Partners Ann O’Brien and Jeewon Serrato and Associate Alyse Stach authored an article published by the International Association of Privacy Professionals (IAPP) on June 23, 2020. The article, “The Thin Line Between Privacy and Antitrust,” discusses how the lines between antitrust and privacy objectives and enforcement are becoming increasingly blurred. The authors describe real-world scenarios in which companies need to find ways to compete, innovate and serve customers while navigating antitrust and privacy issues.
This blog post has been updated to account for additional information related to the California Privacy Rights Act (CPRA) ballot initiative released following original publication of this post.
On Friday, June 19, 2020, the Superior Court of California issued a ruling that paved the way for Californians to see the CPRA on the ballot in November. In its ruling, the court recognized that Alastair Mactaggart, the individual responsible for both the CCPA and the CPRA, sometimes referred to as “CCPA 2.0,” was “confronted with numerous obstacles unique to the COVID-19 pandemic.”
As a result, the ruling will allow Mactaggart to remedy certain procedural deficiencies related to a random sampling process by certain counties that were not met, which would have jeopardized the ability for the CPRA ballot initiative to be included on the November ballot.
As of the original publication of this blog post, the CPRA needed fewer than 50,000 signatures to meet the certification requirement and automatically qualify for the November ballot, and three counties (San Diego, San Mateo and Placer) had still not reported their signature counts. On the evening of June 24, the California secretary of state confirmed that the CPRA ballot initiative garnered enough signatures to remedy the procedural deficiencies and will be on the ballot in November.
If passed, the CPRA will amend certain sections of the CCPA in phases, starting Jan. 1, 2021.
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process as the ability to cloak an investigation in privilege and work product. So there have been surprised reactions to recent decisions finding that work product did not apply to a report written by a forensic investigation firm that had been engaged by a law firm on behalf of the organization. There are legitimate grounds for criticizing the analysis used to reach those decisions based on the facts of each case. But the decisions reveal a path for steering through the process. And for organizations that have taken thoughtful measures to prepare to respond to security incidents, such as working with external counsel and building a relationship with a forensic firm, it does not mean they need to abandon their plans and start over. There is not an approach that works in all incidents. That is where the value of experienced counsel is most evident – in the ability to provide advice that generates an incident-specific response plan to help an organization meet its legal obligations and operational needs.
In January, we announced the creation of the firm’s 6th practice group—Digital Assets and Data Management. Since September 2010, members of our group have been covering privacy and security topics through our Data Privacy Monitor blog. Today, we are excited to launch our rebranded blog – Data Counsel – to more fully capture our group’s commitment to “everything data and technology”. BakerHostetler’s elevation of the importance of this practice reflects the significance our clients associate with these issues.
The Data Counsel blog now addresses all of the issues important to our clients related to all things data and technology. The content and commentary will be expanded to include enterprise risks, disputes, compliance, and opportunities through the lifecycle of data, technology, advertising, and innovation, including brand strategies and monetization. Yes, we will continue to cover privacy, data security, CCPA updates—and a lot more! For example, our newest team, Digital Transformation and Data Economy, is hard at work keeping up with demands related to interacting with customers, structuring businesses, and delivering goods and services in a post-COVID-19 world.
Thank you for subscribing. If you have suggestions on content, let us know!
On June 1, 2020, the Office of the California Attorney General (OAG) submitted the final proposed regulations (final regs) under the California Consumer Privacy Act (CCPA or the Title) to the California Office of Administrative Law (OAL). OAL now has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the regs for procedural compliance with the Administrative Procedure Act. Although we do not expect OAL to make any substantive changes to the regs, we are still one procedural step away from the regs being filed with the secretary of state by OAL and becoming enforceable by law. Noting the July 1, 2020, statutory mandate for the regulations, the OAG petitioned OAL for expedited review and submission to the secretary of state prior to that date and for effectiveness upon submission to the secretary. As we have previously explained, there is a legal basis for this approach. BakerHostetler and several industry groups filed comments with the OAG in mid-March, as the pandemic was breaking, asking for a continuation of delay in the enforcement of the CCPA until six months after the regs become final, in part to help companies focus on COVID-19. Those comments now have been rejected by the OAG, and enforcement of the CCPA will begin on July 1, 2020, regardless of when final regulations are promulgated, absent action by the governor or the Legislature. The final regulations remain unchanged from the third version published for comment in March. Businesses should complete their CCPA compliance work based on these proposed final regulations in advance of July 1.
