The BR Privacy & Security Download: February 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
California Attorney General Issues Notices to Businesses Regarding CCPA Violations
California Attorney General Rob Bonta issued a press release regarding the California Attorney General’s Office’s (“CA AG”) investigations of businesses operating loyalty programs for noncompliance with the California Consumer Privacy Act (“CCPA”). Under the CCPA, businesses that offer a financial incentive or price or service difference for the collection of personal information, such as through a loyalty program, are required to provide consumers a notice describing the material terms of the financial incentive program before obtaining prior opt-in consent from consumers to participate in the program. The CA AG announced that it had sent letters to major corporations in the retail, home improvement, travel, and food services industries for their failure to provide notices of their financial incentive programs. These businesses will have 30 days to cure their violations of the CCPA before enforcement action is initiated.
Amendments Proposed to Virginia’s Consumer Data Protection Act
Following the Virginia Consumer Data Protection Act (“CDPA”) Work Group’s release of its Final Report in November 2021 outlining the Work Group’s recommendations for implementing the CDPA, Virginia legislators introduced seven bills at the start of 2022 to amend Virginia’s new consumer privacy statute. The bills address several critical aspects of the CDPA, including the right to delete, the definition of “nonprofit organization,” the ability of businesses to cure alleged violations of the CDPA, and the ability of the Virginia attorney general to seek actual damages for aggrieved consumers.
New York Privacy Act Reintroduced
The New York Legislature re-introduced the New York Privacy Act (Senate Bill S6701A and its companion Assembly Bill A680A) (“NYPA”). Similar to the comprehensive privacy laws of California, Virginia, and Colorado, the NYPA provides New York residents rights to access, obtain, delete, and correct their personal data, and to know how their personal data is being used, processed, and shared. The NYPA goes a bit further than existing comprehensive privacy laws by also requiring data controllers (i.e., the entity that determines the purposes and means of the processing of personal data) to collect opt-in consent before processing personal data for any purpose with certain exceptions, as well as make disclosures about their automated decision-making activities. The NYPA also imposes a duty of loyalty and care on controllers, with the latter requiring an annual risk assessment of all of the controller’s processing activities. The NYPA would be enforced by the New York attorney general but also provides for a private right of action for certain violations of the law. If passed, the NYPA would take effect immediately.
Florida Legislature Introduces Two Comprehensive Privacy Bills
The Florida Privacy Protection Act (SB 1864) (“FPPA”) was introduced in the Florida Senate. As with other state comprehensive privacy laws, the FPPA would provide Florida residents the rights to know, delete, correct, and opt-out of the sale of their personal information, as well as to opt out of the processing of their personal information for targeted advertising. Like Virginia and Colorado privacy laws, the FPPA also requires opt-in consent to the processing of sensitive data (e.g., mental or physical health diagnosis, racial or ethnic origin, biometric information, personal information of a known child, precise geolocation data). The FPPA would be enforced by the Florida attorney general. There is no private right of action. If passed, the FPPA would become effective December 31, 2022. The Florida House of Representatives also introduced HB 9, which is largely similar to the FPPA. Notable differences include: (i) the threshold for determining the applicability of the bill (HB 9 applies to larger-scale companies); (ii) the effective date (HB 9 would take effect July 1, 2023); (iii) no requirement for opt-in consent to process sensitive data; and (iv) a limited private right of action for certain violations of HB 9.
Two Comprehensive Privacy Bills Introduced in Indiana
The Indiana Legislature has introduced two comprehensive privacy bills (HB 1261 and SB 358) to begin its legislative session. Both bills provide Indiana residents the rights to access, delete, correct, and opt out of the sale of personal information. Both bills also require opt-in consent to selling or sharing the personal information of minors under 16. Notable differences in the bills include the thresholds for the bills’ applicability, as well as HB 1261 providing for the right to opt-out of the sharing of personal information for cross-context behavioral advertising purposes and a private right of action, while SB 358 does not. Additionally, SB 358 provides specific obligations for owners or operators of social media services, including requiring publication on social media service’s website the procedures, standards, policies, algorithms, or other mechanisms used by the owner or operator for determining how content is selected for dissemination to users of the service. If passed, both bills would go into effect July 1, 2022.
