Eversheds Sutherland Cybersecurity and Privacy Insights Blog

Updata: Your quarterly data privacy and cybersecurity update – April to June 2021 – Edition 12

Welcome to the latest edition of Updata – the international update from Eversheds Sutherland’s dedicated Privacy and Cybersecurity team. Updata provides you with a compilation of privacy and cybersecurity regulatory and legal updates from our contributors in the US and around the globe over the past quarter. The most recent edition is full of newsworthy items, including the new Colorado privacy law and new European guidelines on the targeting of social media users, China’s Personal Data Protection Law, proposed legislation in Russia, and more. Learn more.

Colorado’s new privacy law: How it stacks up against other US privacy laws

Companies compliant with the GDPR and similar US state laws will have a substantial head start with the Colorado Privacy Act. Recognizing the key differences will enable organizations with a well-designed compliance program to efficiently accommodate all these laws. The law provides for a mandatory universal consumer opt-out of targeted advertising, data sales and profiling. The Colorado law places new obligations on those businesses not subject to federal privacy laws. Enhanced mechanisms for enforcement make compliance even more important in implementing a robust compliance program. Learn...

Once more out of the breach: SCOTUS resolves the CFAA circuit split

The United States Supreme Court took a narrow view of what the Computer Fraud and Abuse Act (the federal anti-hacking act) prohibits. SCOTUS ruled last week that the CFAA’s “exceed authorized access” language does not reach those who have authorized access but who use their access for prohibited purposes. The ruling will likely be celebrated by cybersecurity practitioners but may prompt legislative reform from Congress. Given the Department of Justice’s increasing focus on combatting cybercrime, staying abreast of developments in data protection will be ever more important in the coming...

US House AI Task Force is the latest authority to address algorithms and racism

On May 7, 2021, the US House of Representatives’ Task Force on Artificial Intelligence (AI) held a hearing on “Equitable Algorithms: How Human-Centered AI can Address Systemic Racism and Racial Justice in Housing and Financial Services.” It was the latest among several federal, state and international governmental initiatives calling for fair, transparent and accountable AI in the financial and consumer sectors, and urging all AI actors to address inequitable outcomes. This hearing focused on ways that the public and private sectors can use AI to address systemic racism and optimize...

Vaccinations in the Workplace: The Privacy Conundrum

COVID-19 vaccines are now widely available, signaling an eventual return to work. That is certainly welcome news for employees and employers alike, but employers are finding themselves in an unprecedented quandary—whether they can condition workforce re-entry on proof of employee vaccinations. The Equal Employment Opportunity Commission (EEOC) and state legislatures have generally green-lighted employer vaccination programs, so long as employers comply with other statutory and contractual (such as union) considerations. For example, New York employers are required to provide up to four paid...

Getting back when HACT: Congress’s idea to provide redress to recent cyberattacks

Amidst the ever-worsening onslaught of cyberattacks, companies are longing to go on the offensive, whether by “hacking-back” or by going after malicious actors in US courts. While Congress has previously refused to enable the former, it now appears more open to the latter, particularly with the introduction of the Homeland and Cyber Threat Act (the HACT Act): The HACT Act, if passed, risks opening the doors to suits against the US Government, while the likelihood of success against foreign governments for cyberattacks in US courts will remain small. The Supreme Court earlier this year...

Your quarterly privacy & cybersecurity update

Welcome to the tenth edition of Updata! Updata is our US and international update on the most important privacy and cybersecurity regulatory and legislative developments from the past quarter, October to December 2020. Full of newsworthy items from our global team members, this edition includes updates on: COVID testing and remote working guidance across multiple jurisdictions; Increase in privacy enforcement action and litigation across many jurisdictions; California voters passed sweeping amendments to the California Consumer Privacy Act; The rampant SolarWinds hack, including the New York...

Virginia is for lovers (of privacy)—The Consumer Data Protection Act passes into law

On March 2, 2021, Governor Northam signed the Virginia Consumer Data Protection Act (CDPA), making it the country’s second, enhanced state privacy law. It will likely not be the last. Set to take effect on January 1, 2023, the CDPA requires businesses to make significant enhancements to their privacy policies and to provide covered consumers with substantial rights. Many obligations and rights are similar—but not necessarily identical—to those required by other enhanced privacy laws like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection...

2021 Foresight: Key lessons from 2020 to help navigate the future of cybersecurity and data privacy

When it comes to privacy and cybersecurity, the uncertainty and volatility of 2020 will not soon relent — but neither will its invaluable lessons. In this article for Thomson Reuters, Partners Michael Bahar and Paula Barrett look back on the tumult of 2020 and reveal five key lessons to help manage the inevitable uncertainty and volatility going forward, and emerge stronger and more resilient. Learn more.

The ePrivacy Regulation

Europe’s movement to replace the 2002 ePrivacy Directive with a new ePrivacy Regulation picks up steam, signaling the potential need for US companies to add further privacy protections over electronic communications that may reach users in the EU. What’s the significance? If agreed to, the ePrivacy Regulation will repeal the 2002 ePrivacy Directive and update existing rules on the protection of privacy and confidentiality in the use of electronic communication services. Does this apply to me? The ePrivacy Regulation will apply when end-users are in the EU regardless of...

US Cybersecurity and Data Privacy review and update: Looking back on our 2020 articles and planning ahead for 2021

2020 was a tumultuous year for privacy and cybersecurity, and further uncertainty is all but guaranteed. To help with an agile and holistic data strategy, it is worthwhile to heed the lessons of 2020. Trends of new and upcoming data laws suggest that adopting a high watermark approach to compliance will put companies in good position to stay in front of new obligations. An explosion of enforcement actions and litigation in 2020 demonstrates the value in litigators and compliance lawyers working together proactively. Granular understanding of a company’s data practices remains key to...

Taking a stand on standing in data breach cases

At the crossroads of the California Consumer Privacy Act and Article III standing: Plaintiffs continue to test the boundaries of the CCPA’s Private Right of Action for data breaches; Courts, however, are standing firm on Article III standing requirements; That said, the costs of data breaches are rising with increased litigation and regulatory risk, so to reduce the chances of a breach, and to mitigate the effects of any that do occur, businesses should consider carefully reviewing their cybersecurity plans; remaining abreast of the latest threats and regulatory expectations; and engaging in...

Standard Contractual Clauses and EDPB Recommendations

The European Data Protection Board (EDPB), a collective of representatives from European data privacy regulators, published important recommendations on the Schrems II judgment, the seismic European decision that invalidated the EU-US Privacy Shield and called into question the continuing viability of personal data transfers from the EU and UK to third countries, particularly the US. The Recommendations provide a useful tool to assess the legality of cross border transfers, and they hold out the prospect for a more uniform approach among EU regulators (even potentially for the UK...

A Cybersecurity Storm and Winds of Change: NY DFS requires all New York financial institutions to report effects of SolarWinds hack

The New York Department of Financial Services (NY DFS) issued an alert on Friday, December 18, 2020, requiring all NY DFS regulated entities to immediately report whether they have been affected in any way by the massive, state-sponsored security breach of SolarWinds. NY DFS’s request for immediate notification from all affected entities goes beyond what is normally required under NY DFS’s cybersecurity regulations, which generally only require entities to report attacks that may cause material harm to a material part of their normal operations. NY DFS emphasized the...