During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to become a reality for some. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings poses some unique challenges.

By taking proactive measures, a business can transform the personal data it holds from a reorganization liability into an asset. However, the issue of whether or not personally identifiable information (PII) can be sold (and under what terms) is a common way privacy issues come into play during liquidation and reorganization proceedings. As further discussed below, the GDPR and the CCPA, along with the prior positions taken by the FTC and various State Attorneys General, are all factors for companies to consider to ensure that data does not lose its value as part of the bankruptcy process.
Continue Reading Privacy During Bankruptcy Proceedings: Why It Matters

Next Tuesday is election day, and this year, California voters are deciding whether to support another statewide privacy initiative – the California Privacy Rights Act (CPRA) (Proposition 24).

This measure would expand on the California Consumer Privacy Act (CCPA), which went into effect earlier this year, in several important ways, including (among others):
Continue Reading Proposition 24: California’s Ever-Evolving Privacy Landscape

With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:
Continue Reading Twists in the Plot: California AG Releases Final CCPA Regulations

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom, as it becomes a significant part of American daily life during the COVID-19 pandemic.

Among those legal issues was an inquiry by the New York State Attorney General into Zoom’s privacy practices, and particularly into its measures to detect and prevent hackers or other outside parties attempting to observe or interfere with online meetings. In several incidents, the third parties interrupted meetings with disturbing messages or images. In fact, two other states – Connecticut and Florida – joined the New York probe after state government officials fell victim to “zoombombing.” Based on perceived security flaws, on April 6, 2020, the New York City Department of Education implemented a ban on public schools’ use of Zoom for classes and educational purposes.
Continue Reading Zoom Successfully Addresses New York’s Privacy and Security Concerns

Various state laws require data breach notification and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California AG need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only word in disclosure requirements.
Continue Reading Data Breach Disclosure Requirements Implicate More Than Privacy Law

It was recently discovered that a certain software product, in this case used by numerous cannabis companies around the country, was not secure and allowed access to consumer data of companies using the software. You can read more about it in this linked article. This isn’t the first time a security vulnerability was introduced by the use of third-party software, and it won’t be the last. The CCPA requires “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (it has yet to be tested), but will it lead to liability of the company employing the software?  I think it will.

So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?
Continue Reading Data Security: Are you looking at your third party software?