Washington Privacy Act Re-Introduced along with Competing Bill
The Washington state Senate re-introduced the Washington Privacy Act (SB 5062) (“WPA”), which provides Washington residents the rights to access, correct, delete, and opt-out of the sale of personal data, as well as the right to opt-out of the processing of personal data for the purposes of targeted advertising and certain profiling. If passed, the WPA would take effect July 31, 2022. The WPA went through several iterations in the last three Washington state legislative sessions but ultimately failed to pass due to debates over enforcement and the lack of a private right of action. The Washington House of Representatives introduced a competing bill entitled the Washington Foundational Data Privacy Act (HB 1850). The bill is similar to the WPA in several respects, including the bill’s applicability thresholds, the rights afforded to consumers, and the effective date, but contains an annual registration requirement, creates the Washington State Consumer Data Privacy Commission (similar to the California Privacy Protection Agency), and contains a private right of action.
Privacy Amendment to Maine Constitution Introduced
A bill was introduced in the Maine legislature that would amend the state’s constitution to add privacy as a natural right for citizens of Maine. The proposed amendment addresses privacy in the digital age by prohibiting searches and seizures of an individual’s electronic data or electronic communications without a warrant and specifically states that a person’s interaction with the Internet, communication, or other electronic data service does not diminish a person’s reasonable expectation of privacy. Codification of the privacy right as written in the bill would seem likely to prevent Maine state courts from reaching holdings similar to a case from the Arizona Supreme Court from early 2021 that held Arizona citizens have no reasonable expectation of privacy in IP addresses or subscriber information held by third party Internet service providers under the Arizona or federal constitutions.
Two Comprehensive Privacy Bills Introduced in Vermont
Two bills were introduced in the Vermont House of Representatives. Full text of the bills has not yet been released, but short forms of the bills provide that the bills enhance data privacy protection for consumers, “give Vermonters more control over the amount and type of data that personal device manufacturers and service providers collect about them, and adopt other protections provided in the CCPA.” Both bills have been referred to the Vermont House Committee on Commerce and Economic Development.
Mississippi Senate Introduces the Mississippi Consumer Data Privacy Act
The Mississippi Senate introduced the Mississippi Consumer Data Privacy Act (SB 2330) (“MCDPA”). The MCDPA closely resembles the CCPA and provides consumers the rights to access, delete, and opt-out of the sale of personal information. The MCDPA also follows the CCPA in requiring a “Do Not Sell My Personal Information” link for consumers to be able to submit their opt out requests. Like the CCPA, the MCDPA also provides for a private right of action in the event of a data breach and provides for a 30-day cure period. If passed, the MCDPA will take effect on July 1, 2023 and before its effective date, the Mississippi attorney general is to adopt regulations to implement and further the purposes of the MCDPA.
Uniform Personal Data Protection Act Introduced in Nebraska
Nebraska has become the first state to introduce comprehensive privacy legislation based on the Uniform Personal Data Protection Act (“UPDPA”) developed by the Uniform Law Commission. The UPDPA varies in significant ways from existing state comprehensive privacy legislation in California, Colorado, and Virginia. For example, the definition of “personal data” is more limited in scope than existing state privacy laws. Another significant difference is that the UPDPA only provides data subjects the right to copy and correct personal data. The UPDPA does not include a private right of action and leaves enforcement to the state attorney general.
Competing Models of Comprehensive Privacy Legislation Introduced in Hawaii
Two comprehensive consumer privacy bills have been introduced in the Hawaii Senate (SB 2797) and House of Representatives (HB 2051). The bills would provide rights for consumers relating to their personal data, including rights to confirm processing, correct inaccuracies, delete personal data, and opt-out of the use of their personal data for targeted advertising, sales of personal data, and certain profiling activities, and would require data controllers to provide notice to consumers regarding their data practices. The proposed senate bill largely follows the model of the Virginia CDPA and the Colorado Privacy Act, while the house bill is modeled closely on the California Consumer Privacy Rights Act (“CPRA”), which amended the CCPA. However, the house bill does not provide for a private right of action like the CPRA.
