Third Time’s the Charm: CCPA Regulations Finally Approved With Limited Substantive Changes from June 2020 Version

On August 14, 2020, California’s Office of Administrative Law approved and filed with the California Secretary of State final regulations implementing the California Consumer Privacy Act.  The regulations, drafted by California’s Office of the Attorney General (OAG), went through three rounds of changes during the rulemaking process and were finally enacted more than two years after the CCPA was signed into law.  The CCPA is a landmark state privacy law that grants consumers new privacy rights, and requires businesses to enhance disclosures about their data practices and facilitate consumer privacy rights. 

Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

On July 21, 2020, the New York State Department of Financial Services (NYDFS or the Department) issued a statement of charges and notice of hearing (the Statement) against First American Title Insurance Company (First American) for violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (Cybersecurity Regulation or Regulation). The First American Statement of charges alleges six violations of the Cybersecurity Regulation and marks the Department’s first action pursuant to the Regulation, which is enforced by the recently created NYDFS Cybersecurity Division.

NYDFS’s Statement seeks relief against First American, including civil monetary penalties and an order requiring First American to remediate any defined violations. Although the Statement does not include a calculation of the total penalty, the NYDFS explains that the civil monetary fines against First American are to be assessed pursuant to the Financial Services Law, which provides for a maximum civil monetary penalty of $1,000 per violation of the Regulation. Because First American’s violations included the exposure of millions of documents containing nonpublic information (NPI), the total penalty potentially could be substantial. The First American hearing is scheduled to occur on October 26, 2020, at the NYDFS.

Digital Health and Cyber Risk in the “New Normal”

Sidley partnered with Aon’s Cyber Solutions for an exclusive webinar for life sciences organizations to address developments in digital health and cybersecurity in light of some key trends affecting the industry today.

The speakers discussed the latest in digital health and how to better understand and mitigate cyber risk, as well as protect life sciences organizations’ highly valuable and sensitive data.

Key Takeaways from Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Adam Klein, Chairman of the PCLOB

Posting revised August 13, 2020

On July 2, 2020, Sidley partner Alan Raul, founder and co-head of Sidley’s Privacy and Cybersecurity practice, hosted Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board (“PCLOB” or “the Board”), for a Monitor-Side Chat.

The discussion focused largely on the Commission’s work since Mr. Klein became Chairman in October, 2018. Key topics of the chat included:

  • Mission, Operation and Access of PCLOB
  • Balancing Counter-Terrorism and Privacy
  • Comparison of U.S. and Foreign Checks and Balances
  • FISA Reform
  • Emerging Technologies

Schrems II Fallout — Understanding Essential Equivalence and What Businesses Should Do Now

Schrems II — Legal Analysis

With the EU-U.S. Privacy Shield declared invalid as a result of the Schrems II decision, there will be an immediate impact on the future of international data flows and potentially for your business.

Join OneTrust DataGuidance, Sidley, and speakers from industry for a webinar taking a detailed look at the Schrems II decision and discussing what additional safeguards may be required for international transfers following the decision, as well as legal analysis into whether there is essential equivalence between U.S. and EU privacy protections.

SAMHSA Releases Final 42 CFR Part 2 Revised Rule

On July 13, the Department of Health and Human Services’ Substance Abuse and Mental Health Services (“SAMHSA”) announced final revisions to the Confidentiality of Substance Use Disorder Patient Records regulation codified at 42 CFR Part 2 (so-called “Part 2” regulations).  These regulations—which apply to certain information relating to patients being treated for substance use disorders (“SUDs”)—impose restrictions above and beyond those in the Health Insurance Portability and Accountability Act (“HIPAA”).  While the final rule does not fundamentally change the basic requirements of the Part 2 regulations, it relaxes some of the restrictions the regulations impose on holders of Part 2 information, in particular, to facilitate care coordination.

EDPB Publishes FAQs on Recent Schrems II Judgment

On July 23, 2020, the European Data Protection Board (the “EDPB”) published a set of important responses to a set of 12 frequently asked questions put forward to supervisory authorities regarding the recent Court of Justice of the European Union (“CJEU”) decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) (“FAQs”).

Below is a summary of the key takeaways from the EDPB’s FAQs, which are intended to address a range of topics including the lack of a grace period following the decision and the conditions surrounding the use of certain data transfer mechanisms:
