2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing table top exercises and risk assessments, etc. But 2019 is looking to be even busier. Below
Continue Reading

Momentum is building for federal privacy legislation, with several different proposals circulating in Washington.  Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data.

We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.”  The standards-based approach, historically
Continue Reading

Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws.  These developments have businesses concerned that they will face a patchwork
Continue Reading

On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards
Continue Reading

A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm.

The SEC’s
Continue Reading

As we have previously discussed, public companies face a variety of legal issues following large-scale data breaches, which increasingly include federal securities class action litigations.  In the past few weeks, two new such actions were filed.  One lawsuit was filed against Chegg, Inc., an education technology company that provides
Continue Reading

In Part 1 of this blog post, we discussed some key contractual provisions that lawyers should consider when entering into agreements with cloud service providers (“CSPs”).  In this Part 2, we discuss some additional contractual considerations to keep in mind, as well as some post-contract practices to consider in order
Continue Reading

Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees:

  • Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices,


Continue Reading