Earlier this year, we wrote about the SEC’s cybersecurity priorities. Since then, the SEC announced a settlement with First American Title Insurance and Services (“First American”) for violating Rule 13a-15(a) of the Exchange Act, and issued a voluntary request for information to a number of companies in connection with the SolarWinds cyber attack (“Voluntary Request”). In this Debevoise Data Blog…

On July 19, 2021, California Attorney General Rob Bonta announced his first-year enforcement update on the California Consumer Privacy Act (“CCPA”), and unveiled a tool to help the Attorney General’s office (“CAAG”)—the primary enforcer of the CCPA until the California Privacy Protection Agency takes over—identify CCPA violations. Over a year ago, on July 1, 2020, the first day of enforcement,…

Companies face increasing risk to their operations resulting from a cyber breach of a critical vendor. We have recently written about creating a sensible cybersecurity and AI risk framework for critical vendors, and regulators have issued both formal and informal guidance addressing vendor cybersecurity risk management: The SEC, New York’s Department of Financial Services, the FTC, FINRA, the CFTC/NFA…

The big news in June was the EU Standard Contractual Clauses for cross-border data transfers to non-EEA countries. There were also significant developments for companies engaging in employee surveillance, ad tech, data scraping and the use of AI. Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened: As reported in our blog post, the European Commission…

This is Part 2 of a two-part article on the recent U.S. Supreme Court TransUnion decision.  In Part 1, we discussed the implications of the decision for standing in cyber cases. On June 25, 2021, the Supreme Court issued a significant opinion on standing in the context of consumer class actions in TransUnion LLC v. Ramirez. The Supreme Court affirmed…

Colorado has just adopted a brand-new data privacy law and Nevada has just significantly amended its law. These changes add rights for consumers, and compliance obligations for businesses, that take the U.S. further in the direction of European-style privacy law. Colorado and Nevada join California and Virginia in adding to the growing patchwork of disparate state laws — making it…

This is Part 1 of a two-part article on the recent U.S. Supreme Court TransUnion decision.  In Part 2, we will discuss the implications of the decision for efforts to defeat class certification. Individuals whose personal information was compromised in a data breach have had mixed success in bringing lawsuits in federal court against the companies that held their data.…

What’s happened? The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course. Companies will only be able to enter into new…

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a…

On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five-member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA. While the meeting focused on…