Anjali C. Das Partner

The Utah Consumer Privacy Act, once signed into law, will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law. The Act provides consumers with broad protection and rights concerning the collection, use, processing, sharing and sale of their personal information. Businesses that fail to comply may be subject to significant fines and penalties.

Last year, cyber threats on global supply chains were in the spotlight following the unprecedented cyber-attacks on Colonial Pipeline, JBS and SolarWinds, attacks that had far-reaching consequences for downstream businesses, customers and individual consumers. The current geopolitical climate and escalating crisis in Ukraine is amplifying concerns about the increased cyber threat to global supply chains already strained by the COVID-19 pandemic..

China’s new Personal Information Protection Law affords the country’s residents greater protection and rights over their personal data. Domestic and foreign organizations are subject to the heightened requirements, and failure to comply may subject organizations to substantial regulatory fines and penalties, revocation of business licenses, legal action and even personal liability.

Blissful ignorance is not a viable defense to an organization’s third-party cyber risk, and its supply chain is one of the most vulnerable areas when it comes to data security. As ransomware attacks increase, regulators are directing their scrutiny toward companies’ information security programs. While management has responded by increasing their information security program budgets, supply chain risk departments continue to be ignored. Supply chain cyber risk is a large task, but it can be brought under control by focusing on a few key steps to manage third-party risk.

On September 21, 2021, the U.S. Department of the Treasury issued an updated advisory cautioning companies against the potential to incur sanctions by making ransom payments to cybercriminals, putting pressure on companies not to pay.

Any organization that conducts business in the state of California, collects or processes personal information, and meets one or more select criteria should assess their compliance with the California Privacy Rights Act, set to take effect on January 1, 2023. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Following in the footsteps of the Illinois Biometric Information Privacy Act, the City of New York has enacted its own Biometric Identifier Information Act. Like its root, this new law is designed to protect and limit the use of consumers’ biometric data, which is highly personal and irreplaceable. Companies that fail to adhere to the new law may be subject to lawsuits and sizeable statutory damages.

The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents.

On October 1, 2020, the U.S. Department of the Treasury issued an advisory on potential risks of sanctions for organizations that facilitate ransom payments. Companies, their cyber insurers and third parties that assist in facilitating payments to cybercriminals might be subject to liability and hefty penalties under federal laws.

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) recognizes and enforces California consumers’ right to privacy and control over their personal information.

As the year draws to a close, it’s an especially good time to review your businesses’ cybersecurity policies and procedures as they relate to electronic protected health information under HIPAA regulations.

Public hearings were scheduled for the first week in December to receive comments on proposed regulations to the California Consumer Privacy Act, which goes into effect on January 1, 2020. Written comments will be accepted by the California Attorney General until 5:00 p.m. on December 6, 2019. The final regulations are expected to be released in early 2020 and will be enforced beginning in July 2020.

The Illinois Supreme Court gave the state’s Biometric Information Privacy Act more “punch” in a recent opinion holding that an individual does not need to prove harm to recover − a technical violation of the Act is sufficient to constitute standing.

Businesses that seek to obtain and preserve contracts with the U.S. government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations. These include the Defense Federal Acquisition Regulation Supplements, which impose stringent minimum security requirements and reporting obligations, and the International Traffic in Arms Regulations, which contain approval, registration and records maintenance requirements.

The extra-territorial reach of the EU’s new General Data Protection Regulation means that non-EU companies that collect, store, transfer or otherwise process personal data of EU residents may be required to obtain express consent to use an individual’s personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents.

Under Australia’s Notifiable Data Breach Scheme, organizations, not limited to Australian companies, will be forced to promptly respond to and investigate actual or suspected data breaches concerning personal information. Failure to do so may result in the commencement of a regulatory action and/or the imposition of civil penalties. Companies with potential exposure are encouraged to become familiar with the new legal requirements.

On November 1, 2018, the long-awaited amendments to Canada’s Personal Information Protection and Electronic Documents Act will go into effect. These amendments and related regulations impose new mandatory notification obligations on companies in the event of a breach involving the personal information of Canadians.