Kentucky Legislature Introduces BIPA Copycat Bill
For three years now, Illinois’ Biometric Information Privacy Act (“BIPA”) has maintained its status as the hottest new class action trend, spurring an onslaught of bet-the-company litigation fueled by the law’s minimal requirements for establishing liability and high statutory damages awards. Taking note of the increased commercial use of biometric technologies today, lawmakers in Kentucky started out the 2022 legislative session with the introduction of HB 32—a carbon copy of BIPA. If enacted, Kentucky’s BIPA-copycat bill would bring with it an avalanche of class litigation similar to what companies have been facing in connection with Illinois’ biometric privacy statute. And from a broader perspective, if successful, HB 32 would likely generate further momentum for other states and municipalities to enact similar biometrics laws of their own.
Maryland Legislature Introduces Revised, Hybrid Biometric Privacy Bill
On the heels of Kentucky’s introduction of HB 32, Maryland recently became the second state in 2022 to propose targeted biometrics legislation with the introduction of its Maryland Biometric Identifiers Privacy Act bill (HB0259) (the “Act”). In both 2020 and 2021, proposals to adopt a carbon copy of Illinois’ well-known BIPA were unsuccessful. In 2022, however, Maryland lawmakers are considering legislation that departs significantly from its previous biometric privacy bills. Instead of closely following the same blueprint as BIPA, the Act incorporates only portions of the provisions that have become common components of today’s biometric privacy regulation, while at the same time also integrating a range of privacy principles ordinarily confined to broader consumer privacy laws like the CCPA. If enacted, the Maryland bill could cause a noteworthy shift in the biometric privacy legal landscape by introducing an entirely new set of compliance obligations pertaining to the collection and use of biometric data. In turn, the Act would significantly increase the compliance burdens faced by companies that utilize biometrics in their operations today.
Florida Legislature Considers Amendment to State’s “Mini Telephone Consumer Protection Act (TCPA)”
Florida lawmakers made headlines last summer when they amended the state’s Telephone Solicitation Act in a way that expanded the definition of an autodialer beyond the scope of the U.S. Supreme Court’s decision in Facebook v. Duguid, leading many to dub the Florida law as the “Mini TCPA.” The months that followed were marked by a sharp uptick in the number of cases filed under the Florida law. Now, the state is considering legislation that would amend the definition of an autodialer to make it more consistent with the federal definition and would apply the change retroactively. Noting that the 2021 change resulted in at least 100 class action complaints, the state Senate Committee on Commerce and Tourism recently voted 10-0 to recommend the amendment. Similar legislation is currently being considered by the state House Civil Justice & Property Rights Subcommittee.
FEDERAL LAWS & REGULATIONS
U.S. Chamber of Commerce Encourages Congress to Pass Federal Privacy Legislation
The Chamber of Commerce and other organizations requested Congress (via letter) to pass “comprehensive privacy legislation” due to the varying state legislations. The letter notes that California passed a privacy bill three years ago and other states have passed legislation. Broadly, Congress tends to agree there is a need for federal legislation but disagrees on the substance and whether it would preempt state privacy laws.
U.S. Representatives Send Letters to COPPA Safe Harbor Organizations
Two members of the U.S. House of Representatives, Reps. Kathy Castor (D-FL) and Jan Schakowsky (D-IL), recently sought information from all operators of third-party Safe Harbor organizations under the Children’s Online Privacy Protection Act (“COPPA”) to evaluate the effectiveness of their efforts to protect the privacy and security of children’s data. The inquiries come in response to concerns raised that the Safe Harbor organizations as they currently exist fail to adequately protect children’s online privacy, including comments made by former Federal Trade Commission (“FTC”) Commissioner Rohit Chopra that Congress must take action to enhance the level of monitoring of the COPPA Safe Harbor Program. In addition, the Representatives have also sought comments on how Congress can best strengthen COPPA and the COPPA Rule. The requests for information follow the FTC’s removal of Aristotle International, Inc. in 2021 from the list of Safe Harbor organizations for not sufficiently monitoring compliance.
