David Kessler (US)

Subscribe to all posts by David Kessler (US)

California Age-Appropriate Design Code Act

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”).  The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”).  The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties.  Indeed, Snap joins a string of other companies that have already … Continue reading

More New York SHIELD Act guidance

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements.  Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Apply the law where breached servers are located?

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts.  In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency.  They also shared their projected timeline for rulemaking.  The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA).   The big news is that the Board … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information.  It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Notice of employer electronic monitoring

On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage.  New York’s new law (SB 2628) goes into effect on May 7, 2022.  New York joins Connecticut and Delaware, whose laws are already in effect.  Unfortunately for … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers.  In re Blackbaud, Inc. Customer … Continue reading

Over-retention of personal data

The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.”  Perhaps the CNIL’s  €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view. The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an … Continue reading

To be or not to be . . . an “autodialer”

On April 1, 2021, the U.S. Supreme Court decided the question whether the Telephone Consumer Protection Act’s (TCPA) definition of “autodialer” encompasses equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” It does not. To qualify as an “automatic telephone dialing system,” a … Continue reading

Virginia’s new Consumer Data Protection Act

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023. But first, you need to determine whether the law … Continue reading

US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

The California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes.  You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them.  … Continue reading
LexBlog