yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

California continues to be at vanguard of data privacy rights.  The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians.  The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires a Californians to submit their deletion and opt-out requests on a company-by-company basis.… Continue Reading

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues.  Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the  process moving forward. … Continue Reading

On June 28, a group of plaintiffs filed a class action lawsuit against OpenAI—creator and publisher of the generative artificial intelligence (AI) tool ChatGPT—as well as OpenAI’s primary investor, Microsoft.  The 151-page complaint is the first significant U.S. class action to assert that generative AI tools violate consumer privacy rights.

The Complaint, filed in the Northern District of California, challenges the core of the generative AI models. … Continue Reading

Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. … Continue Reading

In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information.  The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements.  Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. … Continue Reading

The CFPB  has taken a significant step towards issuing regulations to implement Section 1033 of the Dodd-Frank Act by releasing an outline of the proposals it is considering in preparation for convening a small business review panel (Panel).  Section 1033 authorizes the CFPB to issue rules requiring “a covered person [to] make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”… Continue Reading

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. … Continue Reading

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. … Continue Reading

Breaking in

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. … Continue Reading

In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently.  The proposed amendments were initially made public in a package of materials to be considered by the CPPA at its upcoming June 8 meeting.  The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA. … Continue Reading