Photo of Daniel Ilan

Daniel Ilan’s practice focuses on intellectual property law.

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”).  While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements. Continue Reading CONSENT Act: Proposed Legislation a Sign of Potential U.S. Consent to Greater Privacy Protections?

Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public.

This memo surveys some of the key cybersecurity and data privacy developments of 2017, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions, with an eye towards what may be in store in 2018.

As the implementation of China’s first comprehensive cybersecurity law (the “CCL”) progresses, concern is mounting in the international business community regarding the law’s expansive scope, prescriptive requirements and lack of clarity on a range of critical issues. Vocalizing such concern, on September 25, 2017, the United States government asked China to halt its implementation of the CCL and highlighted potential issues with the CCL to members of the World Trade Organization. Since the CCL’s passage, several regulations have been released by the principal agency responsible for its implementation that were intended to implement the provisions of the CCL, but in some cases appear to have further expanded its scope while leaving some critical questions unanswered. In the face of such uncertainties, foreign companies operating in China are advised to familiarize themselves with the requirements of the CCL and its implementation rules and adopt measures to enhance their preparedness for the full implementation of the CCL.

Click here, to continue reading.

For additional coverage of topics related to international trade and sanctions, we invite you to subscribe to our International Trade and Sanctions Watch blog, here.

New York’s new cybersecurity regulations (the “Regulations”) become effective on August 28, 2017, marking a significant milestone in what is likely to be a new era in cybersecurity regulation on both a national and international level.

As governments grapple with how best to address cyber threats to their citizens, businesses and national security, there is an increasing focus on the potential use of regulatory requirements to impose minimum cybersecurity standards, particularly in the financial services sector. As more states and nation states adopt cybersecurity requirements, financial institutions are facing increased compliance costs and potentially a diversion of resources away from risk mitigation to compliance with regulatory requirements. As the Regulations come into effect, we briefly take stock of their requirements, their impact on international best practices, and related global developments.

Click here, to continue reading.

On August 1, 2017, the United States Court of Appeals for the D.C. Circuit held that policyholders of the health insurer CareFirst had standing to sue the company after their information was compromised during a cyberattack.

Wading into a vigorously contested area between plaintiffs and companies that have suffered data breaches, the court held that the policyholders’ elevated risk of identity theft and medical fraud was a sufficient injury to bring suit—even without any evidence that plaintiffs had actually suffered such harm. In so holding, the D.C. Circuit came down on one side of a circuit split, which may ultimately need to be resolved by the Supreme Court.

Click here, to continue reading.

Late last month, Target Corporation reached an $18.5 million settlement with the Attorneys General of 47 states and the District of Columbia, resolving the AGs’ investigation into Target’s 2013 data security breach.

Target’s recent settlement, when viewed in conjunction with other recent developments, provides a roadmap for prophylactic measures that companies may implement to limit the likelihood that cyber criminals will successfully obtain sensitive data and potentially limit liability if such an attack occurs.

Click here, to continue reading.

From May 2018, organizations established or providing services in the EU will be subject to new national and EU-wide cybersecurity legislation, as regulators in EU Member States begin to apply both the General Data Protection Regulation and national legislation implementing the Network and Information Security Directive.

These new laws will significantly increase the territorial and sectoral scope of organizations subject to EU cybersecurity obligations and introduce strict data security and breach disclosure obligations with potentially severe penalties for non-compliance.

This tightening of the EU cybersecurity regime coincides with similar developments in other jurisdictions worldwide and reflects a global trend for legislators and regulators to require organizations to observe increasingly stringent cybersecurity practices.  This memorandum considers the key components of the new EU laws and outlines a number of recent cybersecurity developments in other key jurisdictions.

Click here, to continue reading.

On March 1, 2017, the New York Department of Financial Services’ Cybersecurity Regulations entered into effect.

The Regulations impose on financial institutions minimum cybersecurity standards that exceed existing federal standards and introduce new requirements, including obligations to critically evaluate cybersecurity practices, maintain detailed documentation demonstrating compliance and report cyber events to the New York Department of Financial Services.

Click here, to continue reading.

On September 13, 2016, the New York Department of Financial Services issued the first comprehensive state regulatory proposal to address cybersecurity.

Under the proposed regulations, certain banks, insurers and other financial services institutions authorized to operate in New York will be required to assess their cybersecurity risks and establish and maintain a cybersecurity program designed to address such risks.  This alert memorandum covers the key obligations set forth in the state proposal and contrasts them with the obligations required under the federal Gramm-Leach-Bliley Act.

Click here, to continue reading.