David Kessler (US)

Subscribe to all posts by David Kessler (US)

California proposes rules for automated decision-making

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released a first draft of rules for automated decision-making technologies under California’s privacy law. The proposed rules revolve around providing notice of the technology’s use, opting out, and consumer access to business information. In general, the proposed rules would require businesses using automated decision-making technology … Continue reading

NYDFS finalizes cybersecurity rule amendments

By David Kessler (US) and Susan Ross (US) on November 2, 2023 Posted in General

On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year ago (see our blog post here), but include some changes. NYDFS included comments on the proposed … Continue reading

Court delays new California privacy regulations

By David Kessler (US) and Susan Ross (US) on July 1, 2023 Posted in CCPA

On June 30, 2023—the day before the regulations were scheduled to go into effect—the Superior Court of California halted the enforcement of the California regulations that had been finalized on March 29, 2023 until March 29, 2024. (California Chamber of Commerce v. California Privacy Protection Agency, No. 34-2023-80004106-CU-WM-GDS (Cal. Super. June 30, 2023) (minute order).) … Continue reading

Texas enacts comprehensive privacy law

By David Kessler (US), Susan Ross (US) and Seth Allen (US) on June 21, 2023 Posted in Privacy law

On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and Tennessee (which, like Texas, go into effect in 2024), Iowa (effective 2025) and Indiana (effective 2026). … Continue reading

FTC proposed consent order prohibits perpetual retention of personal information

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on March 21, 2023 Posted in General

We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category. Also unlike the previous matter, … Continue reading

“Forever and forever, farewell”: FTC prohibits indefinite retention of PHI in consent order

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on February 15, 2023 Posted in General

On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading

ICYMI – Late December in privacy and cybersecurity

By David Kessler (US) and Susan Ross (US) on January 30, 2023 Posted in Cybersecurity, Privacy law

Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1. Colorado issued a revised draft … Continue reading

BIPA and the record retention requirement

By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on December 6, 2022 Posted in BIPA

On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) and Susan Ross (US) on October 24, 2022 Posted in Cybersecurity, Data breach

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading

California Age-Appropriate Design Code Act

By David Kessler (US), Susan Ross (US) and Daniel Rosenzweig (US) on September 23, 2022 Posted in Privacy law

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”). The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on August 30, 2022 Posted in BIPA, Compliance and risk management, Privacy law

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading

More New York SHIELD Act guidance

By David Kessler (US) and Susan Ross (US) on July 12, 2022 Posted in Cybersecurity

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements. Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Apply the law where breached servers are located?

By David Kessler (US) and Susan Ross (US) on July 8, 2022 Posted in Data breach

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

By Anna Rudawski (US), Chris Cwalina (US) and David Kessler (US) on June 8, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

Another fine for over-retention of data

By David Kessler (US) and Susan Ross (US) on April 7, 2022 Posted in Compliance and risk management

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

By Anna Rudawski (US) and David Kessler (US) on February 17, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA). The big news is that the Board … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

By David Kessler (US), Anna Rudawski (US) and Alexis Wilpon (US) on February 10, 2022 Posted in Compliance and risk management, Dispute resolution and litigation, Privacy law

Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information. It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

New York SHIELD Act $600,000 settlement

By David Kessler (US) and Susan Ross (US) on February 8, 2022 Posted in Cybersecurity

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on December 13, 2021 Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

By David Kessler (US), David Kitchen (US), Tim Byrne (US) and Susan Ross (US) on November 23, 2021 Posted in Data breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Notice of employer electronic monitoring

By David Kessler (US), Susan Ross (US) and Laura Hunt (US) on November 17, 2021 Posted in Privacy law

On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage. New York’s new law (SB 2628) goes into effect on May 7, 2022. New York joins Connecticut and Delaware, whose laws are already in effect. Unfortunately for … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading

What dogs can teach companies about privacy and security

By David Kessler (US) and Susan Ross (US) on September 28, 2021 Posted in Cybersecurity

You may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised … Continue reading