Regulators’ enforcement priorities evolve alongside technological changes and in response to consumer-impacting activities that are emphasized in news headlines. This trend can be seen in the SEC’s relatively recent focus on monitoring and bringing formal actions against opportunistic stock trading by corporate insiders who have knowledge of enterprise security incidents and data breaches.

As the SEC described in its 2018 guidance intended to assist public companies in preparing disclosures about cybersecurity risks and incidents: “Companies and their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.”

What follows is an overview of an article published in Cybersecurity Law Report (subscription paywall) last week by Greenberg Traurig’s Darren Abernethy regarding the interplay between corporate insider trading and cybersecurity incidents, including some possible planning steps for businesses to consider with legal counsel.
Continue Reading Insider Trading in the Data Breach Context: Proactive Corporate Planning and Regulatory Enforcement

Despite being in effect since Jan. 1, 2020, the California Consumer Privacy Act (CCPA) continues to generate confusion for employers of California residents. Much attention has been given to the CCPA’s effect on a business’ obligations in collecting, using, and sharing California customers’ data. However, given the CCPA’s broad “consumer” definition includes “employees,” it also imposes duties on any in-scope business that manages California employees’ data. Notably, under the CCPA, “employees” include job applicants. The CCPA thus applies to both California customers and employees/job applicants of any “business,” which is defined as a for-profit organization doing business in California that controls how personal information is processed and: (i) has gross annual revenue exceeding $25 million; (ii) buys, receives, sells, or shares personal information of 50,000 or more California consumers, households, or devices; or (iii) derives 50% or more of its annual revenue from selling personal information of California residents. Civ. Code § 1798.140(c)(1). Importantly, for the CCPA to apply, businesses do not have to be physically in California. Thus, for example, a business that does not have any facilities in California, but employs remote workers in California, could be subject to the CCPA if it meets the CCPA’s “business” definition.
Continue Reading Employers: Stop, Drop, and Ensure CCPA Compliance as to Employees Residing in California

On February 7, 2020, the California Attorney General’s Office (OAG) issued proposed changes to the California Consumer Privacy Act Regulations (Modified Regulations), which were originally issued on October 11, 2019. Organizations have until February 24 to submit written comments on the proposed changes to the regulations implementing the CCPA.

Key Changes

Some of the major

YouTube Content Creators Must Act

As of January 6, 2020, YouTube creators must designate their videos (both new as well as all videos previously posted) as either made for kids or adults. The new requirement has left esport, gaming, musician, vlog, and many other creators scrambling to correctly categorize their videos; otherwise, they face a

In the wake of the California Consumer Privacy Act of 2018 (CCPA) and an updated Nevada privacy law that took effect in October 2019, states are wasting no time in 2020 introducing new privacy laws of their own.

Joining the chorus of Virginia and Florida, this month state lawmakers in New Hampshire,

On October 1, 2019 the Court of Justice of the European Union (CJEU) issued a new judgment on the use of cookies which, under the EU E-Privacy Directive, requires users’ informed consent. The court decided that

  • the cookies consent cannot be obtained by using a pre-ticked consent checkbox; and
  • information must be provided to users