yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant

The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year.  Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year.  Not surprisingly, this surge in crypto breaches has led to litigation.  In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act

In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently.  The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting.  The proposed amendments—which in effect are the draft CPRA regulations—were

The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations.  To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft

In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make. 

Connecticut is the next in a growing list of states to pass comprehensive data privacy legislation.  Last Friday, the Connecticut legislature passed, by large margins, Senate Bill 6 — which we are referring to as the Connecticut Data Privacy Act (CTDPA).  The law now awaits the Governor’s signature.

The CTDPA follows the form and content of other privacy laws passed in the prior year, including the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Privacy Act (UPA).  California, of course, passed the California Consumer Privacy Rights Act (CPRA) via ballot initiative in 2020.  All of these laws will become effective in 2023.
Continue Reading  Connecticut Poised To Become Fifth State to Enact a Privacy Law

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting

In a series of recent statements and releases, Lina Khan, the Chair of the FTC, made clear the Commission’s intention to revamp its oversight of consumer data privacy and establish more substantive limits on commercial data collection and processing activities. This plan is motivated in part by the increased adoption of workplace surveillance technologies as well as the “growing recognition that the ‘notice-and-consent’ framework” traditionally used by U.S. businesses may not be sufficient to protect consumer and employee rights. Chairperson Khan hopes to obtain additional funding to help recruit the talent required to develop this new framework, which is designed to bring the FTC “in line with similar agencies internationally.” However, the FTC plans to update its approach to “keep pace with new learning and technological shifts” regardless of whether funding is ultimately obtained. 
Continue Reading  FTC Chair Announces New Privacy Approach

The California AG recently released its first Opinion interpreting the California Consumer Privacy Act (CCPA), highlighting a brewing conflict over the inferences that businesses generate about their consumers. This Opinion addresses the question of whether Right to Know requests extend to these inferences.  It states that businesses are obligated to disclose inferences (1) derived from either public or private personal information (2) that are used by the business for the purpose of creating a profile about the consumer. While the Office of the Attorney General acknowledged that the CCPA does not require businesses to reveal trade secrets, the Opinion raised serious questions as to whether inferences may qualify as trade secrets and, if so, the scope of a business’s compliance obligations.
Continue Reading  Are Inferences Trade Secrets Under the CCPA?