FCC Chair Explores Increasing Requirements for Internet Services Providers to Report Data Breaches
Federal Communications Commission (“FCC”) Chair Jessica Rosenworcel has a proposal to modify reporting requirements for breaches of customer proprietary network information held by telecommunications carriers to reflect the “evolving nature of data breaches and the real-time threat they pose to affected consumers.” The proposal includes removing the current mandatory waiting period (seven business days) for carriers to notify customers of a breach, requiring notification of inadvertent breaches, and requiring carries to notify the FCC of all reportable breaches.
Senators Introduce Terms-Of-Service Labeling, Design, and Readability Act
U.S. Senators Bill Cassidy (R-LA) and Ben Ray Luján (D-NM), and U.S. Representative Lori Trahan (D-MA), introduced the Terms-of-Service Labeling, Design, and Readability Act (“TLDR Act”) to require company websites and mobile apps to post a simple summary of their terms of service agreements. Small businesses, as defined in the Small Business Act, are exempt from the proposed requirements. Representative Trahan said “For far too long, blanket terms of service agreements have forced consumers to either ‘agree’ to all of a company’s conditions or lose access to a website or app entirely. No negotiation, no alternative, and no real choice,” and noted there is a “potential for abuse” in designing unnecessarily long contracts. The Act requires the summaries to include specific pieces of information, including the word count or approximate time required to read the statement, the categories of sensitive information that the company processed, and historical versions of the terms of service and change logs.
Introduction of Banning Surveillance Advertising Act
U.S. Representatives Anna Eshoo (D-CA), Jan Schakowsky (D-IL), and Senator Cory Booker (D-NJ) introduced the Banning Surveillance Advertising Act of 2022, which bans “advertising facilitators” (defined as entities who receive consideration for disseminating advertisements and collect or process personal information in connection with such dissemination) from using personal information for targeted advertising. The goal is to end the use of “surveillance advertising” online. It would also prohibit targeting ads based on information classifying individuals as a protected class (i.e., race, gender). Not all targeted advertising would be banned. The bill empowers the FTC and state attorneys general with the authority to enforce the bans.
FTC Releases New Guidance for Compliance with the Health Breach Notification Rule
The FTC published two new resources to help companies comply with the Health Breach Notification Rule (“HBNR”): The Health Breach Notification Rule: The Basics For Business, which provides a brief overview of the HBNR and what it requires, as well as Complying with the FTC’s Health Breach Notification Rule, which provides more detail regarding the applicability of the HBNR, what triggers notification, and what measures are required in the event of a breach. The “Complying with the FTC’s Health Breach Notification Rule” publication also provides FAQs that provide information on the HBNR, including but not limited to penalties for violating the HBNR and the relationship between the HBNR and state breach notification laws. Entities covered by the HBNR must notify their customers, the FTC, and, in some cases, the media if there’s a breach of unsecured, individually identifiable health information. In September 2021, the FTC issued a Policy Statement clarifying that the HBNR applies to makers of health apps, connected devices, and similar products.
U.S. LITIGATION
New Trends Emerging in BIPA Class Action Litigation
As predicted, enterprising plaintiff’s attorneys are again branching out to target a broader range of biometric technologies and uses of those technologies as compared to 2021. Trends we are monitoring at the beginning of 2022 include the targeting of facial recognition-powered cameras used to monitor vehicle fleets and drivers, as well as facial recognition- and voice-powered timekeeping systems, which have been the focus of a wave of new BIPA filings during the first month of the year.
