David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cybersecurity laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission and other data privacy and security regulatory agencies around the world, as well as in class action litigation.
David A. Zetoony
SEC Files Actions Against 4 Public Companies for Negligent Cybersecurity Disclosures
On Oct. 22, 2024, the SEC announced settled administrative actions against four currently or formerly public technology companies, finding that the companies all made materially misleading disclosures to investors in their periodic filings concerning the impact of the 2020 SolarWinds breach on their businesses.
Pharmaceutical Companies May Be the First Targets of the Washington State My Health My Data Act
On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (WMHMDA or the Act), which took effect for most companies on March 31, 2024. Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “consumer health data.” This…
5 Trends to Watch: 2024 Data Privacy & Cybersecurity
- Cybersecurity Rules by the SEC and the EU – Both the Securities and Exchange Commission’s public company cybersecurity disclosure and breach notification rules and the implementation of the EU NIS 2 Directive will drive increased focus from management and the board on cybersecurity risks, preventive measures, and incident response. Expect to see another
Comparing the definition of ‘consumer health data’ between state statutes
On April 27, 2023, Washington’s Governor signed Washington’s My Health, My Data Act (WMHMDA or the Act).* Starting March 31, 2024, most entities subject to the Act will have certain obligations toward “consumer health data,”[1] including providing consumers with the right to access their information, withdraw their consent to certain processing, and request the…
Are the volume thresholds in privacy statutes triggered by the number of in-state IP addresses that visit an organization’s website?
Probably not.
Most modern state privacy laws attempt to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. While the specific thresholds differ between states, many of the new statutes only apply to organizations that control or process personal information relating to at least 100,000…
Under the GDPR, do organizations need to search the prompts they submitted to an AI in response to a deletion request?
The GDPR allows individuals to request that their information be deleted in the following situations:[1]
- Organizations must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that organizations may process data based on six alternate lawful grounds.[2] One of these is where a person has given
Under the GDPR, do organizations need to search the prompts they submitted to an AI in response to a correction request?
The right of correction (sometimes called the “right of rectification”) refers to a person’s ability to request that an organization fix any inaccuracies in the personal data it holds about them.[1] Correction is sometimes referred to as an absolute right in the context of the GDPR, because unlike some other rights conferred by the…
Under the GDPR, do organizations need to search the prompts they submitted to an AI in response to an access request?
The right to access refers to a person’s ability to request that a controller confirm whether it holds personal data about them, and to receive information about the processing and a copy of that data. While the GDPR confers a right of access, this right predates the GDPR and can be found within other EU…
Under the GDPR, is an organization required to distribute its privacy notice to every individual whose information is included in an AI prompt?
Not necessarily.
Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place.
If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the…