RSS FEEDSRecent Posts
- The Death of the Date of Birth
- How the IWCA Impacts BIPA Claims
- European Commission Adopts New Standard Contractual Clauses for Data Transfers from the EU
- Cyber Insurance 101
- NYDFS Provides Best Practices for Third-Party Risk Management
- Recent State Biometric Privacy Bills Put Spotlight On Federal Regulation
- U.S. Supreme Court Curtails FTC’s Authority to Obtain Restitution and Disgorgement
- (Don’t) Send in the Drones
- Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program
- Requirements for Businesses under Virginia’s New Consumer Data Protection Act
Steven M. Wernikoff
Co-Leader, Data, Privacy, and Cybersecurity Group
Co-Leader, Autonomous Vehicles Group
Showing 13 posts by Steven M. Wernikoff.
European Commission Adopts New Standard Contractual Clauses for Data Transfers from the EU
Today, the European Commission (“EC”) adopted new standard contractual clauses (“SCCs”) reflecting new requirements under the European Union’s General Data Protection Regulation (“GDPR”). The SCCs are intended to provide standardized templates for companies to utilize to comply with the GDPR’s data protection requirements. More
NYDFS Provides Best Practices for Third-Party Risk Management
In late 2020, a sophisticated adversary used the SolarWinds Orion Platform to plant covert backdoors in the networks of thousands of companies and government agencies. The attack confirms the importance of vigorous third-party risk management. Last month, the New York State Department of Financial Services (“NYDFS”) issued a report on the SolarWinds attack and provided the following steps that companies can take to reduce supply chain risk: More
U.S. Supreme Court Curtails FTC’s Authority to Obtain Restitution and Disgorgement
Yesterday, the U.S. Supreme Court, in AMG Capital Management, LLC v. FTC, sharply curtailed the ability of the Federal Trade Commission to obtain restitution and disgorgement in enforcement actions. In a 9-0 decision, the court found that Section 13(b) of the FTC Act, which authorizes the FTC to seek permanent injunctions in federal court, did not also authorize the Commission to obtain court-ordered monetary relief. More
Utah Becomes Second State to Adopt a Safe Harbor for Compliance with a Written Cybersecurity Program
With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach. The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program. More
Requirements for Businesses under Virginia’s New Consumer Data Protection Act
With Governor Ralph Northam’s signature yesterday, the Consumer Data Protection Act (“CDPA”) became law, making Virginia the second state after California to enact a comprehensive privacy law (with apologies to Nevada, which also has passed more modest privacy legislation). Although similar in many respects to the California Consumer Privacy Act (“CCPA”), which was recently updated by the Consumer Privacy Rights Act (“CPRA”), the law contains terminology more consistent with the European Union’s General Data Protection Regulation (“GDPR”). More
Eleventh Circuit Joins Courts That Have Declined to Find Standing Based on Alleged Substantial Risk of Identity Theft Resulting From a Data Breach
In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal court’s struggle with the standing requirements in a data breach case, and possibly raises the likelihood that the U.S. Supreme Court will address the issue. More
Ransomware On the Rise: Unwary Victims May Pay Twice
Given the speculation and concern over ransomware attacks impacting the 2020 U.S. election, the recent spate of private companies falling victim to such attacks, and the October 1, 2020 advisory issued by the Department of Treasury (“Advisory”), it is no surprise that ransomware is trending in cybersecurity. More
Federal U.S. Autonomous Vehicle Bill Would Update Safety Standards and Require Detailed Privacy and Cybersecurity Plans
On September 23, 2020, Representatives Bob Latta (R-Ohio) and Greg Walden (R-Ore.) re-introduced the “Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act’’ or the ‘‘SELF DRIVE Act” to create a federal framework for autonomous vehicles (“AVs”). The measure lacks bipartisan support and is not expected to reach the floor of the House of Representatives during this session. But the continued effort demonstrates the importance that many lawmakers put on promoting a U.S.-led effort in the development of self-driving vehicles. The matter likely will be among the key transportation themes before the next session of Congress, which convenes in January. On the Senate side, policymakers have not advanced autonomous vehicle bills. In the previous congressional session, an autonomous vehicle policy measure advanced in the House but came up short in the Senate. More
Considerations When Receiving a Civil Investigative Demand
A number of U.S. federal agencies have authority to issue a type of administrative subpoena called a Civil Investigative Demand (“CID”) to obtain relevant information as part of an investigation. For example, both the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) have authority to issue CIDs to obtain documents and testimony in investigations related to privacy, data security, deceptive marketing, and financial fraud. This article identifies some items to consider when receiving a CIDs based on my experience issuing and reviewing hundreds of CIDs as an enforcement attorney in the Chicago office of the FTC. More
Privacy Tips for Ed Tech Companies and Schools Conducting Remote Learning
As schools increasingly are adjusting to remote learning and utilizing education technology (“ed tech”) services, both schools and their ed tech service providers need to consider the appropriate collection and usage of student personal information. Here are some tips for protecting students’ privacy and safeguarding personal data: More