yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

In the latest episode in our monthly webcast series, Privacy and Data Security practice co-leaders Phil Yannella and Greg Szewczyk give a comprehensive rundown of the American Data Privacy and Protection Act (ADPPA), including: The status of the bill, key components, the private right of action, and the bill’s differences from state laws. Phil

In a class action with potentially significant impact on data sharing disclosures that companies routinely provide in online privacy policies, the Third Circuit recently ruled that NaviStone, a third party marketing service, was not a “direct party” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) and thus was potentially subject to liquidated damages

The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.

Continue Reading  CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant

The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year.  Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year.  Not surprisingly, this surge in crypto breaches has led to litigation.  In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act