There are numerous cybersecurity regulations and requirements for businesses to worry about but they may not be considering their cybersecurity regulations under privacy statutes. California was at the forefront of privacy regulations with the passage of the California Consumer Privacy Act (CCPA). Lawsuits under the CCPA began almost immediately after it was enacted in 2020.
Mary T. Costigan
Mary T. Costigan is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a core member of the firm’s Privacy, Data and Cybersecurity practice group. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp).
Mary advises regional, national and multinational clients across various industries on data privacy and cybersecurity laws and best practices including employee monitoring, internet privacy, biometric data collection, artificial intelligence, the California Consumer Privacy Act (CCPA), HIPAA, and the EU General Data Protection Regulation.
Mary has extensive experience helping clients respond to cybersecurity incidents including ransomware attacks.
Cybersecurity Awareness Month Series: Cybersecurity in the Hoosier State
This year, Indiana joined several other states to pass a comprehensive consumer privacy law, that becomes operative on January 1, 2026. Like other consumer privacy laws, Indiana’s law requires businesses to establish reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, which implicates cybersecurity concerns.
Transatlantic Transfers of Personal Data: Transferring a Privacy Shield Certification to the New EU-U.S. Data Privacy Framework
Effective July 10, 2023, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) replaced the invalidated EU-U.S. Privacy Shield framework (“Privacy Shield”). Participating U.S. organizations can now receive personal data transferred from the European Economic Area in compliance with the EU General Data Protection Regulation and without being subject to further conditions.
Similar to the Privacy…
CCPA-Covered Businesses Be On the Look Out for a Letter from the California Attorney General
Though enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA) has been paused for now, the State of California is not resting when it comes to compliance with the CCPA.
On July 14, 2023, California’s Attorney General announced an “investigative sweep” regarding compliance with the CCPA.
Data Protection Update: Q3 Noteworthy Dates
FTC Safeguards Law (and Car Dealerships)
June 9th marked the deadline for financial institutions, including certain non-banking institutions that collect or maintain sensitive customer information (e.g., car dealerships), to implement a comprehensive information security program to comply with the Federal Trade Commission’s updated Safeguards Rule. For additional information, see our post: Reminder: The …
Data Protection Update: Q2 2023
As we round the corner into the second quarter of 2023, the following enforcement dates for new or amended state data protection laws are quickly approaching.
Iowa’s Governor Signs Comprehensive Consumer Privacy Law
On March 28, 2023, Iowa’s Governor signed Iowa’s new statute relating to consumer data protection. Iowa joins California, Colorado, Connecticut, Utah, and Virginia in the ever-growing patchwork of consumer privacy laws across the country.
The new law takes effect on January 1, 2025.
Iowa’s consumer privacy law covers businesses…
Iowa to Be Sixth State to Pass a Consumer Privacy Statute
On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing…
CPPA Starts Rulemaking on Cybersecurity, Risk Assessments, and Automated Decision-making
While the California Privacy Protection Agency (CPPA) only recently approved revised amended regulations pertaining to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), it is already on to its next rulemaking.
On February 10, 2023, the CPPA issued an invitation for preliminary comments on proposed rulemaking pertaining to cybersecurity audits…
California Privacy Protection Agency Passes Revised Regulations
After a significant delay, on February 3, 2023, the California Privacy Protection Agency (CPPA) unanimously approved amended regulations. The new regulations have not yet gone into effect as they must first be approved by the Office of Administrative Law (OAL). The CPPA’s General Counsel advised that there is no guarantee that the regulations would be…