2021 may be the year that privacy legislation explodes across the US. Already, several states including New York, Virginia, and Washington have introduced some form of privacy legislation (many are re-introducing bills that did not pass in 2020).
Many businesses devoted substantial resources to privacy compliance in 2020, thanks to the California Consumer Privacy Act (CCPA). They will be rewarded for that effort: during the fall election, Californians approved a ballot initiative that will strengthen the CCPA, dedicate billions of state dollars to privacy enforcement, and create a new enforcement agency for personal privacy rights.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have published a warning regarding attacks to certain VPN products by a known threat actor based in Iran. The CISA warning is here for reference. Once it has attacked the specified vulnerabilities, the threat actor is able “to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence,” according to CISA.
News emerged this week that the Irish data authority will order Facebook to stop use in the US of data and information about Irish residents. This development is part of a long-running saga between the EU and the US about what constitutes “adequate” protection of personal data about European individuals. If your company has employees, customers, or suppliers in Europe and relies on contracts, government certification, or other formal mechanisms to allow you to use data about those individuals on systems located in the US, the Facebook news and related issues may be relevant.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning regarding a new “voice phishing” scam arising from the massive shift to teleworking during the pandemic. Under the new scheme, threat actors posing as the company IT department call workers and request usernames and passwords for the company’s systems in order to log into a new VPN link. The “bad guys” then have access to the company’s existing VPN and log in as if they are legitimate employees.
Earlier this summer, the Attorney General of California issued draft regulations to clarify and expand certain parts of the California Consumer Privacy Act (CCPA). On August 14, the draft regulations took effect. This means that, two years after its tumultuous drafting and passage, the full CCPA and its associated regulations are in effect. In addition, the Attorney General now has a full set of rules to enforce regarding how companies collect, use, and store “personal information” of California residents.
July 1 has arrived, which means that the California Attorney General (AG) may now enforce the state’s recently-enacted privacy statute, the California Consumer Privacy Act (CCPA). Because of the breadth of the law, and the multiple evolutions of its requirements, this is a good time to check in on your compliance – even if you did some footwork at the end of 2019 in anticipation of the new law – to ensure that you are up to date with all the new elements of the CCPA.
The swift proliferation of Zoom and similar teleworking tools, due to the enforced work-at-home environment, has brought a number of security headaches with it. In addition to security, there are also other areas of risk to think through and manage. Below is a list of some of those areas, and recommended steps to mitigate associated risks.
With at least one in four Americans living under lockdown orders due to the Covid-19 pandemic, a new question has started to affect many US companies: can my company stay open during a lockdown?
The Covid -19 pandemic has brought into focus issues relating to workplace health and safety and their interplay with employee privacy. An employer is required to maintain a safe workplace pursuant to the Occupational Safety and Health Act (“OSH Act”).