Nick Akerman

Prior to private practice, Nick served as a federal prosecutor. He was an Assistant United States Attorney in the Southern District of New York, where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski. Nick has over 30 years of experience in helping clients respond to government investigations and prosecutions and assisting corporate clients in preventing and responding to internal thefts and outside hackers. He is a nationally recognized expert on computer crime and the protection of competitively sensitive information and computer data. Nick regularly obtains injunctions for his clients under the federal Computer Fraud and Abuse Act in various federal courts around the country requiring computer thieves to return stolen computer data and prohibiting the dissemination of the data to competitors. He also guides clients in developing systems, policies and protocols to protect computer data. Nick speaks and writes regularly on protecting computer data, including in his regular computer data column for the National Law Journal. He has been a featured quoted expert on computer fraud and computer security issues in the New York Times, USA Today, the San Jose Mercury News, the Boston Globe, the St. Louis Dispatch, the Sacramento Bee, Forbes, ComputerWorld, CFO Magazine, CNET, CNET Japan, ZDNet, MSN, Internet Week and the Weekly Homeland Security Newsletter. His blog can be found at http://computerfraud.us.

California Attorney General Issues Draft Regulations for CCPA

On October 11, 2019, the California Attorney General (the “California AG”) issued draft regulations (the “Draft Regulations”) pursuant to his authority under the California Consumer Privacy Act of 2018 (“CCPA”).1 The publication of the Draft Regulations commences the public comment period during which numerous interpretative issues relating to the implementation of the CCPA hopefully will be addressed and resolved. Unfortunately, the California AG chose to limit the Draft Regulations to basic process issues relating to the overall structure of the CCPA, and elected not to address many of the more difficult compliance problems identified by industry participants. More troubling is the inclusion of additional procedural steps that a covered “business”2 must follow when complying with “requests” for “personal information”3 (“PI”). (If ultimately adopted, several of these additional compliance obligations could likely create technical and unintended violations of the CCPA.)4 This Alert provides an initial analysis of the approach taken by the Draft Regulations, as well as suggestions for participating in the rule-making process.5

Breathing Room? California Legislature Passes Two Major Amendments to California Consumer Privacy Act (CCPA)

Businesses may receive a bit of breathing room as a result of two amendments to the California Consumer Privacy Act (CCPA) passed on Friday, September 13, 2019, by the California Legislature. The Legislature gave businesses a one-year moratorium on two significant aspects of the law: its application to employees, job applicants, owners, officers, directors, medical staff members, and contractors; and its application to business-to-business transactions. The Governor has until October 13, 2019, to sign or reject the amendments. Although the amendments provide some of the needed clarifications and error corrections and a significant break from needing to respond to certain data subject requests from employees and B2B contacts, businesses will still need to complete their data mapping (even for these categories of consumers) and will still need to be prepared to offer the rights not exempted on January 1, 2020, even if these amendments are signed by the Governor. For those following the process, five bills passed the Legislature: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Proposed amendment AB 846 on loyalty programs was shelved. In addition to the two widely applicable amendments about employees and business-to-business transactions discussed in detail below, the Legislature also passed a number of minor or narrowly applicable amendments. The amendments amount to 98 pages of printed material. We will cover only the more significant of them in this article.

CCPA Requires “Reasonable Security”: but You Can’t have Reasonable Security Without Proper Vulnerability Management

By:  Divya Gupta, Dorsey & Whitney Partner and Coy Wamsley, Dorsey & Whitney Associate

With the California Consumer Privacy Act (“CCPA”) set to take effect on January 1, 2020, and the resulting looming specter of statutory damages and data breach class action litigation for failure to implement “reasonable security” on the near horizon, reducing or mitigating the harms that result from such cyber-attacks is more important than ever.  Since 2015, more than three in five Californians have been a victim of a data breach, making implementation of reasonable security controls now a critical and necessary component of CCPA compliance.1  While the retail industry has had record breaking breaches from malware and hacking, especially with card data, no industry is risk free when it comes to adequate data security.

Managing or mitigating risk, however, requires implementing “reasonable security,” which derives from the Center for Internet Security’s Top 20 Critical Security Controls (CSC 20), per Kamala Harris, then California Attorney General, in 2016. In California’s 2016 Data Breach Report, Harris stated that “[The CSC 20] are the priority actions that should be taken as the starting point of a comprehensive program to provide reasonable security.”

