President Obama signed the Fixing America’s Surface Transportation Act (FAST Act) into law on December 4, 2015. The FAST Act not only provides long-term funding for highway and infrastructure improvements and other transportation projects, but also includes several privacy- and security-related provisions, including an important provision that may reduce consumer confusion and industry compliance costs by eliminating annual privacy notice requirements for financial institutions in certain circumstances.
Continue Reading FAST Act Eases GLBA Compliance Burdens for Many Companies, Addresses Transportation and Infrastructure Privacy and Cybersecurity Issues

This article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.

In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the Company’s assets, and the Company’s liabilities and risks prior to the consummation of the transaction. A spate of significant data security incidents and exposés in the past few years has raised awareness across industries of the need to adequately contemplate privacy concerns and appropriately secure data systems. Businesses, acquirors, and investors increasingly understand that expensive data security incidents, lawsuits, and government investigations can result from basic failures to comply with applicable privacy laws or data processing contracts or, with regard to information security, well-established industry best practices.
Continue Reading Privacy and Data Security Due Diligence

This article is the second in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.

In light of numerous costly security breaches affecting disparate sectors of the American economy, public companies—ranging from merchants like Target Corporation and The Home Depot to technology firms like Adobe Systems, and from entertainment companies like Sony Entertainment to insurers like Anthem Blue Cross, to name a few examples—are under increased pressure to ensure that cyber risks are appropriately evaluated, addressed, and disclosed to investors. Because of the increasing number and cost of data security incidents, the U.S. Securities and Exchange Commission (SEC) has taken an active role in advising public companies on how to appropriately manage and disclose cyber risks. SEC cyber risk guidance to date, outside of advice specific to the financial services industry, relates to: (i) the responsibilities and duties that boards of public companies must bear with regard to cyber risk; and (ii) the manner in which public companies should disclose (when appropriate) the relevant cyber risks in company filings with the SEC.
Continue Reading Navigating Public Company Cybersecurity Obligations: Advising Boards and Disclosing to Investors

This article is the first in a series of articles that will discuss the importance of privacy and data security considerations in the transactional context.

Data privacy and data security continued to capture headlines and boardroom attention in 2014, as the EU “right to be forgotten” ruling, the Sony cyberattack, new laws and lawsuits, and investor pressure on executives and boards regarding cybersecurity issues provided continued worries for legal departments, executives, and directors. The ongoing coverage of these incidents has caused many legal departments, executive teams, and boards of directors to become more familiar with data privacy and security risks. Many businesses are taking steps to reduce their risk exposure by reviewing and enhancing their privacy and data security programs, ensuring that they maintain appropriate cyber insurance, and working with service providers, vendors, customers, and employees to minimize the likelihood of becoming the next target of a cyberattack or class action litigation.
Continue Reading Privacy and Data Security in Transactions: What’s the Deal?

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger. If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data, and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised. The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification