New York Department of Financial Services Issues Cybersecurity Threat Alert as Malicious Activity Rises

The New York Department of Financial Services (DFS) published an alert directed to all DFS-regulated entities specifically warning of a widespread cybersecurity threat involving social engineering of regulated institutions’ IT help desk personnel and call center personnel.

According to the alert, DFS has detected a trend in which threat actors target IT personnel as part of schemes to gain system access through password resets and the diversion of multi-factor authentication (MFA) to new devices. According to DFS, threat actors have employed tactics including voice-altering technology and leveraging information found online about individuals’ identities in attempts to convince IT personnel at help desks and call centers to comply with fraudulent access requests.

DFS cautions all regulated entities to be on “high alert for suspicious communications” based on the observed threat actors’ recent activity. Entities are encouraged by DFS to:

  • implement secure controls for password changing and MFA device configurations;
  • exercise caution in authenticating the identity of anyone who tries to change a password or MFA device; and
  • remain vigilant when receiving requests from individuals and vendors regarding system access.

DFS included a link to guidelines published by the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA). The guidelines from CISA (CISA: Avoiding Social Engineering and Phishing Attacks) identify best practices to protect against these cyber threats, including:

  • Distinctions between common methods of social engineering employed by threat actors
  • Common indicators of malicious activity disguised as a legitimate communication
  • Proactive measures to minimize the risk of disclosing information and/or permitting access to threat actors
  • Guidance and resources on handling a cybersecurity compromise

In addition to the CISA guidelines, NYDFS has a publicly available Cybersecurity Resource Center with more information and guidance for DFS-regulated individuals and entities.

For More Information

If you have any questions about this blog post, please contact Michelle Hon Donovan, Ariel Seidner, Milagros Astesiano, any of the attorneys in the Privacy and Data Protection Group, or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This blog post has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm’s full disclaimer.

Changes to Illinois Biometric Data Law Lower Liability, but the Stakes Remain High

In recent years, a heavy question mark has weighed on companies that process biometric information as part of their standard operating procedures: What is our risk exposure? On August 2, 2024, Illinois Governor J.B. Pritzker signed into law a bill passed by the Illinois Legislature in May to amend the Illinois Biometric Information Privacy Act (BIPA) in a way that is expected to limit the risk exposure associated with violations. The amended text of BIPA now indicates that violations essentially occur on a per-person basis, not a per-scan basis. This is expected to yield a marked decrease in the number of violations for which a company may be liable, though penalties of up to $5,000 may still add up quickly where thousands of individuals or more are implicated. Read the full Alert on the Duane Morris website.

Colorado Privacy Act’s Universal Opt-Out Provision Goes Into Effect July 1, 2024

While the Colorado Privacy Act (CPA) has already been in effect, as of July 1, 2024, companies that meet the threshold compliance criteria for CPA and that engage in the processing of personal data for purposes of targeted advertising or the sale of personal data (“covered entities”) must implement a universal opt-out mechanism, which allows users to more easily exercise their opt-out rights with these covered entities. Specifically, a universal opt-out mechanism allows a user to configure their internet browser settings, and as a result, the websites the user visits from that browser automatically receive the user’s opt-out signal. As of July 1, 2024, covered entities must recognize and honor a user’s opt-out preferences where communicated through a universal opt-out mechanism.

Read the full Alert on the Duane Morris LLP website.

Attorney General Submits Final CCPA Regulations for Approval

On June 1, 2020, the California Attorney General (AG) submitted the final text of the CCPA regulations to the California Office of Administrative Law (OAL) for approval. The final regulations appear to be unchanged from the latest draft published on March 11, 2020.

Generally, the OAL has 30 days to review and determine whether to approve the regulations. Currently, however, an executive order has granted an additional 60 days to finalize proposed regulations in light of the challenges agencies are facing due to COVID-19. Additionally, any regulation that is filed June 1 or later would not typically be effective until October 1. However, an agency can request an earlier effective date if it can demonstrate good cause, which is what the AG has done here. The AG has requested that the OAL approve the regulations within 30 days and that an exception be made such that the regulations will be effective upon filing with the Secretary of State.

Proposed Modifications to CCPA Regulations – Service Providers, Authorized Agents, Minors, Nondiscrimination and Calculating the Value of Consumer Data

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

  • Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
    • Performing the services specified in the written contract;
    • Retaining and employing another service provider as a subcontractor;
    • For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
    • Detecting security incidents or protecting against fraudulent or illegal activities; or
    • Any other purpose enumerated in the CCPA.
  • Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
  • Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

  • Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purpose the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

  • When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identity directly with the business and (3) directly confirm with the business that they provided the authorized agent permission to submit the request.
  • Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

  • Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

  • Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
  • Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
  • Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

  • Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
  • For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.

Proposed Modifications to CCPA Regulations – Consumer Requests and Verification Requirements

Note: This blog post is the second of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for consumer requests and verification in the modified regulations are summarized below.

Sections 999.312 and 999.313 – Requests to Know and Requests to Delete

  • Clarifies that exclusively online businesses need only provide an email address for submitting requests to know.
  • Clarifies that a business shall consider the methods by which it “primarily” interacts with consumers when determining which methods to provide for submitting requests to know and delete. A business that operates a website but primarily interacts with customers at a retail location is only required to have two (not three) methods to submit requests.
    • CCPA Example: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’ toll-free number.
  • Clarifies the following deadlines:
    • Confirmation of receipt of a request to know or delete must be provided within 10 business days (as opposed to calendar days). The confirmation may be given in the same manner the request was received.
    • Responses to a request to know or delete must be provided within 45 calendar days, beginning on the day the business receives the request, regardless of the time needed to verify the request. A business may deny the request if it cannot be verified within the 45-day period. An additional 45 calendar days is permitted so long as, within the first 45 days, the business provides the consumer with notice and an explanation of the reason the business will take more than 45 days to respond.
  • Clarifies that in responding to a request to know, a business is not required to search for personal information if: (1) the business does not maintain information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search due to meeting these requirements.
  • Adds unique biometric data generated from measurements or technical analysis of human characteristics to the list of sensitive personal information that may not be disclosed in response to a request to know.
  • Clarifies that the categories of third parties to whom personal information is sold or disclosed must be provided for each particular category of personal information identified in response to a request to know categories of personal information.
  • An unverified request to delete is no longer required to be treated as an automatic request to opt out. Instead, a business that sells personal information is required to respond to an unverified consumer request to delete by (1) asking the consumer if they would like to opt out of the sale of their personal information and (2) including either the contents of, or a link to, the notice of the right to opt out.
  • With regard to data stored in backup systems, explains that such data is only required to be deleted if and when it is restored to an active system or accessed or used for a sale, disclosure or commercial purpose.
  • Clarifies that a business must inform the consumer whether it has complied with the request to delete and that it will maintain a record of the request for purposes of ensuring the personal information remains deleted from the business’ records.

Section 999.315 – Requests to Opt Out

  • Mandates that methods for submitting opt-out requests be designed to require minimal steps and be easy to execute.
  • Clarifies that an acceptable method for submitting a request to opt out of the sale of personal information is through a user-enabled “global” privacy setting, including but not limited to a device setting. The use of a global privacy control by a consumer must be treated by the business as a valid request to opt out. Any privacy control must clearly signal that the consumer intends to opt out of the sale of personal information and must require that the consumer affirmatively select their choice to opt out and must not be designed with any preselected settings. If a global privacy setting conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’ financial incentive program, the business must respect the privacy control but may give the consumer notice of the conflict and give the consumer the choice to confirm the business-specific purpose or participation in the financial incentive program.
  • Businesses must comply with a request to opt out as soon as feasibly possible but no later than 15 business days (as opposed to calendar days) from the date the business received the request. The business must direct all third parties to whom it sells personal information to stop selling that information while the business complies with the opt-out request.

Section 999.316 – Requests to Opt In

  • Clarifies that a business may provide a consumer with instructions on how to opt in to the sale of their personal information, if the consumer initiates a post-opt-out transaction or attempts to use a product or service that requires the sale of their personal information to a third party.

Section 999.318 – Requests to Access or Delete Household Information

  • Clarifies that where a household does not have a password-protected account with a business, the business is prohibited from providing specific pieces of personal information about the household in response to a request to know or from deleting personal information in response to a request to delete unless all consumers of the household make the request jointly and the business individually verifies the members of the household, including that each member making the request is a current member of the household. The business is no longer required to provide aggregate information in response to such requests.
  • Clarifies that a business may process requests through existing and compliant business practices when the consumer has a password-protected account with the business.
  • When members of a household are under 13 years of age, requires verified parental consent for disclosure of household information.

Section 999.323 – Verification

  • Prohibits a business from requiring consumers to pay a fee in connection with verification of a request to know or to delete.
    • CCPA Example: A business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of the notarization.

Section 999.325 – Verification for Non-Accountholders

  • Updates the illustrative examples for verification of individuals without an account and clarifies that a business shall deny a request to know specific pieces of information if it cannot verify the identity of the requestor.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
