The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. … Continue Reading
Kansas Passes an Act Requiring Mortgage Companies, Supervised Lender, and Money Transmitters to Create Information Security Standards Consistent with GLBA’s Consumer Information Safeguard Rule
On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as in effect on July 1, 2023.… Continue Reading
Senator Bennet Proposes Federal Commission to Regulate Artificial Intelligence
Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. … Continue Reading
California Enforcement Sweep Targets Mobile Apps – With a Focus on Honoring “Permission Slip” App
On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA). This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information. … Continue Reading
FTC extends deadline for updated Safeguards Rule by six months
On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.
The FTC approved changes to the longstanding Safeguards Rule in October 2021. … Continue Reading
NYDFS Announces Updated Cybersecurity Regulation
On November 9, 2022, New York Department of Financial Services (NYDFS) Superintendent Adrienne Harris announced that the NYDFS formally proposed an updated cybersecurity regulation. Although the updates had previously been released in draft form, the formal announcement commences the 60-day comment period.
The proposed regulations would create three different tiers of companies based on their size, operations, and nature of their businesses. … Continue Reading
CPRA’s employee and B2B exemptions appear destined to sunset
The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception. As a result, when the the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. … Continue Reading
FTC Takes Aim at “Commercial Surveillance”
In an active week for federal regulators, the Federal Trade Commission (FTC) joined the CFPB in announcing important initiatives that may change privacy and data security practices in major ways.
On August 11, the FTC released its Advanced Notice of Proposed Rulemaking, seeking public input on a host of questions relating to what it describes as “commercial surveillance”—or “the business of collecting, analyzing, and profiting from information about people”—in order to determine whether to issue a new rule “to protect people’s privacy and information in the commercial surveillance economy.” … Continue Reading
NYDFS Announces Draft Amendments to Cybersecurity Regulation
On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.
The Amendments contain three significant changes relating to ransomware. First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. … Continue Reading
Unpacking the FTC’s Recent Blog Post Regarding Breach Notification
The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. … Continue Reading