Tagged: Data Privacy

Colorado Is the Latest State to Enact a Data Privacy Law: Here’s What You Need to Know

Colorado has become the third state to enact a comprehensive data privacy statute imposing compliance obligations on legal entities that collect or process the personal data of its residents. The Colorado Privacy Act (CPA) is built on many of the same key concepts found in other data privacy statutes and regulations. As such, companies that are implementing or updating compliance programs for the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (CDPA) will be familiar with the main provisions of the CPA and likely will have an easier time achieving compliance. There are, however, some important distinctions that companies must consider as part of any ongoing compliance efforts in anticipation of the CPA’s effective date of July 1, 2023. As a threshold matter, the CPA applies to legal entities that (i) conduct business in Colorado or produce or deliver commercial products or services that are “intentionally targeted to residents of Colorado,” and (ii) either (a) control or process personal data of more than 100,000 consumers per year or (b) earn revenue (or receive a discount on goods or services) from the sale of personal data and control or process personal data of more than 25,000 consumers. Notably, the CPA...

States Step Up Data Privacy and Security Regulation

State legislatures in California and New York have responded to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA requires businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt out of its sale, and to create privacy policies detailing their processes for selling or distributing consumer data....

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would rise to $600 after a short period of time, and that if the victim company refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, which potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is the victim of a successful attack.

Implement a Written Information Security Program.

Knowing how to mitigate the effects of a breach and how to respond upon notice of a breach starts with...

Seventh Circuit Affirms Dismissal of Data Privacy Class Action on Article III Standing Grounds

Since the United States Supreme Court decided Spokeo, Inc. v. Robins in May 2016, lower courts have struggled to consistently determine whether a plaintiff has standing to sue in federal court, which, as the Spokeo court explained, “requires a concrete injury even in the context of a statutory violation.” That is, even when Congress has made something unlawful and authorized an award of statutory damages for the unlawful act, the mere violation of that law is not itself sufficient to confer standing to sue under Article III of the U.S. Constitution. But precisely what is required to demonstrate sufficient “injury” under Article III remains unclear after Spokeo, especially in the data-breach and data-privacy contexts. In Gubala v. Time Warner Cable, Inc., however, a unanimous Seventh Circuit decision, authored by Judge Posner, held that the defendant’s possible failure to comply with a requirement contained in the Cable Communications Policy Act (requiring the destruction of personally identifiable information (“PII”) if the information is no longer necessary for the purpose for which it was collected) did not afford the plaintiff Article III standing to sue for violation of the statute where his personal information was not released or disseminated in any way. The plaintiff in Gubala had subscribed to Time Warner cable services in 2004, which required him to...

Court Finds Lack of Standing in Medical Data Breach Case

In Peters v. St. Joseph Servs. Corp., the United States District Court for the Southern District of Texas recently dismissed a class action complaint seeking damages arising out of a data incursion. The Court dismissed the complaint under Federal Rule of Civil Procedure 12(b)(1) for lack of standing without leave to amend, while granting the plaintiff 30 days to raise her state and common law claims in state court.