Cybersecurity and Data Privacy

Subscribe to Cybersecurity and Data Privacy via RSS

Dear Mary,

We had a security incident a few weeks backs that luckily turned out to be nothing. I’ll tell you, tension was high around here while the investigation was ongoing because there was a possibility that it was going to be bad. The forensic firm (hired by our outside counsel) figured out that the incident resulted from a misconfiguration in our MFA. We fixed that and now I’m wondering whether we really need a forensic report given the limited impact. I am not sure I understand the need.

– Uncertain in Atlanta

Dear Mary,

I work in the IT department of a mid-sized company that recently detected a security incident. Everyone is freaking out – minus me. My manager asked our IT team to investigate the incident. But the incident is already contained, and business is back to normal. Why do we need to investigate further? Like seriously, why? And if we do need to investigate further, should I be doing this? I’ve been in IT for a while, and I have never been in this situation before.

– Forensic Forgoer in Florida

We are pleased to introduce ‘Dear Mary,’ a new advice column from Troutman Pepper’s Incidents + Investigations team. This column will answer questions about anything and everything cyber-related — data breaches, forensic investigations, responding to regulators, and much more. ‘Dear Mary’ goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to your questions with concise, practical answers. ‘Dear Mary’ can be found here on the firm website, and direct links can be found on our Privacy + Cyber related blogs and newsletters.

On May 8, attorneys general (AG) from 14 states and the District of Columbia sent a letter to Congressional leadership opposing provisions of the recently proposed federal American Privacy Rights Act (APRA). In addition to the District of Columbia, the signatory states include California, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont. Their objections primarily center on the APRA’s preemption clause, which would nullify 16 state comprehensive data privacy laws that have been enacted since 2018.

This article was originally published in American City & County on March 1, 2024.

For years, private companies have struggled to protect the data of consumers against security incidents and cyber-attacks by malicious threat actors. More recently, there has been a growing surge of data breaches impacting the public sector, and local governments face unique challenges in responding to such incidents.

In a recent alert, we reported that California Attorney General (AG) Rob Bonta announced a settlement with DoorDash over allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling consumers’ personal information without providing notice or an opportunity to opt out.

This article was originally published on February 14, 2024 in Reuters and Westlaw Today. It is republished here with permission.

As we discussed in part three of this series, “Navigating the Complexities of Regulatory Data Incident Investigations,” when an organization is the subject of regulatory data incident investigations, it must navigate a tangled regulatory web. Extricating itself from that web is the ultimate goal. But what form does that take?

In an era where privacy, security, and artificial intelligence are at the forefront of many business operations, staying informed about the latest developments is crucial. Our 2023 Privacy Year in Review is an in-depth analysis of the past year’s significant advancements and challenges in these areas.

On January 16, New Jersey became the first state this year to enact a comprehensive privacy law, S332, which applies to businesses conducting operations in the state or targeting its residents. As noted in this article by our privacy team, similar to other state comprehensive privacy laws, S322 grants consumers the right to confirm, correct, delete, obtain a copy of their personal data, and opt out of its processing for targeted advertising, sale, or profiling. Controllers and processors are obligated to limit data collection, establish security practices, and provide a privacy notice. They are also required to conduct a data protection assessment for processing activities that pose a heightened risk of harm to consumers. The New Jersey Attorney General’s Office has exclusive authority to enforce violations, treating them as “unlawful practices” under the New Jersey Consumer Fraud Act. The law takes effect on January 16, 2025, with an 18-month grace period for organizations to correct violations before enforcement actions are taken.