In the latest episode of Regulatory Oversight, Troutman Pepper Partner Judy Jagdmann and Counsel Gene Fishel are joined by Sam Kaplan, assistant general counsel for public policy for Palo Alto Networks. They engage in an insightful conversation revolving around the government response to cyber incidents and the potential role of AI in combating cybersecurity threats.
This article was originally published on February 14, 2024 in Reuters and Westlaw Today. It is republished here with permission.
As we discussed in part three of this series, “Navigating the Complexities of Regulatory Data Incident Investigations,” when an organization is the subject of regulatory data incident investigations, it must navigate a tangled regulatory web. Extricating itself from that web is the ultimate goal. But what form does that take?
In an era where privacy, security, and artificial intelligence are at the forefront of many business operations, staying informed about the latest developments is crucial. Our 2023 Privacy Year in Review is an in-depth analysis of the past year’s significant advancements and challenges in these areas.
On January 16, New Jersey became the first state this year to enact a comprehensive privacy law, S332, which applies to businesses conducting operations in the state or targeting its residents. As noted in this article by our privacy team, similar to other state comprehensive privacy laws, S322 grants consumers the right to confirm, correct, delete, obtain a copy of their personal data, and opt out of its processing for targeted advertising, sale, or profiling. Controllers and processors are obligated to limit data collection, establish security practices, and provide a privacy notice. They are also required to conduct a data protection assessment for processing activities that pose a heightened risk of harm to consumers. The New Jersey Attorney General’s Office has exclusive authority to enforce violations, treating them as “unlawful practices” under the New Jersey Consumer Fraud Act. The law takes effect on January 16, 2025, with an 18-month grace period for organizations to correct violations before enforcement actions are taken.
This article was originally published on December 12, 2023 in Reuters and Westlaw Today. It is republished here with permission.
It is indeed a tangled regulatory web woven to potentially trap an organization in the wake of a data incident. Navigating this web can involve significant resources, time, and stress. As we discussed in part two of this series, “Your organization has suffered a data incident: Now here are the regulators it will likely encounter,” Reuters Legal News and Westlaw Today, Oct. 16, 2023, there is no shortage of regulators likely to come calling. Organizations therefore have little margin for error when assessing and responding to an incident.
In the latest episode of Regulatory Oversight, Gene Fishel and Mike Lafleur welcome Pat Moore and Jared Rinehimer from the Massachusetts Attorney General’s (AG) Office to discuss online sports wagering. They cover the recently enacted Massachusetts Sports Wagering Act, the associated role of the Massachusetts Gaming Commission, related rules addressing advertising and data privacy, and the overall concerns of the AG’s office.
The U.S. Environmental Protection Agency (EPA) has formally withdrawn cybersecurity rules it promulgated in March requiring that states report cybersecurity threats to their public water systems (PWS). The reversal comes in the wake of lawsuits filed in the Eighth Circuit in July by Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations). As a result of the withdrawal, the states and water associations filed to dismiss their suits.
This article was originally published on October 16, 2023 in Reuters and Westlaw Today. It is republished here with permission.
Government regulators are seemingly as numerous as the stars nowadays, especially in the universe of data incidents. When organizations experience a data incident, they will need to quickly assess what happened, why it happened, and who (e.g., clients, consumers, vendors, employees) was affected. They will also need to chart a course by which they resolve the incident while limiting their legal exposure.
This article was originally published on August 24, 2023 in Reuters and is republished here with permission.
In the burgeoning realm of data incidents, it is a truism that such incidents are not created equal. Indeed, a data incident is not necessarily a data breach.
An incident is any “occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system,” or an event that constitutes a violation of an organization’s computer security or acceptable use policies. National Institute of Standards and Technology, Minimum Security Requirements for Federal Information and Information Systems, FIPS 200, at 7 (Mar. 9, 2006) (nist.gov). A breach is an incident that imposes statutory and regulatory obligations on an affected organization when it holds or controls certain consumer information.