In a long-awaited final decision, the UK Information Commissioner’s Office (the “ICO”) has issued a fine of £20m to British Airways (“BA”) following a data breach that took place in 2018.  Although by some way the largest fine ever issued by the ICO, this represents a significant reduction from the £183.39m fine initially proposed by the ICO in July 2019,…

On October 13, 2020, Anna Gressel and Avi Gesser from Debevoise’s Data Strategy and Security Group, along with their special guest, Jon Godfread, North Dakota Commissioner of Insurance and Chair of the National Association of Insurance Commissioners (NAIC) Artificial Intelligence Working Group, had an insightful conversation concerning the NAIC AI Working Group’s Principles on Artificial Intelligence, including: Implementing systematic risk management…

On October 1, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”) issued guidelines on the use of cookies and trackers (the “Guidelines”). These Guidelines are meant to clarify applicable law and to help public and private entities establish good practices for their use of cookies and similar technologies in France. The CNIL also…

Earlier this year, we shared a list of 13 technical and nontechnical measures companies can adopt to mitigate the risks of ransomware attacks. With ransomware and other malicious cyber-related attacks continuing to grow in frequency, scope and sophistication, two divisions within the U.S. Treasury Department issued advisories last week detailing risks and considerations regarding financial transactions related to these events. …

Throughout September, companies, regulators and policymakers have continued to respond to the fallout from Schrems II.  Since our last update we have also seen the second largest fine to date under the GDPR, the start of a major class action against YouTube, as well as a raft of new policy developments covering topics ranging from artificial intelligence to antitrust in…

The business-to-business (“B2B”) and human resources (“HR”) exemptions to the California Consumer Privacy Act (“CCPA”) have been extended for a full year, and will now expire no sooner than January 1, 2022 – and a further one-year extension seems likely. The B2B and HR exemptions have thus far permitted businesses to omit these types of data from their CCPA compliance…

We have recently written about the persistence of the three most common cyber attacks: Ransomware, Phishing and Business Email Compromises (BECs), and the increased regulatory scrutiny that companies face when they fall victim to these attacks. Two recent developments demonstrate that credential stuffing is yet another serious cybersecurity risk that is on the rise and has the attention of regulators. First,…

As businesses and government offices ramp up their on-site operations, they are turning to smartphone applications to help keep track of the health status of persons entering their buildings. In this Part 1 of our two-part blog post on back-to-work apps, we provide a checklist of issues to consider for health questionnaires.  In Part 2, we will do the same…

Reproduced with permission. Published Sept. 10, 2020. Copyright 2020 The Bureau of National Affairs, Inc. 800-372-1033. For further use, please visit http://www.bna.com/copyright-permission-request/
There’s been dramatic growth in the role lawyers play in cybersecurity. When we started practicing in the area of artificial intelligence, we heard many of the same questions that we faced about cybersecurity years ago: What do the…

August proved to be another busy month for data protection developments in Europe, fuelled in part by the aftermath of the Court of Justice of the European Union’s (“CJEU”) decision in the “Schrems II” case. Enforcement The most noteworthy GDPR enforcement-related developments from August include: Marriott indicates potentially significant decrease in anticipated ICO fine. The ICO had announced in July…