While the California Consumer Privacy Act does not take effect until 2020, it is likely to spur other states – and perhaps the federal government – to enact broader legislative protections for the collection and use of individuals’ personal information. Meanwhile, all entities that do business in California and collect personal information of Californians should take prompt action to review and revise related assets and materials.

The speed of events and the fast-breaking news on the recent Equifax data breach discovered on July 29, 2017, has gone from bad to worse. An investigation revealed that the incident impacted 143 million consumers’ personally identifiable information, including names, social security numbers, dates of birth and driver’s license numbers.

The world recently experienced an unprecedented global cyberattack that targeted the public and private sectors, encrypting and locking electronic files. So far, it is estimated that hundreds of thousands of entities worldwide were victims of WannaCry ransomware; and just as WannaCry is subsiding, a new attack, Adylkuzz, is taking its place, crippling computers by diverting their processing power. Now the world needs to begin building a Cyber Defense Arsenal.

Wilson Elser Chicago partner Anjali Das has compiled a roundup of recent news, including litigation and mega settlements, developments in Delaware D&O law, D&O cyber liability, and recent D&O insurance coverage decisions.

In what appears to be an all-out assault on lax cybersecurity, the SEC has issued a new Alert in connection with its cybersecurity examination of Wall Street firms, entered a Cease and Desist Order against a firm for failing to adopt written policies or procedures to protect customer information, and issued an Investor Alert that highlights actions individuals should take if their personal information is compromised.

The SEC’s new disclosure guidance was intended to bring greater awareness and transparency to actual or potential cybersecurity risk that might be considered material to investors. However, the SEC has acknowledged that this guidance alone might not be sufficient to address investor concerns.

On May 13, 2014, the Court of Justice of the European Union found that an individual has the right to demand that Google remove links about him that he claimed were old and irrelevant. But which approach is best – the right to be forgotten or the right to know? The “right to be forgotten” as currently described by the Court of Justice could create a clash between freedom of speech, which is supported in the United States, and the EU’s broader concept of privacy.

Companies that plan to use social media to communicate material corporate information to investors should make sure they have effective policies, controls and safeguards in place to mitigate potential risk for violations of securities or other laws.

The U.S. Supreme Court’s reaffirmation of heightened standards for future harm may significantly aid corporations in obtaining dismissals for data security and cyber beach lawsuits where plaintiffs frequently cannot show that their personal information will subject them to identity theft or be used in a manner to cause them some other concrete financial harm.

The long-awaited Guidance on potential violations of the Foreign Corrupt Practices Act may provide some relief and useful tips for directors and officers of companies that have been increasingly concerned about potential exposure for successor liability emanating from FCPA violations by the acquired entity. 

Walmart is the latest high-profile target of a string of D&O claims involving the increasingly enforced Foreign Corrupt Practices Act. The SEC and DOJ have maintained an aggressive stance on FCPA violations and enforcement actions, which can lead to shareholder derivative civil actions.

Many China-based issuers have been targeted by regulators and investors alike for purported securities and accounting fraud that could ultimately cost D&O insurers millions in losses.

In light of the potential long arm of the Bribery Act, directors and officers (“D&O”) liability carriers should familiarize themselves with the potential increased exposure to their insureds. In addition, D&O insurers would be well advised to consider potential coverage issues under their policies for claims and investigations under the Bribery Act.

Many financial industry insiders and their insurers have been wondering where the Federal Deposit Insurance Corporation (FDIC) has been during the recent financial industry meltdown. As the appointed receiver of failed banks that are federally insured, the FDIC is expected to be at the forefront of litigation against the directors and officers (D&Os) of failed financial institutions.

Recently enacted sweeping financial legislation embodied in the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Act) creates new concerns for directors and officers of all public companies – not just financial institutions.  D&Os will be subject to heightened public and regulatory scrutiny in connection with corporate governance and executive compensation.  Broad disclosure requirements regarding executive pay, coupled with potentially enormous financial incentives to corporate whistle-blowers, could lead to increased liability exposure for D&Os and their insurers.

A typical claim targeting directors and officers ("D&Os") in the context of a merger or acquisition is that the D&Os breached their fiduciary duties of care and loyalty by failing to get the best deal for shareholders.  However, in a boon to D&Os and their insurers, several recent Delaware court decisions have made it easier for defendants to successfully defend these types of claims.