cybersecurity.jmbm.comCybersecurity Lawyer Forum — Published by JMBM’s Cybersecurity and Privacy Group — Jeffer Mangels Bu

tler & Mitchell LLP Contact Us Tap Here To Call Us Phone: +1.310.785.5331 Phone: +1.310.201.3529 cyberlawyer@jmbm.com Cybersecurity Lawyer Forum Published By Jeffer Mangels Butler & Mitchell LLP Navigation Home Our Team What We do JMBM LLP Subscribe Contact Us CONTACT US: 310.201.3553 January 12, 2024 Time to Update your Privacy Policy by Robert E. Braun and Stuart Tubis In 2024, privacy laws adopted by Montana, Oregon, Texas and Utah will become effective. While the laws have much in common (and are similar to the laws already in effect), they each have special characteristics, and companies will need to evaluate how they impact operations, disclosures and policies. What do they have in common? Each of the new laws provides similar rights to consumers: The right to opt out of data collection and processing The right to correct inaccuracies in their personal data The right to access a copy of their data The right to delete their personal data The right to opt in, or opt out, of processing sensitive personal data The right to opt out of the sale of personal data, profiling, or profiling personal information for targeted advertisements The statutes also impose similar obligations on businesses: Publish a privacy notice and description of business’s data collection and processing practices, and whether data is shared with third parties Recognize opt-out preference signals, which could allow consumers to opt out of data collection and processing without having to verify their identities Perform and document data protection assessments (DPAs) for high-risk processing activities None of the new state laws provides for a private right of action like California’s (which allows users to sue violating companies), but each of them has an enforcement mechanism that includes penalties for noncompliance. Enforcement will generally be carried out by the attorney general of these states. Continue reading by Robert E. Braun and Stuart Tubis Posted in: Policies and Procedures and Privacy Regulations January 12, 2024 Updated: January 16, 2024 2:59 pm July 31, 2023 Time is Short – Reporting your Data Breach by Robert E. Braun Companies that are subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act face the challenge of complying with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded companies that suffer a data breach. Because the SEC’s standards for disclosure often set a standard for private companies as well, the regulations are likely to have an impact on other companies. Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach. The SEC Acts. Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations. Continue reading by Robert E. Braun Posted in: Policies and Procedures and Privacy Regulations July 31, 2023 Updated: July 31, 2023 10:21 am June 13, 2023 State of Play – State Privacy Laws in the United States by Robert E. Braun Congress has managed not to adopt a federal privacy law, leaving it to the Securities Exchange Commission, the Federal Trade Commission, and other regulators to fill the void – something that will take years to implement and will be subject to challenges. We now have, however, ten state privacy laws – five adopted in just the past two months. While the laws have commonalities, none of them are entirely consistent with each other; businesses, particularly those with operations in multiple states, will have to consider how to comply in an efficient and effective manner. This will be no easy task, since in addition to the ten existing state laws, there are nine additional states with active bills. When state legislatures return, it is entirely likely that we will need to revisit this issue. Creating a privacy regime requires an individual analysis of each company, including the data it collects, how it uses it, and who has access to it. Ten separate laws make the job much more difficult, but we start here on three points – who is covered, what rights are granted, and key similarities and differences. Continue reading by Robert E. Braun Posted in: Privacy Regulations June 13, 2023 Updated: June 13, 2023 9:29 am May 23, 2023 Is it Time to Analyze Analytics? by Robert E. Braun and Michael A. Gold Website analytics are a key part of understanding whether a website works,” and how to improve it; they arose almost at the same time that companies began using websites to transact business. For the most part, and for a long time, website analytics were seen as benign – a way to track information without trampling on an individual’s privacy rights. But the multitude of ways in which companies collect information on websites without a user’s knowledge make it more and more likely that a website owner can find itself in violation of privacy laws. More than that, analytics have become a security issue. The tools used to collect visitor data – cookies, pixels, beacons, and other technologies – have created a risk surface that can allow bad actors to identify targets and breach defenses. At the same time, the nature of these tools makes them one of the risks that companies can manage, allowing them to comply with privacy mandates and reduce cyber risk. In the Beginning . . . Originally, analytics were limited. Cookies and other devices allowed a website recognize a user, and to smooth the operations of the website. This little piece of code on your computer made it easier to log on to a website, to complete a purchase, and to see the information you look for. Although cookies did allow the website to recognize a user – essentially, to collect personal information – they were generally limited to the website; they were also typically session cookies” used to facilitate a single user session, or persistent cookies,” allowing the site to differentiate a new visitor from a prior visitor. Since then, the tools used to identify website visitors and their actions have exploded in both numbers and potency, creating opportunities and challenges for website owners. Continue reading by Robert E. Braun and Michael A. Gold Posted in: Privacy Regulations May 23, 2023 Updated: May 23, 2023 11:24 am October 24, 2022 The CPPA Speaks Again – Five Takeaways by Robert E. Braun On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of...