California’s Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give consumers substantial rights regarding the disclosure and use of their personal information collected by businesses subject to the law. Significantly, CCPA/CPRA define the term “consumer” to mean any California resident. This broad definition extends not only a business’s individual customers, but also its employees, job-applicants and even its business-to-business (B2B) contacts. We have previously discussed the compliance requirements of these data privacy laws on organizations doing business in California, and the moratoriums for B2B and employee/applicant data that that the Legislature had put in place exempting covered businesses from complying with certain requirements of the laws.[1] Unless extended by the Legislature (which appears unlikely) or preempted by federal privacy legislation (which appears even more unlikely), the moratoriums will sunset on January 1, 2023. Accordingly, covered businesses should begin  preparing now to meet their upcoming expanded statutory obligations to protect consumers data privacy.

Continue Reading No More Exceptions: What to Do When the California Privacy Exemptions for Employee, Applicant and B2B Data Expire on January 1, 2023

As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.

As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.

Continue Reading A Recently-Released “Discussion Draft” of the “American Data Privacy and Protection Act” Provides Insight into Recent Bipartisan Efforts to Pass Nationwide Privacy Law

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

Continue Reading President Biden Signs into Law the Cyber Incident and Reporting Act, Mandating Reporting of Cyber Incidents and Ransomware Payments

Next month, New Jersey private employers will need to start informing drivers before using GPS tracking devices in the vehicles they operate. A new state law that becomes effective April 18, 2022, requires employers to provide written notice to employees before using “electronic or mechanical devices” that are “designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person, or device.” The notification requirement applies to both employer-owned or -leased and personal vehicles.

Continue Reading Considering Tracking Employees in Vehicles? New Jersey Now Requires Employers to Provide Notice

As featured in #WorkforceWednesday:  This week, we look at H.R. 4445, new federal legislation that addresses mandatory arbitration of sexual assault and harassment claims.

Continue Reading Video: New Law on Arbitration of Sexual Harassment Claims, Cyber War Ramps Up, Salaried Nonexempt Status – Employment Law This Week

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

Continue Reading CISA Encourages “Shields Up” to Protect Operations and Workers as Cyber War Ramps Up

As featured in #WorkforceWednesday:  This week, we focus on new developments increasing whistleblower protections across the country and prohibiting mandatory arbitration of sexual assault and harassment claims.

Continue Reading Video: Whistleblower Regulations Increasing, #MeToo Bill Passes, Cyberfraud Risk Mitigation – Employment Law This Week

The  New York State Acting Commissioner of Health has extended the designation of COVID-19 as a highly contagious communicable disease that presents a serious risk of harm to public health under the NY HERO Act until February 15, 2022. Accordingly, the airborne infectious disease exposure prevention plans required under Section 1 of the Act must be kept in place through that date, at which point the Commissioner will review whether the designation should be continued.

Continue Reading Keep Your Safety Plans in Place: New York HERO Act COVID-19 Designation Extended Until February 15, 2022

NYC employers will soon be required to include a minimum and maximum salary on all job postings for positions performed within the City. As we previously reported, the City Council passed Int. 1208-B (Law) on December 15, 2021, and due to new NYC mayor Eric Adam’s inaction within the 30-day veto period, it became a law as of January 15, 2022. Beginning May 15, 2022, the Law requires employers with four or more employees to include a “good faith” minimum and maximum salary range on for all advertised NYC job, promotion and transfer opportunities. Additionally, the Law makes the failure to include salary range an unlawful discriminatory practice under the City’s Human Rights Law.

Continue Reading NYC Job Postings Must Include Salary Ranges Effective May 15, 2022

Recent data thefts and systems intrusions, particularly with respect to ransomware, have assured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date with respect to legislative, regulatory and litigation developments and recommended best practices and procedures.

As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest up during the holidays.

Continue Reading Best Practices to Protect Against Increased Cyber Threats During the Holiday Season