The final regulations provide guidance on certain key requirements under the CCPA, including definitions (Article 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), requirements for verification of consumers making requests (Article 4), special rules regarding minors (Article 5) and use cases for applying the CCPA’s non-discrimination mandate (Article 6). The regs also flesh out what service providers can and must do (Section 999.314), expand on training and record-keeping requirements (Section 999.317), and explain what businesses can and must do in response to a request putatively made by an agent acting on behalf of a consumer (Section 999.326). Notably absent are guidance on the design of a standard “do not sell” opt-out button, guidance on the meaning and scope of “sell,” and information about how to treat third-party cookies. An analysis of the regulations with practical takeaways is available here.
The New York SHIELD Act, officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection requirements. The amended data breach notification obligations went into effect on Oct. 23, 2019, with the data security requirements going into effect on Mar. 21, 2020. Though consumers do not have a private right of action to enforce its mandates, the SHIELD Act is enforceable by the New York Attorney General.
Amendments to New York Breach Notification Obligations
Unauthorized Access. The SHIELD Act expands the existing breach notification obligation to require any person or business that owns or licenses computerized data that includes private information to provide notice of any breach to any New York resident whose private information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. The previous New York law applied only to data that was acquired by an unauthorized person. The Act contains a non-exclusive list of factors to consider in determining whether information has been accessed, including indications that the information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person.
In May, BakerHostetler’s new Digital Transformation and Data Economy (DTDE) team presented a four-part webinar series for business leaders that covered the legal implications surrounding COVID-19. Panelists, including in-house attorneys and industry experts, discussed how companies can determine where opportunities and vulnerabilities lie in managing, protecting, and leveraging digitization and data assets.
In the May 20, 2020 webinar, “Accelerate: Getting to Your North Star Faster,” the panelists discussed the issues businesses face in accelerating their digital transformation to fuel growth.
Phishing and social engineering attacks to divert wire transfers or invoice payments are not new fraud techniques, but they have recently taken a back seat to ransomware as posing the greatest cyberthreat to businesses. However, over the past few weeks, we have seen a surge in new matters where the fact pattern is the same as it has been for almost a decade:
- The accounting department starts seeing an increase in accounts receivable for one or more customers.
- The accounting department follows up on outstanding invoices.
- The customer reports that he/she already paid the invoices and provides proof of the wire transfer.
- The accounting department alerts the customer that he/she sent the wire to the wrong bank account.
- The customer states that he/she was just following the accounting department’s instructions, attaching an email with “new” wire instructions that appeared to come from the accounting department.
BakerHostetler’s new Digital Transformation and Data Economy (DTDE) Team presented a four-part webinar series in May that covered the legal implications surrounding COVID-19 for business leaders. Panelists, including in-house attorneys and industry experts, discussed how companies can determine where opportunities and vulnerabilities lie in managing, protecting and leveraging digitization and data assets.
In the May 13, 2020 webinar, “How to Pivot and Transform Your Digital Assets into Alternate Revenue Streams,” the panelists discussed how their businesses made the transition from traditional to tech-savvy and tech-enabled, the lessons learned along the way, and the legal and business considerations that affected these pivots.
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of compliance, risk and audit as its data protection officer (DPO). This decision should cause entities to reconsider appointing a DPO who holds another senior role in the organization.
Article 38.6 of the EU’s General Data Protection Regulation (GDPR) allows that a DPO may fulfill other tasks and duties assigned by an organization, provided such duties do not result in a conflict of interest. Since the GDPR came into effect in May 2018, we have seen limited regulatory enforcement focused on the DPO’s role. The Belgian DPA’s fine complicates this landscape and highlights key considerations for organizations with respect to the appointment of a DPO.