Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to “protect the right of privacy by, among other things, requiring that all parties consent to a recording of their conversation.” Whether intentional or not, from these modest origins CIPA has become a giant—create substantial liability risk for thousands of companies every year.

Continue Reading Mini-Series on CIPA – Part 4: How Big is the Risk?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) penalizes those “who willfully and without the consent of all parties to the communication . . . read, or attempt to read, or to learn the contents or meaning of any message, report, or communication.” Cal. Penal Code § 631 (cleaned up).

This rule seems sensible when applied to someone surreptitiously eavesdropping on a phone conversation. The law was passed in the 1960s to protect phone conversations from wiretaps, and if I am secretly listening in on your phone call, then my conduct may fall under the law.

Continue Reading Mini-Series on CIPA – Part 3: Can I Eavesdrop on My Own Conversation?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

The California Invasion of Privacy Act (CIPA) penalizes unauthorized eavesdropping on communications “carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio. . .” Cal. Penal Code § 632.7(a). Recently, plaintiffs have pressed courts to include internet-enabled communications on smartphones within the auspice of § 632.7(a). But is a smartphone communication over the internet a phone under this section of CIPA?

Continue Reading Mini-Series on CIPA Part 2: What is a ‘Phone’?

Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions.

Companies have websites to reach customers, share products and services, and communicate brands. But websites can also create legal risks. Recently, litigation has surged against website owners for violating the California Invasion of Privacy Act (CIPA). This 1960s phone-wiretapping law is now used against websites that collect and share visitor data with third-party vendors. The legal theory, in part, is that when a user visits a website and their information is processed, the third-party vendor listens in on this communication without notice or consent from the website user.

Continue Reading Mini-Series on CIPA – Part 1: What is a ‘Communication’ Anyway?

Key Takeaways

1. New cybersecurity measures and requirements are introduced by the EU for companies.

2. Contractual provisions with the supply chain may need to be revised.

3. High penalties and liability for management, including personal liability.

Continue Reading The NIS2 Directive is on the Edge of Enforcement: What Now for EU/US Companies?

Text messages and other non-email, electronic communications have become increasingly important in securities fraud matters. These communications are often sent from personal mobile devices and often provide key evidence.  It has become clear that the most interesting, and sometimes most problematic, communications often do not take place via email.

Continue Reading Text Messages Lead to $4.47B Liability in Securities Fraud Case

The U.S. Securities and Exchange Commission (“SEC”) adopted a final rule on July 26, 2023 that requires public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. Since its adoption, public companies have faced practical challenges in determining whether and when a cybersecurity incident warrants disclosure under Item 1.05.

On May 21, 2024, roughly six months after the final rule’s effective date, Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued a statement signaling that public companies should consider disclosing incidents in a different fashion under a Form 8-K.  Specific points of note:

Continue Reading SEC “Encourages” Public Companies to Disclose “Immaterial” Cybersecurity Incidents Under Item 8.01 of Form 8-K

“Browsing and location data are sensitive . . .. Full stop,” says the Federal Trade Commission. As is all granular data that can reveal “insights” that “can be attributed to particular people” through a “re-identification” procedure. This is one basis of complaints the FTC filed against Avast, X-Mode Social, and InMarket. A March 4, 2024 FTC blog post titled FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket describes why these three companies’ collection of consumers’ browsing and location data raised concerns for the agency, and looks at two other data governance practices by those companies that also concerned the agency. All companies operating in the United States that collect and use consumer data should understand the themes emerging from the proposed settlements and orders and heed the admonitions from the agency moving forward.

Continue Reading “Browsing and location data are sensitive . . .. Full stop”

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

Continue Reading DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.

Continue Reading FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures