Canada’s Privacy Commissioner Recommends Consent for Cross Border Data Transfers
On April 9, 2019, the Office of the Privacy Commissioner of Canada (OPC) issued a new Consultation on transborder dataflows, recommending that organizations be required to obtain individuals’ consent — express or implied — for transfers of personal data outside of Canada. The OPC is accepting comments on the Consultation […]
UK regulator focuses on GDPR challenges faced by the adtech industry
On 6 March 2019, the UK data protection regulator, the Information Commissioner’s Office (ICO) convened an adtech fact-finding forum of industry stakeholders, aimed at developing its understanding of the adtech ecosystem (with a particular focus on programmatic advertising and real-time bidding) and exploring key themes raised by adtech from a […]
Credential Stuffing Attacks and What they Mean for Businesses
Over the past few months, Cooley’s incident response team has seen an increase in “Credential Stuffing” attacks. Credential Stuffing is an account takeover attack in which actors obtain user names and passwords available on the dark web from prior data breaches, and then attempt to login to various online accounts […]
FTC’s Proposed Amendments to the GLBA Safeguards Rule Seek to Incorporate Requirements from NY DFS Cybersecurity Regulations
On March 5, the FTC announced proposed amendments to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (“Safeguards Rule” or “Rule”). The FTC version of the Safeguards Rule applies to financial institutions that are not governed by federal banking regulators (e.g., FDIC, Federal Reserve, OCC, and NCUA) or […]
California Privacy Legislation Update
With the promulgation of the California Consumer Privacy Act of 2018 (“CCPA”), California has continued its role in pushing bleeding edge privacy and data security legislation. From the first data breach notification law back in 2003, to the first IoT data security law in 2018, it seems that California will […]
Brexit and its Possible Impact on Data Transfers
In its strictest construction, what ‘Brexit’ means is clear, what it entails and what comes next is absolutely not. Therefore, this article will not focus on matters relating to any such future relationship, but rather only on the terms on which the UK may leave the EU and how that […]
Cooley’s Michael Rhodes Joins 41 California Privacy Experts Urging Major Changes to the California Consumer Privacy Act
Michael Rhodes, chair of Cooley’s cyber/data/privacy practice, joins 41 California privacy lawyers, professionals and professors urging major changes to the California Consumer Privacy Act (CCPA). Led by Santa Clara University School of Law professor, Eric Goldman, the group is urging the legislature to address six significant issues posed by the […]
The Department of Health and Human Services Issues Guidelines on Cybersecurity
On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication (the “Cybersecurity Guidelines”), which provides voluntary cybersecurity practices designed to reduce security risks and improve security for various healthcare organizations. Specifically, the Cybersecurity Guidelines […]
Notes from first CCPA Public Forum in San Francisco
On Tuesday in San Francisco, the California Department of Justice (“DOJ”) held its first of six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) before a packed room of industry representatives and public citizens. The forums are intended to fulfill the Attorney General’s mandate under CCPA to […]
“New” Application to an Old Problem: Pennsylvania Supreme Court’s Ruling Likely to Lead to More Cybersecurity Negligence Lawsuits
Pennsylvania’s Supreme Court (“Court”) cleared a path for employees seeking to hold employers responsible for data breaches affecting their information. The Court found that employers are legally obligated to implement and maintain reasonable security measures to protect employees’ personal data in their possession. The Court’s logic, however, may extend beyond […]