Legislation

Nevada Passes Opt-Out Law, Effective October 2019 – Three Months Before the CCPA

Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular. READ MORE

Orrick Launches Automated Tool to Assess Readiness for California Consumer Privacy Act

Today, Orrick announced the launch of our automated CCPA Readiness Assessment Tool which helps businesses globally determine whether they are covered by the California Consumer Privacy Act (CCPA) and, if yes, their readiness to comply with the new law that is revolutionizing the United States privacy landscape. This free tool is available to all organizations and takes 10-30 minutes to complete.  It segments the CCPA into five workable themes and guides users through a series of dynamic questions relating to each theme. Upon completion of the questionnaire, the tool provides a free and comprehensive readiness assessment tailored to the business’s unique positioning and individual needs.

READ MORE

State Legislators Joining the Consumer Privacy Protection Party: Introduced CCPA-Like Bills

In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated. READ MORE

The CLOUD Act, Explained

The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27.[1] Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act. READ MORE

Orrick Launches Automated GDPR Readiness Tool for Companies

Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE

New York DFS Cyber Rules Go Live: Here’s Your Roadmap

August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”).  The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments.  While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool.  Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.

While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS.  For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE

EU Proposes Overhaul to Privacy and Electronic Communications

NIS Directive

January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.

The draft Regulation, which goes beyond the scope of the current e-Privacy Directive in significant ways, would apply directly without the need for Member States to implement local law in the same way as the General Data Protection Regulation (“GDPR”). Like the e-Privacy Directive, the Regulation sets out rules on, among others, the use and confidentiality of electronic communications and metadata, use of cookies and direct marketing by electronic means.

The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with GDPR. In addition to taking effect on the same day as the GDPR (25th May, 2018), penalties for non-compliance envisaged by the draft Regulation are the same as the GDPR, (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).

READ MORE

DFARS and DIB: Compliance Steps for DoD’s Newly Finalized Cybersecurity Rules for Contractors

Department of Defense Finalized Cybersecurity Rules for Contractors and Other Awardees. The First rule amends the Defense Federal Acquisition Regulation Supplement and went into effect on October 21, 2016 (“DFARS Rule”). The other rule modifies the previously voluntary DoD cybersecurity information sharing program (“DIB Rule”) and is set to come into effect on November 3, 2016. Aerial view of the Pentagon, the Department of Defense headquarters in Arlington, Virginia

For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016.  The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.

We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.

READ MORE

EU Breach Notification Requirements Under the GDPR and NIS Directive: Are You Ready?

EU General Data Protection Regulation data breach notification requirements Network and Information Security (NIS) Directive security incident notification requirements

Data breach notification requirements are going global. By spring 2018, companies operating in the European Union must comply with the new General Data Protection Regulation’s (GDPR) data breach notification requirements and the Network and Information Security (NIS) Directive’s security incident notification requirements. Stricter and more far-reaching notification obligations underscore the importance of establishing a proactive Security Incident Response Policy to analyze potential legal obligations and prepare to respond to incidents long before they occur.

READ MORE

Is Your Data Safe? National Cybersecurity Awareness Month

Cyber Security Keyboard Button National Cybersecurity Awareness Month

Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.

Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.

READ MORE