application programming interface designed to operate independently of any central health authority. In addition, numerous developers are rushing to build tracking and surveillance tools that work by acquiring and storing a user’s health status, biometrics, geolocation, and proximity to others.

Positioning for What’s Beyond the Horizon: What Digital Transformation and the Data Economy Mean for You

BakerHostetler’s new Digital Transformation and Data Economy Team (DTDE) is presenting a four-part webinar series in May where attorneys will cover legal implications surrounding COVID-19 for business leaders. Panelists, including in-house attorneys and industry experts, will discuss how companies can determine where opportunities and vulnerabilities lie in managing, protecting and leveraging digitization and data assets.

In the May 6, 2020 webinar, “Positioning for What’s Beyond the Horizon: What Digital Transformation and the Data Economy Mean for You,” the panelists provided insight into how companies and individuals are reacting to COVID-19. They discussed how hiring trends indicate the larger role digital transformation and the data economy will have, both now and in a post-COVID-19 world.

Click here for a recording of the webinar. Click here for more information and to register for the next three webinars in this series.


DSIR Deeper Dive: Using Compromise Threat Intelligence

Organizations are under tremendous pressure to be agile and resilient. A key part of building a mature cybersecurity posture to enable the goals of the organization is conducting ongoing risk assessments and then implementing risk-prioritized measures.

Organizations contact us during this process to ask which emerging threats to guard against. Our answer always includes a list of the issues that have already emerged and are still causing incidents. We call this “compromise threat intelligence”: identifying the causes behind actual incidents affecting organizations. Focusing on risks that have been identified in a lab but are not being exploited “in the wild” may not be the best use of time and resources, especially if it distracts from efforts to combat the risks that are frequently exploited. No one is happy if you spend time guarding against fraud from deepfakes while an accounting employee is tricked by a spoofed email into wiring a large sum to a criminal.

Sixth Annual Data Security Incident Response Report Released – Managing Enterprise Risks and Leveraging Data in a Digital World

We are excited to present our sixth Data Security Incident Response Report (DSIR). We hope this issue finds you safe and healthy while working from home (WFH). Each year, we talk about last year’s trends and where we think the current year is taking us. Ransomware was, and continues to be, a big issue. We expect ransomware to continue full speed ahead. We are hopeful, however, that businesses are taking extra care with WFH rules to keep their data secure so that we do not see an increase in breaches due to simple mistakes.

This year, we are reporting on statistics from 950 of the 1,000+ incidents we helped manage in 2019. The incidents we worked on cover all industries and sizes of organizations. Although threats are always changing, we are hopeful that the information we are sharing in the Report will help you and your organization be better equipped to be “compromise ready.”

For more in-depth analysis on key items in the report, watch for our “DSIR Deeper Dive” posts in the coming weeks.

We hope you enjoy the report, and you are welcome to reach out to any of the DADM Group’s members with questions or suggestions.

Download the Report >>

Register for the Digital Transformation and Data Economy Four-Part Webinar Series starting on May 6

Join BakerHostetler’s NEW Digital Transformation and Data Economy Team (DTDE) for a four-part webinar series where attorneys will cover legal implications surrounding COVID-19 for business leaders and provide practical answers and actionable advice.

The DTDE team is designed to help you determine where your opportunities and vulnerabilities lie and design a plan to manage, protect and leverage digitization and data assets. If you are positioning for what’s beyond the horizon and looking for your North Star, we can be your crew that moves the ship forward.

Register now for one or all of the webinars in this series.

Meeting Client Needs: Our New Digital Transformation and Data Economy Team

I am excited to announce the seventh practice team under our Digital Assets and Data Management (DADM) Practice Group. By focusing on capitalizing on innovations that maximize IP, data, and technology, this team advises on optimal strategies to accelerate business growth, pivot into new service lines, or fundamentally revamp business models. Co-leading the Digital Transformation and Data Economy Team are Janine Anthony Bowen (Atlanta), Chad Rutkowski (Philadelphia), and Jeewon Kim Serrato (San Francisco). Jeewon, Janine and Chad each bring different skills to the team’s leadership, enabling us to offer cross-practice support as our clients use new technology to drive innovation and revenue.

Digital transformation and data strategies will be critical in a post-COVID-19 world as companies constantly shift to adjust to new ways of operating and to deal with market disruptions. More information about this practice team can be found here. We will also soon be announcing a webinar series that will provide an overview of the service offerings.