Photo of Cinthia Granados Motley

Cinthia Granados Motley is the Director of Dykema’s Global Data Privacy and Information Security practice group. She has an active national and international practice assisting clients implement effective information security practices, address current and emerging regulatory compliance issues, including cross-border data transfer and information governance, as well as litigation readiness and regulatory inquiry matters. She routinely acts as incident response counsel to national and multi-national entities, as well as privacy litigation counsel. In her litigation practice, Cinthia handles consumer and privacy litigation, international contract disputes, directors and officers liability, ERISA, e-discovery and  professional liability matters. She routinely counsels clients in complex commercial disputes both domestically and abroad.

Colorado just became the first U.S. state to pass a law (Senate Bill 24-205 “SB 24-205” or the “CAIA”) regulating consumer harms arising out of artificial intelligence (“AI”). While the CAIA will not go into effect until February 2026, it is part of a growing trend in the U.S., including, most notably, the White House’s guidance on “Algorithmic Discrimination Protections” published at the end of 2023.Continue Reading Colorado’s Artificial Intelligence Act (CAIA) – The First U.S. State Law Regulating Consumer Harms Arising Out of AI

The Department of Justice recently announced a “disruption campaign” against the Blackcat ransomware group (aka ALPHV or Noberus), including seizing the group’s darknet website and releasing a decryption tool for victim entities to recover their systems.Continue Reading ALPHV/Blackcat Ransomware Group Announces New Rule: No Rules…Anything, Anywhere

The Big Apple now demands big commitments from financial institutions regarding cybersecurity practices. Yesterday, the New York State Department of Financial Services (“NYDFS”) adopted its second set of amendments to its 2015 “Cybersecurity Requirements For Financial Services Companies” (“Amended Cybersecurity Regulation”), with some amendments immediately going into effect. The law requires “covered entities,” including but limited to financial institutions or insurance providers authorized to conduct business in New York, to implement and maintain a cybersecurity program, to report cybersecurity events, and to annually certify their compliance with the law. The Amended Cybersecurity Regulation now requires:Continue Reading Security State of Mind: Amendments to NYDFS’s Cybersecurity Regulation Go Live

The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.Continue Reading SEC Adopts New Cybersecurity Disclosure Requirements

Iowa became the sixth state to pass a comprehensive data privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. Instead of standing out from the crowd, the Iowa legislature passed a law that imposes attenuated obligations stated in those other states’ laws . Below are some highlights from the Act relating to consumer data protection (the “Iowa Act”):Continue Reading If You Pass It, They Will Comply (Someday): Iowa Becomes Latest State to Pass Comprehensive Data Privacy Law

School is in session and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024 but California piled on more homework for those companies handling data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”).[1] Modeled from UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.” [2]
Continue Reading Another Brick in the Wall: California’s Age-appropriate Design Code Act

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

Hackers delight in targeting U.S. companies during the holiday season triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.

Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” 
Continue Reading ‘Tis the Season to Be on Heightened Alert: FBI Warns of Targeted Cyber Attacks

As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, .§999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 
Continue Reading The Regs are In! California’s Attorney General Releases the Long Awaited CCPA Regulations

Last Friday, the Illinois Supreme Court delivered the highly anticipated Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, opinion. Businesses and consumers alike watched for the Court’s opinion regarding whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation and several other courts, both state and federal were split over the issue.  Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317.  In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court.  2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual was in fact an “aggrieved person” under the statute where they are unable to show actual damage, but there has been a violation of the statute. The Court held, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation.  The Illinois Supreme Court took a strong stance in that individuals should not have to wait for actual harm with respect to their biometric information and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation. 
Continue Reading Illinois Supreme Court’s Rosenbach Ruling Likely to Expand BIPA Litigation