For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2010. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation. Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action

The U.S. Supreme Court’s grant this week of the petition for certiorari in a case involving the Telephone Communication Protection Act (TCPA) prohibition on unsolicited fax advertisements could have significant implications for the Federal Communication Commission’s (FCC) anticipated ruling on what constitutes an automatic telephone dialing system (ATDS) under the TCPA.

The petitioner in PDR Network v. Carlton & Harris Chiropractic sent a fax in 2013 to a West Virginia chiropractor offering a free copy of the Physicians’ Desk Reference. The chiropractor declined the offer and sued PDR in West Virginia federal court, alleging that PDR had violated the TCPA by sending it an unsolicited fax advertisement. PDR moved to dismiss, arguing that the fax was not an “unsolicited advertisement” because it offered the desk reference for free rather than for purchase. The chiropractor disagreed, arguing that the fax was an “unsolicited advertisement” because a 2006 FCC rule interpreted the term to include “facsimile messages that promote goods or services even at no cost.” Continue Reading SCOTUS Decision in Unsolicited Fax Case Could Have Broader TCPA Implications

On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.

As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance). Continue Reading Listen to Our Webinar on “The SEC’s Special Report on Business Email Compromises: What It Means and What You Should Do”

The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.

On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.”  In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters. Continue Reading SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls

The Federal Election Commission (FEC) released a draft advisory opinion (draft AO) yesterday, holding that a nonprofit corporation providing certain cybersecurity services to candidates and political parties are not in-kind contributions.

Defending Digital Campaigns, Inc. (DDC) is a nonprofit corporation under Washington, D.C., law, exempt from federal income tax under § 501(c)(4). Its stated purpose is “to provide education and research for civic institutions on cybersecurity best practices and assist them in implementing technologies, processes, resources, and solutions for enhancing cybersecurity and resilience to hostile cyber acts targeting the domestic democratic process.” DDC’s request for an AO seeks the FEC’s guidance on whether the Federal Election Campaign Act, 52 U.S.C. §§ 30101-45 allows DDC to provide certain cybersecurity services, software, and hardware to candidates for federal office and political parties for free or at a reduced cost, or whether those actions would constitute in-kind contributions. Continue Reading FEC: Cybersecurity Services to Candidates, Political Parties Not In-Kind Contributions

This month marks 15 years of observing National Cyber Security Awareness Month (NSCAM) in October.

The program was started way back in 2004, by the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate Americans about ways to stay safer and more secure online.

Technology has transformed most aspects of daily life since 2004, when:

  • Smartphones didn’t exist (Blackberry’s don’t count).
  • Thefacebook.com was born in a Cambridge dorm room.
  • Google launched a new product called “gmail” – and went public.
  • “Blog” was Merriam-Webster’s word of the year.
  • Twitter, YouTube et al. did not exist.
  • Netflix was a mail-order, DVD-rental business.
  • California was the only state that had enacted a data breach notification law.

Continue Reading Welcome to National Cybersecurity Awareness Month

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business. Continue Reading GLBA and the California Privacy Act: Analyzing SB 1121’s Change to the Financial Institution Carve-Out Provision

Please join Ballard Spahr on October 4, 2018 in New York City for “Concordant Crossroads: Regulation and Innovation in the Automotive Industry,” presented by the Thomson Reuters Legal Executive Institute. Co-chaired by Ballard Spahr partners Neal Walters and Philip N. Yannella, this conference offers a practical and robust examination of the disruption that autonomous technology and regulation pose to transportation and the automotive industry. Continue Reading Join Us at Concordant Crossroads: Regulation and Innovation in the Automotive Industry

The Office of Civil Rights of the Department of Health and Human Services has announced settlements with three different Boston-area hospitals for allegedly compromising the privacy of protected health information by inviting documentary film crews on premises without first obtaining patient authorization.  The three settlements call for a total of almost $1 million in penalty payments and require each of the hospitals to undertake corrective action.  The corrections are not the same for each hospital and range from workforce education and communication to the establishment of specific procedures, for example, for deciding when to allow media access and for putting safeguards in place to monitor film crew activity. Continue Reading Beware the Bright Lights

On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018. Continue Reading Mandatory Data Breach Notification in Canada: Understanding Your New Obligations