Numerous states passed laws on consumer, health, and children’s data privacy during the 2023 state legislative session. These new laws create additional compliance challenges for entities already trying to drive compliance with existing state laws.

On September 14, 2023, members of Husch Blackwell’s data privacy team will host a webinar to provide an overview of

Lock Illustration

Key Point: The decision making processes to determine whether a cybersecurity incident is material or not, should include documenting the factors behind each determination and should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.

Lock Illustration

Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Lock Illustration

Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules that mandate (a) disclosures in annual report of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining a material cybersecurity incident occurred.   

In a 3-2 vote on July 26, 2023, the U.S. Securities Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.

To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.

Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.

Keypoint: In July 2023, plaintiffs have been busy opposing motions to dismiss in chat wiretapping, session replay, and VPPA cases while testing claims against a new technology.

This is the sixth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends in the past month. In this post we look at dismissed chat wiretapping and session replay cases and VPPA cases overcoming the motion to dismiss stage.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically

employee-scaled.jpeg

Key Point: The EEOC released guidance to employers on how to assess adverse impacts when using artificial intelligence (AI) in the employment decision-making process.

The Equal Employment Opportunity Commission (EEOC) recently issued a technical assistance document to help employers avoid discriminating against job applicants and employees when using AI for employment decisions. In the technical assistance, the EEOC highlights that employers may violate Title VII of the Civil Rights Act of 1964 (Title VII) if their algorithmic decision-making tools have an adverse impact on protected classes, even where those tools are designed or administered by third parties.

Keypoint: The Attorney General’s investigatory sweep focuses on how large California employers are handling the expiration of the CCPA’s employee data exemption.

On July 14, 2023, the California Attorney General announced a new CCPA investigatory sweep focused on employee data. The Attorney General’s Office reported that it had sent inquiry letters “to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”