Second Circuit Rules Unsolicited Fax Requesting Survey Participation Not Unsolicited Advertisement under TCPA
The Second Circuit recently held in Katz v. Focus Forward that an unsolicited fax offering an honorarium in exchange for the recipient’s participation in a survey is not an “unsolicited advertisement” within the meaning of the TCPA. The court confirmed that a communication which attempts to poll the recipient for information does not meet the statutory definition of an “unsolicited advertisement” because it does not promote the commercial availability or quality of any property, goods, or services. The court cautioned that “[t]his is not to say that any communication that offers to pay the recipient money is thereby not an advertisement. One could imagine many examples of communications, including faxed surveys, offering the recipient both money and services, that might incur liability under the TCPA.” The Second Circuit’s decision stands in contrast to a 2020 ruling by the Third Circuit, in which a split panel held that such faxes are advertisements, reasoning that an offer of payment in exchange for participation in a market survey is a commercial transaction.
U.S. ENFORCEMENT
FTC Issues Warning to Companies to Remediate Log4j Vulnerability
The FTC issued a public notice instructing companies to remediate the serious vulnerability recently discovered in the popular Java logging package Log4j. The statement follows similar warnings from the U.S. Department of Health and Human Services and other governmental entities. The FTC warned that deployment of the available updates to the software to remediate the vulnerability are necessary to prevent consumer harm and avoid FTC legal action, and stated that the FTC “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” In addition to any steps required to remediate the Log4j vulnerability in their (and their service providers’) environments, companies should assess their overall vulnerability and patch management procedures and vendor management and supervision processes to ensure appropriate steps are being taken to timely remediate known vulnerabilities to mitigate the risk of regulatory enforcement action as well as potential litigation from consumers and investors in the event of a security incident.
FTC Reaches Settlement with ITMedia Solutions LLC
Lead generation company ITMedia Solutions LLC recently agreed to pay $1.5 million in civil penalties and face restrictions on their operations as a result of a FTC lawsuit stemming from misleading and deceptive marketing activities employed to collect millions of consumers’ sensitive financial data in violation of the FTC Act and the Fair Credit Reporting Act. According to the FTC, ITMedia operated websites that enticed consumers to provide their financial information under the guise of applying for loans. Unbeknownst to the consumers, the company did not assist them with obtaining loans, but instead sold their data to other entities as marketing leads. In addition to the civil penalty, ITMedia will also be prohibited from selling personal data except under narrow circumstances and must implement procedures to vet and monitor any third parties with whom the company shares financial data.
New York AG Warns of Account Compromise Stemming from Credential Stuffing Attacks
New York Attorney General Letitia James recently issued a report detailing the results of an extensive investigation into “credential stuffing” attacks—which entail repeated, automated attempts to access online accounts using login credentials stolen from other online services—involving 17 well-known companies and over a million compromised online accounts. In addition to detailing the attacks, the report, “Business Guide for Credential Stuffing Attacks,” also offers guidance on how businesses can protect themselves from this increasingly-popular online attack vector. In particular, the New York AG recommends the implementation of safeguards in four primary areas: (1) defending against credential stuffing attacks (e.g., by implementing bot detection software and multi-factor authentication); (2) detecting a credential stuffing breach by monitoring customer activity; (3) preventing fraud and misuse of customer information; and (4) responding to a credential stuffing incident. In addition, the report also offers guidance on the implementation of specific safeguards that have been found to be effective in each of these four areas.
INTERNATIONAL LAWS & REGULATIONS
EDPB Publishes Final Guidelines on Examples of Personal Data Breach Notification
The European Data Protection Board (“EDPB”) published the final version of its guidance on personal data breach notification (“Guidelines”). The Guidelines review 18 case studies relating to commonly encountered security incident scenarios such as ransomware, data exfiltration, internal threat actors, lost or stolen devices and paper documents, misdelivered information, and social engineering attacks. The Guidelines also include information about the risk assessment controllers should undertake in the event of a security incident affecting personal data and examples of mitigating facts and mitigating actions that a controller should take to limit risks to data subjects. Companies subject to the EU General Data Protection Regulation (“GDPR”) should review the Guidelines to determine whether their own incident response policies and procedures appropriately reflect the new guidance.
