The California attorney general recently released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The attorney general also released a notice of proposed rulemaking and an initial statement of reasons that provide drafting insights and outline considerations that will likely continue to guide the rulemaking process. The proposed regulations provide clarifications for businesses and consumers in five key CCPA areas, including privacy notice requirements.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The bill requires the newly-formed Department of Homeland Security teams to provide assistance to public and private entities, on request, to prepare for and respond to cyber-related incidents, including (among other things) restoring services after a cyber incident.
The California legislature recently debated several amendments to the California Consumer Privacy Act, eventually passing five bills which now await the governor's signature. Collectively, these bills do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for one year some of the more challenging requirements. The passed bills address a range of topics, including providing for a partial, temporary one-year exception for applicant and employee data.
The New York governor recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law and defining 'breaches' to include incidents involving unauthorised access to covered information, even where the information is not acquired.
In a long-awaited decision, the Supreme Court was expected to provide greater clarity on the extent to which litigants can challenge the Federal Communications Commission's Telephone Consumer Protection Act interpretations in private litigation. However, instead of deciding that issue, the court vacated the Fourth Circuit's ruling and remanded the case for further development.
Senate Bill 220 was recently signed into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. However, the new privacy law is significantly narrower than the California Consumer Privacy Act (CCPA). For example, it applies only to online activities, defines 'consumer' and 'sale' more narrowly and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act.
Federal Communications Commission (FCC) Chair Ajit Pai recently announced plans to open a rulemaking proceeding to take a fresh look at the 5.9GHz band. In this new proceeding, the FCC will consider whether and how to allow sharing in the 5.9GHz band between dedicated short-range communication, gigabit Wi-Fi and cellular vehicle-to-everything technologies.
Several legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following a recent hearing before the California Assembly's Committee on Privacy and Consumer Protection in which the bills were approved. The bills will advance to the assembly's Appropriations Committee before being voted on by the full assembly and potentially advancing to the California State Senate for consideration.
A court has expressed concern with the government's "routine outsourcing" of investigations to the targets of those investigations seeking cooperation credit. The court noted the corporate target's "uniquely coercive position" over its employees, who may also be potential targets of the investigation. The decision may profoundly affect the structure and scope of cooperation agreements between the government and the corporate targets of criminal investigations.
In 2018 California passed the California Consumer Privacy Act (CCPA), which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective in January 2020 and may impact companies in the education sector, including large education technology companies. Regulated educational entities should be wary of the CCPA's key requirements, including the deletion of consumers' personal information on request.
Congress recently introduced a bipartisan proposal to enhance cybersecurity for the network of internet-connected devices, commonly known as the Internet of Things (IoT). The IoT Cybersecurity Improvement Act 2019 aims to establish baseline cybersecurity standards for IoT devices. It would also impose limits on the types of IoT device that the US government can purchase.
The Department of Justice (DOJ) recently confirmed the importance of implementing a robust compliance programme that is not only well designed, but also adaptable and able to function effectively. The DOJ's latest guidance makes clear that companies have a strong incentive to maintain an effective compliance programme. Most importantly, these programmes must be fully implemented, account for the structure and scope of a company's business and actually operate effectively.
The Federal Trade Commission recently issued notices seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and the Privacy Rule. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule focus on technical changes to align the rule with changes in law over the past decade.
The Federal Trade Commission (FTC) recently announced that it had settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children's Online Privacy Protection Act. This action was notable not just for the penalty's size, but also because of the joint statement by two democratic commissioners that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
Throughout 2018 the Department of Justice (DOJ) continued to ring the clarion call for cooperation and sought to provide some certainty, consistency and coordination regarding the incentives offered to companies that provide voluntary disclosures. In particular, the DOJ centralised its guidance memoranda into what is now known as the Justice Manual. The DOJ's goals were to identify redundancies, clarify ambiguities, eliminate surplus language and update the manual to reflect current law and practice.
Government attorneys now have additional discretion in False Claims Act civil cases to award cooperation credit to a corporation that meaningfully assists the investigation without necessarily identifying every individual person outside of senior management involved in the alleged misconduct. The new policy reflects the reality of modern corporate investigations and encourages realistic cooperation efforts without compromising the Department of Justice's policy of holding individuals accountable.
After the election of President Donald Trump, many observers wondered whether the US Department of Justice (DOJ) would change the way in which it enforces the Foreign Corrupt Practices Act. As the halfway point of Trump's first term in office approaches, it seems that the DOJ has not made any dramatic changes to the enforcement philosophy followed during prior administrations.
When a legal team needs to find the facts behind fraud and corruption allegations in a government investigation, technology can drive substantial new efficiencies. By filtering and evaluating vast amounts of information, artificial intelligence can effectively sort text messages, audio files, emails and other unstructured data into manageable groups; identify potential relationships between parties accused of fraud or corruption; and recognise patterns of frequency or timing, which may support a client's defence.
Compliance officers often report to the legal department or are staffed with qualified lawyers, making it difficult to distinguish when the compliance officer is serving in a legal capacity, rather than a compliance one. However, drawing a clear distinction between these functions, conducting internal investigations under the direction of counsel and making the legal purpose of communications or documents clear will make the best possible record to show that documents should be protected by privilege.
With few Foreign Corrupt Practices Act (FCPA) corruption investigations resolved under the Trump administration's watch, it is too early to weigh up how the administration will affect enforcement or settlements in the long term. On its face, the new FCPA Corporate Enforcement Policy signals a more business-friendly approach by removing the spectre of a monitor in many situations and by committing to a presumption of a declination in certain circumstances.