Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to “protect the right of privacy by, among other things, requiring that all parties consent to a recording of their conversation.” Whether intentional or not, from these modest origins CIPA has become a giant—create substantial liability risk for thousands of companies every year.

Continue Reading Mini-Series on CIPA – Part 4: How Big is the Risk?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) penalizes those “who willfully and without the consent of all parties to the communication . . . read, or attempt to read, or to learn the contents or meaning of any message, report, or communication.” Cal. Penal Code § 631 (cleaned up).

This rule seems sensible when applied to someone surreptitiously eavesdropping on a phone conversation. The law was passed in the 1960s to protect phone conversations from wiretaps, and if I am secretly listening in on your phone call, then my conduct may fall under the law.

Continue Reading Mini-Series on CIPA – Part 3: Can I Eavesdrop on My Own Conversation?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) penalizes unauthorized eavesdropping on communications “carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio. . .” Cal. Penal Code § 632.7(a). Recently, plaintiffs have pressed courts to include internet-enabled communications on smartphones within the auspice of § 632.7(a). But is a smartphone communication over the internet a phone under this section of CIPA?

Continue Reading Mini-Series on CIPA Part 2: What is a ‘Phone’?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

Companies have websites to reach customers, share products and services, and communicate brands. But websites can also create legal risks. Recently, litigation has surged against website owners for violating the California Invasion of Privacy Act (CIPA). This 1960s phone-wiretapping law is now used against websites that collect and share visitor data with third-party vendors. The legal theory, in part, is that when a user visits a website and their information is processed, the third-party vendor listens in on this communication without notice or consent from the website user.

Continue Reading Mini-Series on CIPA – Part 1: What is a ‘Communication’ Anyway?

Key Takeaways

1. New cybersecurity measures and requirements are introduced by the EU for companies.

2. Contractual provisions with the supply chain may need to be revised.

3. High penalties and liability for management, including personal liability.

Continue Reading The NIS2 Directive is on the Edge of Enforcement: What Now for EU/US Companies?

Text messages and other non-email, electronic communications have become increasingly important in securities fraud matters. These communications are often sent from personal mobile devices and often provide key evidence.  It has become clear that the most interesting, and sometimes most problematic, communications often do not take place via email.

Continue Reading Text Messages Lead to $4.47B Liability in Securities Fraud Case

The U.S. Securities and Exchange Commission (“SEC”) adopted a final rule on July 26, 2023 that requires public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. Since its adoption, public companies have faced practical challenges in determining whether and when a cybersecurity incident warrants disclosure under Item 1.05.

On May 21, 2024, roughly six months after the final rule’s effective date, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement signaling that public companies should consider disclosing incidents in a different fashion under a Form 8-K.  Specific points of note:

Continue Reading SEC “Encourages” Public Companies to Disclose “Immaterial” Cybersecurity Incidents Under Item 8.01 of Form 8-K

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

Continue Reading DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.

Continue Reading FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures

On November 9, 2023, the European Parliament has adopted the final version of the Data Act, marking a significant milestone in the evolving landscape of digital regulation. The Data Act is part of the European Commission’s broader strategy to shape Europe’s digital future (see our earlier posts here and here).

The widespread use of internet-connected products (the so-called Internet of things or “IoT”) has notably increased the volume and potential value of data for consumers, businesses, and society at large. Recognizing that barriers to data sharing hinder optimal data allocation for societal benefit, led to the drafting of the Data Act. Initially proposed by the European Commission in February 2022, the Data Act is designed to regulate data sharing and usage within the EU.

The Data Act, which applies to both personal and non-personal data, encompasses several key elements designed to foster an efficient, fair, and innovative data economy:

  • It facilitates data sharing, particularly data generated by connected devices and used by related services. This spans all sectors, underscoring the significance of non-personal data sharing for societal and economic benefits;
  • Itestablishes mechanisms for data transfer and usage rights, with a special focus on cloud service providers and data processing services. This facilitates a more fluid and secure data sharing environment;
  • It introduces interoperability standards to ensure data can be accessed, transferred, and used across different sectors, which is crucial for innovation and competitive markets;
  • It reinforces the right to data portability, allowing users to move their data across different service providers, which enhances user autonomy and promotes competition;
  • It mandates that providers of data processing services, such as cloud and edge services, implement reasonable measures against unauthorized third-party access to non-personal data, thereby fostering trust in data;
  • It aims to balance the availability of data with the protection of trade secrets;
  • It recognizes the need for public sector bodies, the Commission, the European Central Bank or Union bodies to use existing data to respond to public emergencies or in other exceptional cases; and
  • It provides protections against unfair contractual terms that are unilaterally imposed.

These elements collectively aim to enhance data accessibility and utility, protect individual and business interests, and foster a more competitive and innovative digital market in the EU.

The adopted text now needs formal approval by the Council to become law. Once finalized, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the European Union and will apply from 20 to 32 months from the date of entry into force. The timeline for complete enforcement is thus expected to span several years, allowing businesses and stakeholders adequate time to adapt to the new requirements.

As always, we will continue to monitor the developments in this matter and keep you informed of any further updates.