CNIL Issues Large Fines Relating to Cookie Consent Practices
The French national data protection authority, the Commission Nationale de l'informatique et des Libertés (“CNIL”), announced it had issued massive fines totaling €210 million against prominent U.S. tech companies over the companies’ failure to provide an appropriately simple mechanism to refuse all cookies on their web properties. The CNIL found that while popular web properties of these companies offer a button that allows a user to immediately accept all cookies, they do not provide an equivalent button or other solution to easily refuse all cookies. Specifically, the CNIL found that “several clicks” are required to refuse all cookies against a single click to accept them, negatively affecting a user’s freedom of consent by inappropriately influencing their choice. The enforcement decision follows several months of CNIL focus on this area, including issuance of formal notices to dozens of companies in 2021 regarding cookie consent practices relating to refusal of consent. Companies should review their cookie consent practices to ensure they are providing appropriate mechanisms for French and other EU data subjects’ choice regarding consent to and refusal of cookies.
CNIL Publishes Guidance on Re-Use of Data by Processors
The CNIL published guidance describing when and how data processors may re-use personal data for their own purposes under the GDPR, such as for product improvement or development purposes. According to the guidance, personal data may only be re-used if the new purpose for processing is compatible with the original purpose for which the data was collected. To determine whether the new use is compatible, the processor and controller from whom the personal data is received must conduct a compatibility test prior to re-use of personal data. The compatibility test must take into account the link between the new and original processing purpose, the context in which the personal data was collected, and safeguards that are in place, such as encryption, pseudonymization, and anonymization, among other things. A controller may approve the re-use of personal data only if the test shows the new processing is compatible with the original processing purpose. A data controller may not provide prior or general authorization of any re-use. Rather, approval must be provided on a case-by-case basis and in writing. Processors must be mindful of complying with their obligations as new controllers with respect to any approved re-use, and companies who are original controllers must take care to ensure they are providing data subjects with appropriate notice of the sharing and secondary processing.
Austrian Data Protection Authority Finds Use of U.S.-Based Website Analytics Tool Violates GDPR
The Austrian data protection authority has held that a website’s use of an analytics tool that transmits online identifiers such as IP addresses or other unique identification numbers to the United States violated Chapter V of the GDPR relating to cross-border data transfers. Under the Court of Justice of the European Union’s decision in Schrems II, in which the court invalidated the EU-U.S. Privacy Shield program, data may be exported to the U.S. only if adequate safeguards are in place to protect against access to the data by U.S. governmental agencies conducting surveillance activities. The court found that that because the U.S. service provider had access to the IP address data in plain text, insufficient safeguards had been provided to prevent such access by U.S. agencies. Under the ruling, it would seem that only end-to-end encryption would be sufficient to allow transfers of personal data to the U.S. The ruling may indicate a growing split between European Data Protection Agency guidance, which allows parties to take into account considerations specific to the transfer such as the subjective experience of the data importer and the sensitivity of the data at issue, and EU data protection authority enforcement practice. The Norwegian data protection authority announced that it reached a similar conclusion in cases before it that have yet to be concluded. Similar cases are pending before other European data protection authorities.
LIVE CLE WEBINAR
Future Proofing Privacy Compliance Part III: Operationalizing Opt-Outs, De-identification & Vendor Management
Wednesday, February 16, 2022
1:00—2:00 p.m. ET
10:00—11:00 a.m. PT
The California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (Colo PA) significantly expand the scope of consumer rights and control over their personal information, and mandate new notice and transparency requirements. Key differences between the obligations of these laws and existing obligations under other comprehensive privacy legislation such as the California Consumer Privacy Act and EU General Data Protection Regulation will require companies to carefully assess how they operationalize compliance with these new laws.
Join us for the third installment of Blank Rome’s multi-part webinar series on Future Proofing Privacy Compliance, where knowledgeable attorneys from our Privacy, Security & Data Protection practice group will discuss the intricacies and complexities of responding to opt-out requests, how to handle the opt out of sales of personal information and targeted/cross-context behavioral advertising and sensitive information, contracting with and managing vendors, and the standards for de-identification and aggregation.
