Cybersecurity and Data Privacy

Subscribe to Cybersecurity and Data Privacy via RSS

Dear Mary,

I’m the general counsel of an organization and have recently started getting involved in the cybersecurity side of things. As I’m getting my bearings, I’ve noticed that our security team doesn’t always involve the legal department when an incident is suspected. While I understand that not every incident requires our involvement, I’m concerned that we’re being left out of matters that do need legal oversight, and when we are involved, it’s often too late. What can I do to help address this?

– Living in FOMO

In 2024, the landscape of state attorneys general (AGs) is poised for significant change, with numerous elections and regulatory actions reshaping priorities and enforcement strategies. This dynamic environment reflects the critical role AGs play in addressing key issues across various sectors, from environmental regulations and consumer protection to health care and privacy. As state AGs continue to influence policy and legal frameworks, their actions will have far-reaching implications for businesses and consumers alike. Troutman Pepper’s State AG team is pleased to provide you with this mid-year review summarizing the activities in this regulatory space over the past six months.

In an unusual move, attorneys general (AG) from 30 states and the District of Columbia filed a bipartisan amicus brief in the Ninth Circuit supporting efforts to revive a proposed class action against payment processor Shopify. The amici back plaintiff-appellant Brandon Briskin in his effort to convince the Ninth Circuit to overturn en banc a three-judge panel decision affirming the dismissal of his data privacy suit for lack of personal jurisdiction.

Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno

Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut

California Attorney General (AG) Rob Bonta and Los Angeles City Attorney Hyde Feldstein Soto recently settled a lawsuit with Tilting Point Media, LLC (Tilting Point) related to a SpongeBob Square Pants-themed app. In the complaint, Tilting Point is accused of collecting, using, and sharing the personal information of children in violation of the Children’s Online Privacy Protection Act (COPPA).

Dear Mary,

One of our critical service providers recently suffered a cyberattack. It’s all over the news, and our business operations are severely impacted. We’re losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.

– Frustrated in Dallas