In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill:
Maria Rouvalis’s practice focuses on privacy, cybersecurity, and consumer protection. Maria regularly defends clients before federal and state regulators, including the Federal Trade Commission and state attorneys general. She also helps clients develop global privacy and security compliance programs and respond to security incidents.
Maria provides guidance on issues relating to the California Consumer Privacy Act (CCPA), Section 5 of the Federal Trade Commission Act, the European Data Protection Regulation (GDPR), and state data breach notification laws. She also advises clients on strategies for reducing the risk of privacy and security incidents, including by coordinating across business units and by analyzing real-time data flows against the current regulatory landscape.
Maria earned the Certified Information Privacy Professional/United States (CIPP/US) designation. Prior to joining Orrick, Maria worked as an associate at a boutique litigation firm, where she defended companies in a variety of business disputes. Maria’s law school experience included an internship with the Massachusetts Appeals Court, a law clerk position with Liberty Mutual, where she analyzed European Union data privacy laws, and an assistant producer position with Neil Chayet's “Looking at the Law” program on CBS Radio.
Posts by: Maria Rouvalis
On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework. By 2026, DoD plans to require CMMC certification for all defense contracts. For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.
Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation.
While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada, which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect; New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments; and Illinois has proposed a bill that is poised to become law in the near term.