On Friday, January 25, 2019, California Attorney General Xavier Becerra’s Office held the fourth of its six public forums in connection with its rulemaking process for the California Consumer Privacy Act (“CCPA”). The purpose of the open forum, which was held in Los Angeles at the Ronald Reagan State Building, was to provide an initial opportunity for the public to participate in the CCPA rulemaking process. The formal rulemaking process is scheduled to begin later this year.

As noted in a prior Firewall blog post, the recently-enacted CCPA grants California consumers the right to know what information companies collect about them, the right to “opt out” from allowing companies to sell their personal information, the right to demand that companies delete collected information, and the right to receive equal service even if consumers exercise their “opt out” right. As required by the CCPA, the Attorney General must adopt its regulations on or before July 1, 2020. Businesses, however, must comply with the CCPA even before then, starting on January 1, 2020.  Continue Reading Different Viewpoints Represented at the Latest California Attorney General’s Office Public Forum on the California Consumer Privacy Act

Over the last several years, the emphasis on privacy and data protection has grown significantly. With the amount of data collected by companies and technology skyrocketing, the need to protect personal information has been at the forefront of states’ legislative agendas. While all 50 states now have breach notification statutes, states are now taking a closer look at issues such as tracking online behavior and the use of biometric data. What used to be futuristic props in sci-fi media, face and fingerprint scanners, are now part of everyday life and consumer transactions. Despite the increase in the use of biometric data, only three states, Washington, Texas and Illinois have passed legislation addressing biometric data. Continue Reading Illinois’ BIPA’s Rollercoaster Ride to the Illinois Supreme Court

In February of this year, the Securities Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures.  In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach.  These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.

Here are some key takeaways from both the Guidance and from the Yahoo! Order:  Continue Reading SEC Takes Aim at Cybersecurity Disclosures

Not long ago, financial technology (FinTech) startups were all seeking to disrupt the market for financial services and compete directly with financial institutions (FIs) for customers. But as these startups have grown into more mature companies, cooperation with FIs has come to replace disruption for many FinTech firms. These companies have realized that FIs can help scale their technology to larger bases of potential users, and can also help FinTechs raise capital by showing strong partnerships and FI distribution channels.

In turn, FIs now recognize that FinTech firms offer more than competition, representing potentially valuable partnerships with better technology and an improved user experience. By collaborating with FinTechs, FIs can improve product offerings and increase efficiency, all without the FIs committing significant resources to create new solutions themselves.  Continue Reading Access vs. Security: Takeaways For U.S. Financial Institutions from the European PSD2 Open API Framework

When a data breach occurs, the guilty party—a fraudster or criminal syndicate— is often nowhere to be found. Who bears the loss from a breach perpetrated by a fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data? Often, the loss initially falls on the financial institution through account or card agreement provisions or deadlines imposed by statutes or regulations. Can a financial institution recover these losses from a business with whom it has no contract? This depends on which law applies. Continue Reading Recovering Data Breach Losses from Non-Contractual Parties

While U.S. companies focused on the imposition of burdensome data protection laws being implemented overseas, California was hard at work on revamping its own laws. As of June 25, 2018, the home of big technology, Silicon Valley, Facebook, and Google, was prepared to consider the California Consumer Personal Information Disclosure and Sale Initiative (“Initiative”) on the November 2018 ballot. The Initiative sought to enact a version of the California Consumer Privacy Act of 2018, requiring businesses to disclose, on a consumer’s demand, the personal information a business collects, the purpose for which it is used, and to whom it is sold or shared with. The Act also allows individuals to restrict the sharing of their information. Finally, the Act provides a simple path to recovery for violations. Although companies like Facebook and Google dropped their opposition to the Initiative, concerns remained among the business community, so California lawmakers stepped in. Continue Reading CLIENT ALERT: At Rocket Speed – The California Consumer Privacy Act of 2018 Signed into Law Yesterday