Category: Privacy and Data Security

States Step Up Data Privacy and Security Regulation

State legislatures in California and New York have responded to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA requires businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt out of its sale, and to create privacy policies detailing their processes for selling or distributing consumer data....

Gibbons Hosts “Keys to Negotiating Better Software & Software-as-a-Service Agreements” Seminar – October 16-18, 2019

From October 16-18, Peter J. Frazza, a Director in the Gibbons Commercial & Criminal Litigation Department, will lead a seminar in Las Vegas analyzing the negotiation of software licenses and software-as-a-service agreements, including data protection and privacy issues companies face that are specific to software transactions, artificial intelligence, and the Internet of Things (IoT). Mr. Frazza has over 30 years of experience handling complex lawsuits and contract negotiations on behalf of licensees and users in software licensing and software-as-a-service matters. For additional seminar details or to register, visit

New Fair Credit Reporting Act – Summary of Rights Forms

The Consumer Financial Protection Bureau (“CFPB”), the federal agency that administers the Fair Credit Reporting Act (“FCRA”), just issued new Summary of Rights forms. An employer conducting a background check on an employee or applicant through a consumer reporting agency must provide such employee or applicant a Summary of Rights notice when first obtaining consent to conduct the background check — together with a written disclosure about the use of the background check — and when taking adverse action based on the background check. Starting today, September 21, 2018, the new Summary of Rights form must be used. The CFPB also issued forms called Summary of Consumer Identity Theft Rights that credit reporting agencies must provide to consumers who are the subject of identity theft. A new law also requires credit reporting agencies to implement a “national security freeze” at no cost to a consumer that restricts prospective lenders from access to a consumer’s credit report. Other changes include a one-year (instead of 90-day) notification of a fraud alert in a consumer’s file. The notification informs a lender that the consumer may have been the victim of identity theft, for which the lender must take additional steps to verify the identity of anyone attempting to obtain credit in the consumer’s name....

New Jersey Poised to Mandate Across-the-Board Information and Data Security Preparedness

The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct due diligence when engaging third-party service providers with access to the company’s records containing personal...

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would rise to $600 after a short period of time, and if the company-victim refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, and potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important as, if not more important than, the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is a victim of a successful attack.

Implement a Written Information Security Program. Knowing how to mitigate the effects of a breach and how to respond upon notice of a breach starts with...

NY Updates Cybersecurity Requirements for Financial Services Companies

On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else

On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever-growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

Defend Trade Secrets Act of 2016: Signed into Law

On May 11, 2016, President Obama signed the Defend Trade Secrets Act (“DTSA”) into law. President Obama publicly supported this legislation and efforts generally directed to strengthen trade secret protections within the U.S. economy. As we previously reported on May 3, 2016 and November 24, 2015, trade secret misappropriation was formerly treated exclusively as a matter of state law, governed by varied versions of the Uniform Trade Secrets Act as enacted in most states. A lack of uniform enactment of this Act resulted in differences in the application of the law between states, which presented difficulties for trade secret owners seeking to enforce their rights in the general commerce.

Defend Trade Secrets Act of 2015 Passes House, Heads to President Obama’s Desk

On April 27, 2016, the Defend Trade Secrets Act (“DTSA”) passed the House of Representatives with a 410-2 vote. The two no votes were from Rep. Justin Amash (R-MI) and Rep. Thomas Massie (R-KY). Earlier this month, on April 4, the Senate passed the DTSA by a unanimous vote of 87-0. Now, the DTSA heads to President Obama’s desk for his signature.