New York Expands Data Privacy Protections

New York continued its active legislative session last week, this time by expanding its data breach notification law. The SHIELD Act (Stop Hacks and Improve Electronic Data Security), signed by Governor Andrew Cuomo on July 25, 2019, notably expands the definition of a data breach and the scope of what constitutes personal information. But the law could have gone farther; the state did not enact a private right of action, as California has and as several other states are considering. New York’s action does, however, contain several other very significant provisions in the context of data breaches involving New York residents.

Nevada’s New Privacy Law – Beating California in the Backstretch

Just as companies are reaching the straightaway in their efforts to get ready to comply with the California Consumer Privacy Act (“CCPA”) by January 1, Nevada has burst ahead with a privacy law that will take effect before the CCPA. On May 29, 2019, Nevada Governor Steve Sisolak signed SB 220 into law, amending Nevada’s existing law that requires an operator of an Internet website or online service to provide a privacy notice to consumers detailing certain of the operator’s privacy practices; SB 220 goes into effect on October 1, 2019.1 SB 220 allows consumers to opt out of operators of Internet websites and online services selling personally identifiable information to other entities for monetary consideration and will require both legal and operational changes for businesses. Operators, as defined by the law, must create a “designated request address” that allows consumers to submit requests prohibiting sale of information collected about the consumer, and operators must respond to the requests within 60 days.

National Financial Institutions—Developing A Project Plan To Comply With The California Consumer Privacy Act

Since its adoption last year, U.S. financial institutions have been confronted with the challenge of planning their compliance with the California Consumer Privacy Act (the “CCPA”)1. The CCPA becomes effective in two stages—January 1, 2020 and July 1, 2020 (or possibly sooner depending upon the date the California Attorney General adopts implementing regulations).2 Regrettably, considerable confusion exists within the financial industry about the scope of the CCPA and the obligations it imposes on financial institutions. In an effort to provide our financial intermediary clients and friends with a workable summary of a financial institution’s obligations—and in particular for financial institutions that do not have a physical presence in California—this Alert is intended to assist in identifying coverage considerations, and provide a practical approach to the development of a project plan that will demonstrate reasonable compliance with the CCPA’s admittedly ambiguous set of requirements and obligations.

AB 25 Passes the California Assembly – and Excludes Employee Information from Coverage under the California Consumer Privacy Act (the “CCPA”)

By Joseph Lynyak and Samir Islam

On May 29, 2019, the California Assembly took a major step to rationalize the coverage of the CCPA by excluding employee information from the definition of “consumer.” Specifically, the term “consumer” was amended to exclude a person whose personal information has been collected by a covered business in the…

SB 561 Held in Committee-Private Right of Action under the CCPA Confined (for Now)

On Thursday, March 16, 2019, the California Senate Appropriations Committee held in Committee SB 561, which would have greatly expanded the private right of action (i.e., the ability to bring private class actions) available under the California Consumer Privacy Act (“CCPA”). SB 561 was introduced in February by California Attorney General (“AG”) Xavier Becerra and Senator Hannah-Beth Jackson. Notably, the bill sought to amend the existing private right of action to cover all violations of the CCPA, as opposed to merely data breaches. Additionally, the bill would have discontinued the 30-day cure period, whereby businesses were immunized from penalization by the AG to the extent they were able to cure an alleged violation within 30-days’ notice thereof, and would have eliminated businesses’ and third parties’ entitlement to seek interpretive guidance regarding compliance from the AG (and instead would authorize the AG to publish general guidance).

Potentially Expanded Private Right of Action Increases Risk of Class Action Exposure Under the California Consumer Privacy Act

As companies were getting up-to-speed on the effects of the European Union’s General Data Protection Regulation (GDPR) last year, California quickly enacted its own privacy law, the California Consumer Privacy Act (“CCPA” or “Act”) last June. We address below the high risk associated with the CCPA and its interaction with regulations in key U.S. industries. The fast-passed legislation was designed to avoid a November 2018 ballot initiative on the subject, and was plagued by errors and ambiguities that require robust clarification.  The Act’s take-away, however, was abundantly clear – California consumers have a right to know what personal data companies are collecting and are empowered to bring a private right of action for a data breach (and even potentially for other violations of the Act). 

Jail Time for Executives? Federal Privacy Proposals Have Teeth

2019 will bring significant privacy law changes in the U.S. These changes will require significant compliance efforts by companies operating in the U.S. this year. It is still an open question as to whether those compliance efforts will be in connection with a new federal privacy law or the California Consumer Privacy Act of 2018 (CCPA). Numerous companies and members of Congress are calling for federal legislation. Momentum is building. However, unless legislative action is immediate in the new Congress, it is time for companies to begin efforts to comply with the CCPA, if they have not already done so.
