The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.

The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislation. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.

Last month, the California Attorney General approved the final set of regulations interpreting the requirements of the California Consumer Privacy Act (Cal. Civ. Code Sections 1798.100 et seq.) (the “CCPA”).

What does it include?

The final CCPA regulations include a number of points of clarification such as what it means to provide “notice at collection,” the methods to provide a consumer with access to a business’s privacy policy and what content is required to be disclosed in that privacy policy, and the methods by which a company must provide consumers with a right to opt out from the sale of their personal information.

On April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses, including class actions, arbitration agreements and data privacy.

The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers.  Among those 1,300 workers was Frank Varela, the named plaintiff.  Id. at *2.  Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name. 

One of the most common things we discuss with clients is the need to ensure that privacy policies accurately reflect the actual procedures in place for handling confidential information.  The SEC reiterated that point last week in a Risk Alert that encouraged SEC-registered companies to review their written policies and procedures to ensure adequate implementation and compliance with the law.  In the Risk Alert, the Office of Compliance Inspections and Examinations (“OCIE”) published a list of issues under Regulation S-P (the privacy rule) it has seen in the context of exams.

Overview of the Ruling

On March 16, 2018, just before tip-off in the first round of the NCAA tournament, the D.C. Circuit provided the TCPA defense bar with a new playbook of sorts, in the form of a decision that will surely change the game for TCPA litigation. The case, of course, is ACA International v. FCC, and the ruling came down nearly 18 months after oral arguments. ACA Int’l et al. v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). It appears to be worth the wait as the D.C. Circuit slam dunked the former definition of automated telephone dialing equipment (“ATDS”) and the “one-call safe harbor” rule for reassigned numbers.



What Is GDPR?
The EU General Data Protection Regulation (GDPR), described as “the most important change in data privacy regulation in 20 years,” becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; organizations that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.



A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response.  Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country.  The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. 

As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place.  The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.

We have written previously in this space about the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:

