Photo of Pamela L. Marcogliese

Pamela L. Marcogliese’s practice focuses on corporate and financial transactions, particularly capital markets matters and corporate governance matters.

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach

The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities.[1] The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.

Continue Reading Untangling the Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database.  The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents.  Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

Please click here to read the full alert memorandum.

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways.  The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure.  Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory.  In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures.  The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements. Continue Reading NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity