Keypoint: Although they are only draft regulations and not part of the formal rulemaking process, the drafts demonstrate the Agency’s intent to create extensive obligations for businesses subject to these regulations.

In connection with its September 8, 2023 Board meeting, the California Privacy Protection Agency (“Agency”) published draft regulations on risk assessments and cybersecurity audits. The drafts were provided as meeting materials for a CPRA rules subcommittee update.

The drafts specifically state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” To that end, the drafts identify specific text for the Board to discuss and, in some instances, identify multiple options for Board consideration. The drafts also note that the Agency “has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decisionmaking technology.”

Although these are only drafts, they nonetheless provide an initial insight into the Agency’s thought process for these new and significant rulemaking topics. In short, the drafts indicate the Agency’s intent to create extensive obligations for businesses subject to these regulations. In the below post, we provide a high-level summary and analysis of some of the more notable parts of the drafts.

Continue Reading CPPA Releases Draft Regulations on Risk Assessments and Cybersecurity Audits

Numerous states passed laws on consumer, health, and children’s data privacy during the 2023 state legislative session. These new laws create additional compliance challenges for entities already trying to drive compliance with existing state laws.

On September 14, 2023, members of Husch Blackwell’s data privacy team will host a webinar to provide an overview of these new laws and how they will impact your privacy compliance efforts. During the webinar, we will:

  • Provide an overview of the state consumer privacy laws passed in 2023, including the laws in Texas, Florida, Oregon, and Montana, and how they fit into the existing state laws.
  • Analyze the health data privacy laws passed in Washington, Nevada, and Connecticut, and how those laws may impact entities.
  • Compare the new children’s privacy laws enacted in Connecticut and Florida, and how they relate to the California Age-Appropriate Design Code Act passed in 2022.
  • Identify and explain the data broker bills passed in Texas and Oregon.

Click here for more information and to register.

Key Point: The decision making processes to determine whether a cybersecurity incident is material or not, should include documenting the factors behind each determination and should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.

Continue Reading Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part III

Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Continue Reading Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part II

Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules that mandate (a) disclosures in annual report of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining a material cybersecurity incident occurred.   

In a 3-2 vote on July 26, 2023, the U.S. Securities Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.

To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.

Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.

Continue Reading Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part I

Keypoint: In July 2023, plaintiffs have been busy opposing motions to dismiss in chat wiretapping, session replay, and VPPA cases while testing claims against a new technology.

This is the sixth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends in the past month. In this post we look at dismissed chat wiretapping and session replay cases and VPPA cases overcoming the motion to dismiss stage.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Continue Reading U.S. Privacy Litigation Update: July 2023

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”

Agency Executive Director Ashkan Soltani said that the “Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.”

The Agency’s announcement comes approximately two weeks after the California Attorney General’s Office announced an investigative sweep focused on how large California employers are handling the expiration of the CCPA’s employee and job applicant data exemptions.

Key Point: The EEOC released guidance to employers on how to assess adverse impacts when using artificial intelligence (AI) in the employment decision-making process.

The Equal Employment Opportunity Commission (EEOC) recently issued a technical assistance document to help employers avoid discriminating against job applicants and employees when using AI for employment decisions. In the technical assistance, the EEOC highlights that employers may violate Title VII of the Civil Rights Act of 1964 (Title VII) if their algorithmic decision-making tools have an adverse impact on protected classes, even where those tools are designed or administered by third parties.

Continue Reading EEOC Issues Guidance on Assessing AI Employment Tools Under Title VII