Contact Courtney Litman via e-mail to get more information about the event.
WEBINAR SERIES
Protecting Trade Secrets & Gaining a Competitive Edge in the Digital Age
Join trusted attorneys from Blank Rome’s dynamic Trade Secrets and Competitive Hiring practice with special guests from our cross-disciplines in Labor & Employment, Antitrust Counseling & Litigation, Privacy, Security & Data Protection, and White Collar Defense & Investigations for a special multi-part webinar series on strategies companies can use to curb the heightened risk of loss of trade secret information, valuable customer relationships, and key employees to the competition while retaining their competitive advantage in the age of digital media and remote work.
Recent Developments in Corporate M&A and Commercial Restrictive Covenants
February 8, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
A discussion on the growing trend of using and litigating restrictive covenants in business and corporate transactions with added color from our Antitrust Counseling & Litigation practice.
Speakers:
Leigh Ann Buziak, Partner, Trade Secrets & Competitive Hiring
Jeremy A. Rist, Partner, Antitrust Counseling & Litigation
Protecting Information from Insider Threats and External Hackers
February 22, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
A timely conversation on the way insiders and external actors have changed their modes of attack to take confidential information with our Privacy, Security & Data Protection group.
Speakers:
Jayme L. Butcher, Partner and Co-Chair, Commercial Litigation
Sharon R. Klein, Partner and Chair, Privacy, Security & Data Protection
High Crimes & Misdemeanors: Litigation & Criminal Enforcement
March 8, 2022
12:00-12:30 p.m. ET
9:00-9:30 a.m. PT
From temporary restraining orders through trial, hear from litigators about strategic options for achieving the best result for the business, which sometimes warrants criminal referrals, with insight from our White Collar Defense & Investigations team.
Speakers:
Anthony B. Haller, Partner, Trade Secrets & Competitive Hiring
Joseph G. Poluka, Partner, White Collar Defense & Investigations
Contact Jennifer Reda via e-mail to get more information about this webinar series.
NOW AVAILABLE ON DEMAND
Future Proofing Privacy Compliance Part II: Operationalizing State Consumer Rights & Notices
Led by Blank Rome Partners Sharon R. Klein, Alex C. Nisenbaum, Jennifer J. Daniels, and Karen H. Shin, this complimentary on-demand webinar provides in-depth analysis of the details and key differences in the consumer rights and transparency requirements of the CPRA, VCDPA, and Colo PA.
RECENT PUBLICATIONS & MEDIA COVERAGE
- Ky. BIPA Copycat Bill Could Usher in Class Action Tsunami (Law360)
- The War Exclusion and State-Sponsored Cyberattacks: The Battle Is Won but Is the War Over? (Policyholder Informer)
- Biometric Privacy in 2022: How to Comply with Emerging Laws (Part 3) (Legaltech News)
- Practical Compliance Tips: Baltimore Private-Sector Facial Recognition Ban (Biometric Privacy Insider)
- Privacy & Cybersecurity Developments (Pratt’s Privacy & Cybersecurity Law Report)
- Complying with Portland’s Private-Sector Facial Recognition Ban (Pratt’s Privacy & Cybersecurity Law Report)
- Practical Guidance for Minimizing FTC Liability Exposure When Using Facial Biometrics (Biometric Update)
- Biometric Privacy in 2022: What to Expect This Year (Part 2) (Legaltech News)
- Privacy, Data Security & Workplace Wearables: Best Practices for Employers (CBA Report)
- Claim Accrual Ruling Could Bring Seismic Shift to Biometric Privacy Landscape in 2022 (Biometric Privacy Insider)
- From Fingerprints to Facial Recognition: Scanning Developments in Biometric Technology (RAIL: The Journal of Robotics, Artificial Intelligence & Law)
- Legal Tech's Predictions for Legal Technology Innovation in 2022 (Legaltech News)