On January 6, 2021, a bipartisan group of state legislators introduced the “Biometric Privacy Act,” (Assembly Bill 27), which would make New York only the second state with a private right of action against entities that improperly use or retain biometric information.  This is the third time that New York lawmakers have proposed such a bill.

The bill would protect individuals’ biometric identifiers, defined as fingerprints, voiceprints, retina or iris scans, and scans of face or hand geometry, as well as information based on such identifiers used to identify an individual.[1]

Under the bill, private entities in possession of biometric identifiers or information would need to develop and comply with publicly available written policies establishing retention schedules and guidelines for permanently destroying the identifiers or information when the initial purpose for collecting or obtaining them has been satisfied or within three years of the individual’s last interaction with the entity, whichever occurs first.  Private entities would also be required to store, transmit, and protect from disclosure all biometric identifiers and information using the reasonable standard of care in their industry, and in a manner that is the same as or more protective than the manner in which they store, transmit, and protect other confidential and sensitive information.
Continue Reading New York Lawmakers Introduce Biometric Privacy Bill with Private Right of Action

Patchwork and continually changing regulation continues to be the trend in data privacy law, with 2020 adding new legislation to the fray and striking down some existing privacy structures. 2021 will likely be a time of reflection for businesses trying to adjust to impending new requirements in the face of an increasingly remote workforce and customer base.
Continue Reading The Privacy Law Plot Continues to Thicken: Compliance Considerations for 2021

In July 2019, the UK Information Commissioner’s Office (“ICO”) issued two notices of intent (“NOIs”) to fine British Airways (“BA”) and Marriott International Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”), both related to high-profile personal data breaches. The NOIs proposed staggering fines of £183.39 million and £99.2 million, respectively, which would have constituted the largest penalties levied under the GDPR to date. More than a year later, the UK ICO finally issued the long-awaited penalty notices in relation to both investigations, imposing in both cases fines that, while still significant, were greatly reduced from what had initially been indicated – £20 million in the case of BA (a massive reduction of more than £163 million), and £18.4 million in the case of Marriott (an equally surprising reduction of more than £79 million).
Continue Reading UK ICO Data Breach Fines – What Can We Learn From British Airways and Marriott?

Main Takeaways

Recommendations 01/2020 of the European Data Protection Board (the “EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”)[1] attempt to provide a step-by-step roadmap to help EU data exporters transfer personal data outside the EU to third countries in a manner consistent with the judgment of the Court of Justice of the European Union (the “CJEU”) handed down on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, further described in Section 1 below).[2] The Recommendations were published on November 11, 2020 and can be relied upon immediately, even though they are subject to public consultation, with comments being due prior to December 21, 2020.
Continue Reading Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?

On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software.  The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices.  It also imposes multiple layers of reporting and certification requirements.
Continue Reading FTC Announces Settlement with Zoom Regarding Data Security Practices

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2]  Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]
Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).
Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach