Eversheds Sutherland Cybersecurity and Privacy Insights Blog

Your quarterly privacy & cybersecurity update

Welcome to the tenth edition of Updata! Updata is our US and international update on the most important privacy and cybersecurity regulatory and legislative developments from the past quarter, October to December 2020. Full of newsworthy items from our global team members, this edition includes updates on: COVID testing and remote working guidance across multiple jurisdictions; increase in privacy enforcement action and litigation across many jurisdictions; California voters passed sweeping amendments to the California Consumer Privacy Act; the rampant SolarWinds hack, including the New York...

Virginia is for lovers (of privacy)—The Consumer Data Protection Act passes into law

On March 2, 2021, Governor Northam signed the Virginia Consumer Data Protection Act (CDPA), making it the country’s second, enhanced state privacy law. It will likely not be the last. Set to take effect on January 1, 2023, the CDPA requires businesses to make significant enhancements to their privacy policies and to provide covered consumers with substantial rights. Many obligations and rights are similar—but not necessarily identical—to those required by other enhanced privacy laws like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection...

2021 Foresight: Key lessons from 2020 to help navigate the future of cybersecurity and data privacy

When it comes to privacy and cybersecurity, the uncertainty and volatility of 2020 will not soon relent — but neither will its invaluable lessons. In this article for Thomson Reuters, Partners Michael Bahar and Paula Barrett look back on the tumult of 2020 and reveal five key lessons to help manage the inevitable uncertainty and volatility going forward, and emerge stronger and more resilient. Learn more.

The ePrivacy Regulation

Europe’s movement to replace the 2002 ePrivacy Directive with a new ePrivacy Regulation picks up steam, signaling the potential need for US companies to add further privacy protections over electronic communications that may reach users in the EU. What’s the significance? If agreed to, the ePrivacy Regulation will repeal the 2002 ePrivacy Directive and update existing rules on the protection of privacy and confidentiality in the use of electronic communication services. Does this apply to me? The ePrivacy Regulation will apply when end-users are in the EU regardless of...

US Cybersecurity and Data Privacy review and update: Looking back on our 2020 articles and planning ahead for 2021

2020 was a tumultuous year for privacy and cybersecurity, and further uncertainty is all but guaranteed. To help with an agile and holistic data strategy, it is worthwhile to heed the lessons of 2020. Trends of new and upcoming data laws suggest that adopting a high watermark approach to compliance will put companies in a good position to stay in front of new obligations. An explosion of enforcement actions and litigation in 2020 demonstrates the value in litigators and compliance lawyers working together proactively. Granular understanding of a company’s data practices remains key to...

Taking a stand on standing in data breach cases

At the crossroads of the California Consumer Privacy Act and Article III standing: Plaintiffs continue to test the boundaries of the CCPA’s Private Right of Action for data breaches; courts, however, are standing firm on Article III standing requirements; that said, the costs of data breaches are rising with increased litigation and regulatory risk, so to reduce the chances of a breach, and to mitigate the effects of any that do occur, businesses should consider carefully reviewing their cybersecurity plans; remaining abreast of the latest threats and regulatory expectations; and engaging in...

Standard Contractual Clauses and EDPB Recommendations

The European Data Protection Board (EDPB), a collective of representatives from European data privacy regulators, published important recommendations on the Schrems II judgment, the seismic European decision that invalidated the EU-US Privacy Shield and called into question the continuing viability of personal data transfers from the EU and UK to third countries, particularly the US. The Recommendations provide a useful tool to assess the legality of cross border transfers, and they hold out the prospect for a more uniform approach among EU regulators (even potentially for the UK...

A Cybersecurity Storm and Winds of Change: NY DFS requires all New York financial institutions to report effects of SolarWinds hack

The New York Department of Financial Services (NY DFS) issued an alert on Friday, December 18, 2020, requiring all NY DFS regulated entities to immediately report whether they have been affected in any way by the massive, state-sponsored security breach of SolarWinds. NY DFS’s request for immediate notification from all affected entities goes beyond what is normally required under NY DFS’s cybersecurity regulations, which generally only require entities to report attacks that may cause material harm to a material part of their normal operations. NY DFS emphasized the...

Only YOU can prevent IoT network shutdowns

As tens of billions of additional Internet of Things (IoT) devices are poised to enter the market and infuse our supply chains, on December 4, 2020, President Donald Trump signed the first ever federal law governing IoT devices. The IoT Cybersecurity Improvement Act (the Act) will result in new national rules for federal procurement of IoT devices which, along with California and Oregon’s IoT laws, will likely also help solidify IoT security standards more generally. The Act builds upon and helps unify the varying cybersecurity standards within federal procurement...

Once more unto the breach: The Supreme Court weighs in on a circuit split on what constitutes a hack

The United States Supreme Court hears arguments to decide the reach of the Computer Fraud and Abuse Act (CFAA). The Court is poised to decide whether to “exceed authorized access” constitutes a hack. The CFAA’s ambiguous language has created a circuit split the Supreme Court will now resolve. This decision will have far-reaching implications for employers, employees, and cybersecurity researchers. Learn more.

California’s new privacy law, the CPRA, was approved: Now what?

On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), by approximately 56-44%. This act will substantially amend the California Consumer Privacy Act (CCPA), once it goes into effect on January 1, 2023. Key points on this law: builds on the existing framework of the CCPA, while bringing the CCPA closer to Europe’s GDPR; imposes significant new obligations on businesses, which will require advance planning; and establishes the nation’s first agency dedicated to privacy regulation and enforcement, the California Privacy Protection...

Your quarterly privacy & cybersecurity update

Welcome to the ninth edition of Updata! Updata is our US and international update on the most important privacy and cybersecurity regulatory and legislative developments from the past quarter, July to September 2020. Full of newsworthy items from our global team members, this edition includes updates on: the Schrems II court decision, which invalidated the EU-US Privacy Shield and now requires additional due diligence before using the Standard Contractual Clauses; changes to data breach notification laws in several US states, including Indiana, Louisiana and Virginia;...

Quarterly Aerospace, Defense and Security Sector Briefing—Q2 2020

1. When it comes to managing future risk, there’s no time like the present. Aerospace and defense companies are continuing to experience a number of supply chain challenges as they look to manage risk long-term. With the world changing and budgets set to be considerably impacted over the coming years, more than ever management teams must rethink and redesign existing approaches to go beyond short-term recovery and set a long-term strategic supply chain vision, in order to protect a company’s interests. 2. Reshaping the global trade landscape. Global lockdowns and border closures have...

No rest for the weary: cybersecurity and privacy enforcement actions heat up

A recent wave of cybersecurity and privacy enforcement actions cautions businesses dealing in personal data to strengthen their security and compliance plans. The New York Department of Financial Services recently announced its first enforcement action under its cybersecurity regulation. The California Attorney General began enforcement-related inquiries under the newly enacted California Consumer Privacy Act just as plaintiffs bring the first wave of class actions under the same. These actions give businesses the opportunity to incorporate key lessons and update digital strategies to...