On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”). This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019. If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.
On April 30, 2020, four Republican Senators announced plans to introduce the COVID-19 Consumer Data Protection Act. The four Senators, John Thune (R-S.D), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), are all Members of the Commerce Committee, with Wicker the Committee’s chair.
According to the April 30 Senate press release regarding the COVID-19 Consumer Data Protection Act, the legislation would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” for data processing related to fighting the COVID-19 pandemic. The press release also states that the bill would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” Under the bill, covered purposes include “(1) collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID-19; (2) collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are required by federal, state, or local government order; (3) collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID-19 cases.” (more…)
The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same. (more…)
While the world seems to have ground to a halt in so many ways, time still marches on, and along with it, the California Consumer Privacy Act (“CCPA”) enforcement date (July 1, 2020) inches ever closer. On March 11, 2020, the California Attorney General (“AG”) released the third turn of proposed California Consumer Privacy Act (“CCPA”) regulations. The AG’s revisions make only moderate changes to the last round of regulations issued in February 2020. Businesses will not need to dramatically change compliance plans as the proposed revised regulations seek to refine requirements in prior drafts rather than introduce any wholesale changes to the regulatory framework. (more…)
Social distancing imperatives and the resulting surge in remote work polices have led to increased demand for the use of electronic signatures in commercial transactions. Although the method of execution is just one factor to consider when determining the validity and enforceability of a contract, electronic signatures — when appropriately deployed — can provide a convenient replacement for manual wet-ink signatures in many transactions. The U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN), as well as the widespread adoption at the state level of the Uniform Electronic Transactions Act (UETA) or comparable electronic signature laws, provide that electronic signatures and electronic records cannot be denied legal effect, validity or enforceability solely because they exist in electronic form. As workforces suddenly shift to remote operations with siloed employees lacking access to typical office services, yet still facing the same business needs and time demands, companies are reevaluating their electronic signature and records policies and technologies.
This post seeks to help parties navigate issues arising from COVID-19 risks from an employment and privacy law perspective in both the United States and Europe.
Novel coronavirus (COVID-19) presents significant issues for employers to navigate and significant consequences for employees across industries as COVID-19 reduces consumer spending, disrupts supply chains and presents challenges for managing workforces globally. Employers should be aware of their responsibilities and proactively put in place action plans to address this growing problem. Designing these plans, and addressing requested or mandated leaves and other restrictions on employee work, presents myriad employment law issues that may vary by jurisdiction. Employers are also likely to confront privacy questions as they seek information on employees’ and others’ health and travel across jurisdictions. In developing a plan, employers will want to consider these issues in a holistic and coordinated manner.
On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors. Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5. Self-certification will not be permitted. Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages. A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020. Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026. (more…)
Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a report on Cybersecurity and Resiliency Observations based on practices seen in prior exams. OCIE published the overview of practices to help market participants when considering “how to enhance cybersecurity preparedness and operational resiliency,” while acknowledging that there is not a “one-size fits all” approach. The report links cybersecurity to resiliency and business continuity planning, explicitly merging two concepts on which the OCIE has previously focused into a single topic.
While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.