School is in session and companies are preparing for the slew of new data privacy laws taking effect through 2023 into 2024 but California piled on more homework for those companies handling data of minors. On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”).[1] Modeled from UK’s Age-Appropriate Design Code, the Act imposes novel legal obligations on entities that provide “an online service, product, or feature likely to be accessed by children.” The obligations stem from the common belief that “children are particularly vulnerable from negotiating perspective with respect to their privacy rights.” [2]

Continue Reading Another Brick in the Wall: California’s Age-appropriate Design Code Act

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

Note: This story featuring commentary from Dykema’s Cinthia Granados Motley was originally published by Bloomberg Gov

  • Critical infrastructure industries would have to report hacks
  • Spending deal heading for House vote later on Wednesday

By Maria Curi | March 9, 2022, 5:31AM ET

Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.

The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday. Continue Reading Cyberattack Reporting Requirements Included in Spending Deal

The Illinois Supreme Court unanimously ruled on Thursday that the Illinois Biometric Information Privacy Act (BIPA) is not preempted by the Illinois Workers’ Compensation Act (IWCA).

This decision clears the way for employees to pursue BIPA statutory damages ($1,000 for each negligent violation or $5,000 for each intentional or reckless violation), a significant and costly defeat for employers in a case that was followed closely by attorneys on both sides of the bar.

Continue Reading BIPA Lives On: Illinois Supreme Court Rejects Common Employer Defense of Workers’ Comp Preemption

It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors. Continue Reading Cybercriminals Finding Success In Targeting New Industries

On August 11, 2021, the Federal Financial Institutions Examination Council (the “FFIEC”) issued new guidance on risk management principles for access to and authentication of electronic funds transfers for the first time in over a decade, titled Authentication and Access to Financial Institution Services and Systems (the “New Guidance”).[1] The New Guidance effectively replaces the FFIEC’s prior guidance on this topic, including its original guidance issued in 2005, Authentication in an Internet Banking Environment (the “Original Guidance”), and the supplement issued in 2011 in response to increased fraud in Internet-based financial transactions (the “Supplement,”[2] and together with the Original Guidance, the “Guidance”). The Guidance was intended to set regulatory expectations for financial institutions offering Internet-based financial services to both commercial and consumer customers.

Continue Reading An Enhanced Standard of Commercial Reasonableness for Security Procedures? The FFIEC Updates Its Authentication Guidance for Internet-Based Financial Services

The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek to discover on (i) how these companies collect, use and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.

In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote: Continue Reading FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 school, compare to 28 percent of such incidents from January through July. Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

Last week FireEye announced publicly that it had suffered a cyber-attack by  a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm whom provides information security services and tools, including forensic investigation services, to high profile clients worldwide. In its public disclosure of the breach, FireEye reported the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have download the update with the malicious trojan. Continue Reading CISA Issues Warning to Mitigate Widespread Vulnerability

While public attention focused on the federal and state elections, Michigan voters made an important decision—they adopted Proposal 20-2, which amended Michigan’s Constitution to extend its protection from unreasonable searches and seizures to electronic data and communications. With the proliferation of personal electronic devices and storage of business information on computers used at home in the past few decades, federal and state courts, including the Supreme Court, have grappled with how to apply Fourth Amendment protections against unreasonable searches and seizures in a digital age. Although Proposal 20-2 might not change investigative practice, it clarifies that electronic data and communications are subject to the same protection against unreasonable search and seizure as other “traditional” information, such as paper records. Continue Reading Michigan Voters Add Constitutional Protections for Electronic Data and Communications