Welcome to the second post in our Spotlight series, where we talk with a leader in a particular field or emerging area of interest to technology and sourcing lawyers and professionals.
Ezra Church is a partner in Morgan Lewis’s litigation practice who counsels and defends companies in privacy and cybersecurity matters. His practice is at the forefront of issues such as biometrics, artificial intelligence, location tracking, ad tech, and blockchain. Ezra is a Certified Information Privacy Professional (CIPP) and co-chair of the firm’s Class Action Working Group, and he recently helped lead our firm’s Practical Advice on Privacy publication series on the
Today is World Data Privacy Day, an international event aimed at raising awareness about data privacy and protection. At Bond, we are celebrating by prompting dialogue about changes in the legal landscape of data privacy, encouraging compliance efforts and promoting best practices for the protection of data. We have been counting down the days to World Data Privacy Day by highlighting relevant data privacy matters around the world, including international data transfer issues, new U.S. state privacy laws like California’s Privacy Rights Act (CPRA) and the potential for U.S. federal data privacy legislation, cybersecurity in light of the SolarWinds breach, and the intersection between HIPAA laws and data privacy in light of the COVID-19 pandemic.
Sarbanes-Oxley Act (Sarbox, SOX)
Purpose: Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. It was enacted after the high-profile Enron and WorldCom financial scandals of the early 2000s. It is administered by the Securities and Exchange Commission, which publishes SOX rules and requirements defining audit requirements and the records businesses should store and for how long.
To whom it applies: US public company boards, management and public accounting firms.
Key points for CISOs: SOX places requirements around maintaining integrity and availability of financial data, and controls for who has access to that data. Specific rules need to be in place for:
The
California Consumer Privacy Act (“CCPA”) to impose enhanced protections. The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information (“businesses”).[1] Those businesses must:
provide reasonable cybersecurity safeguards for all categories of personal information;
conduct annual cybersecurity audits and make regulatory filings of risk assessments with the newly created California Privacy Protection Agency if the processing of personal information presents a significant risk to consumers’ privacy or security; and
Keypoint: The Washington Privacy Act is back.
The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing in the Senate Committee on Environment, Energy & Technology on January 14, 2021, which is chaired by Senator Carlyle.
In the past two years, versions of the WPA passed the Washington Senate without issue. However, in 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill but the two chambers were