On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans, and not just retirement plans, but also health and welfare plans. Also, as a direct response to service providers’ concerns, the DOL expanded its 2021 guidance to emphasize that plan sponsors, fiduciaries, recordkeepers, and participants should adopt cybersecurity practices across all employee benefit plans. With cyber risks continually evolving, the update highlights the importance of implementing robust security practices to protect participant information and plan assets.Continue Reading The Department of Labor’s Expanded Cybersecurity Guidance: What ERISA Plan Sponsors and Fiduciaries Need to Know
Jason Priebe
Surprising Plot Twist: The European Data Protection Supervisor Reprimands the European Union for its use of Microsoft 365
The European Union (EU)’s government organizations are just like any another entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way that complies with the GDPR processing and transfer restrictions. And it turns out that even the European Commission (EC) itself can apparently get it wrong. In a surprising turn of events earlier this month, the European Data Protection Supervisor (EDPS) concluded its nearly three year investigation into the Commission’s own deployment and use of Microsoft 365, signaling a pivotal moment in the conversation about the GDPR privacy and security requirements for cloud-based messaging and document collaboration platforms.Continue Reading Surprising Plot Twist: The European Data Protection Supervisor Reprimands the European Union for its use of Microsoft 365
Adequacy for the US (kind of) – But What Are the Side Effects?
On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.
For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community had an ability to engage in disproportional data collection without any possibility of recourse by EU residents whose personal information may be swept into an investigation. The actual functioning of the program for the certifying businesses were much less controversial.
Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.
What is interesting about the new DPF is how it may impact a company’s decision to choose between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.Continue Reading Adequacy for the US (kind of) – But What Are the Side Effects?
California Courts Give an Independence Day Present – CCPA Regulation Enforcement Delayed
The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency (“CPPA”) back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.
This is a result of the Court finding (account to access required) that it was the intent of the voters to require a 12-month “grace period” for businesses to build out their CCPA compliance programs. As a bit of background, and as we mentioned in our article back in April that you can find here, the California Chamber of Commerce (“the Chamber”) filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued that the CCPA regulations passed by the CPPA should only be enforceable only after 12 months from the final promulgation of all the required regulations set out in Proposition 24 and sought injunctive relief to delay CPPA’s enforcement. The Chamber lawsuit was filed the day after the CPPA finalized their regulations across 12 of the 15 areas of the CCPA which rulemaking is required under Proposition 24.Continue Reading California Courts Give an Independence Day Present – CCPA Regulation Enforcement Delayed
Texas Joins the Privacy Party
2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star state the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability exercise rights on behalf of their minor children.
The Texas Act provides the usual compliment of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally effected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.Continue Reading Texas Joins the Privacy Party
Two New State Privacy Laws – But What is Really New?
Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.
Is there Really Anything New?
While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).Continue Reading Two New State Privacy Laws – But What is Really New?
Ransomware Attacks – Harmless Annoyances or Catastrophic Events?
Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against U.S. companies. A bad actor, often from overseas, will gain access to upload malware onto a company’s network storage or application platforms that encrypts all files it can access. A message or text file is usually left with instructions on how to contact the attacker to pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze the business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications are created by a ransomware attack?
Privacy
The greatest legal concern is one of privacy. By definition, ransomware attacks gain access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal and privacy obligations differ from one attack to another.Continue Reading Ransomware Attacks – Harmless Annoyances or Catastrophic Events?
California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)
California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really?
Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)
CJEU Invalidates EU-US Privacy Shield Framework
Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.
While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Continue Reading CJEU Invalidates EU-US Privacy Shield Framework
The CCPA Regulations Are Finally Here
Monday, California Attorney General Xavier Becerra submitted of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA. This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.
Continue Reading The CCPA Regulations Are Finally Here