A MoFo Privacy Minute Series

Preventing, detecting, and responding to credential-stuffing attacks has always been a challenge for my company, and every company, since the credentials are not actually stolen from us. Yet our customers are still harmed if the credentials are used to access their accounts with us. What measures can companies use to address credential-stuffing attacks?

My company has a location in New York City. What are the requirements for employers under New York City’s new law about automated employment decision tools, and what happens if my business fails to meet the requirements?

During our webinars, our attendees ask us great questions. In this final issue of A MoFo Privacy Minute for the year 2021, we chose three of your questions to answer. Stay tuned for more in 2022! Q: Please explain the difference between pseudonymous and de-identified information under the three laws. Can I consolidate the definitions together and apply one protocol for my business? Q: What is the difference in scope between the HIPAA and GLBA exceptions under the CPRA, VCDPA, and CPA? Q: What must contracts with services providers/processors say about audit rights?

My company is a financial institution subject to the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act and we have an information security program that conforms to the Safeguards Rule that has been in effect for almost two decades. What do we need to add to our program to comply with the revised Safeguards Rule, and how much time to do we have to add it?

My company would like to collect COVID-19 vaccination status of its employees and clients. Is this permitted under HIPAA?

Can a company require proof of a COVID-19 vaccination to visit work sites and/or venues in the EU or the UK?

I think of cookie consent requirements as being driven by European law, specifically the EU ePrivacy Directive. But I recently heard that Russia also has a cookie consent requirement. Is this really the case? If so, do the requirements apply to a business that is not a Russian company?

I heard that the Russian data protection authority (Roskomnadzor) has sent out thousands of inquiries to businesses (including businesses outside Russia) asking them to confirm, within 30 days, that they store personal information of Russian citizens in Russia in compliance with Russia’s data localization law. My company received the letter. What do I need to know? My company is registered with the Russian tax authority, but we did not receive such an inquiry. Should I be concerned?

Who is Lina Khan, and what is the likely impact of her appointment as chair of the Federal Trade Commission?

Do breach notification laws require me to notify regulators or individuals when my business inadvertently sends an email to the wrong person that contains a small amount of personal information about another person?

The new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will be operative on January 1, 2023. That seems like a lot of time to prepare, and the CPRA regulations are not out yet. When should I begin, and how can I phase out the work over 2021 and 2022?

We recently notified our lead data protection authority in the EU of a data breach we suffered. Do we need to also notify the UK data protection authority (ICO) or will our lead DPA forward the notification to the ICO as part of an ongoing cooperation?

Our cyber insurance broker is bracing its clients for a tough cyber insurance renewal this year. Is there anything we can do to help make things go more smoothly?