Data Retention

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

NIST Not Voluntary in the Volunteer State: Tennessee Privacy Law Requires Comprehensive Written Privacy Program that Conforms to a Voluntary

2023 has swiftly become the year of the U.S. National Cybersecurity Strategy.  On March 2, 2023, the Biden Administration issued its National Cybersecurity Strategy brief, outlining its vision to: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. In furtherance of the goal to defend critical infrastructure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” (the “Report”), on April 13.

Calling the current state of technology “vulnerable by design,” the Report aims to encourage technology manufacturers to integrate security into their products from the ground up, factoring security into product development beginning at the design phase.  In addition to the CISA, several American security agencies (the National Security Agency and Federal Bureau of Investigation) and international cybersecurity agencies (from Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand) collaborated to provide a unified recommended approach to the development of both software and hardware.  Below, we break down what the Report means for the tech sector.

Continue Reading New CISA Guidelines Lay Out Unified International Principles on Security-by-Design and Security-by-Default

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

New York Releases Data Security Guide to Help Businesses Protect Personal Information | Privacy World

Selfie ID Biometric Verification Vendor’s

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Singapore Appointed as Deputy Chair of the Global Cross-Border Privacy Rules Body | Privacy World

Italian OpenAI : May (A)I?

Following in the footsteps of Europe, U.S. states are codifying obligations to maintain personal data inventories and retention schedules, and to limit retention and use to only what is necessary to meet the purposes disclosed at the point and time of collection, for only so long as that limited purpose continues. A recent study by

Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Federal Trade Commission (“FTC”) that has the potential to redefine the legal bounds of the data sharing and data brokering industries.  Privacy World immediately reported on the FTC v. Kochava, Inc. case the day after the FTC filed its motion for

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Privacy World’s Kristin Bryan talks to Bloomberg Law on the Supreme Court’s In re Grand Jury Dismissal | Privacy World

Privacy World has been talking about the importance of data inventories for years. Why? Because it is next to impossible to build a compliant privacy and data security program without first doing a data inventory. A data inventory will serve as a roadmap to help a company meet various privacy and security compliance milestones. Yet, completing a data inventory is one of the hardest and most daunting parts to building a privacy program. At least it was for Katy when she was in-house as a Global Data Protection Officer. The alternative to proactively creating a data inventory is trying to hastily create one during the middle of an incident response or responding to a regulatory demand, which Katy and Shea have seen numerous times helping clients during a crisis. Indeed, building a data inventory during a time of turmoil is the worst time to confirm a company’s data processing practices, and we want to help you avoid this worst-case scenario as you work to build out your 2023 privacy and data security compliance action plan.
Continue Reading Kick Start Your Data Inventory Project in 7-Steps

In a decision on October 27, 2022, the European Court of Justice has clarified the operators’ obligations regarding consent and the right to object in relation to public directories and information services.

Legal Context

The ePrivacy Directive contains several provisions relating to public directories and information services of telecommunications operators.

In particular, EU Member States

Biometric privacy suits brought under the Illinois Biometric Information Privacy Act (“BIPA”) continue to remain one of the hottest areas of class action litigation today, which can be attributed primarily to the fact that high statutory damages awards can be recovered by large classes of employees, consumers, and similar groups of individuals for mere technical violations of the law. To further compliance matters, many BIPA decisions issued to date have skewed heavily in favor of plaintiffs, which has resulted in a significant expansion of potential litigation risk under the statute. 

In Mora v. J&M Plating, Inc., No. 2-21-0692, 2022 IL App (2d) 210692 (Ill. App. Ct. 2d Dist. Nov. 30, 2022), the Illinois Second District Court of Appeals continued the trend of plaintiff-favorable BIPA decisions in 2022, holding that private entities run afoul of BIPA’s Section 15(a) data retention and destruction disclosure requirements where they fail to have in place a BIPA-compliant data retention/destruction disclosure at the time biometric data is initially possessed, and that subsequent disclosures cannot serve retroactively to remedy prior violations of this component of the law. Importantly, Mora underscores the need for companies to ensure they have satisfied all of the applicable requirements of BIPA prior to the time any biometric data is collected or possessed in order to mitigate the sizeable legal risks associated with legal non-compliance.  

Continue Reading Illinois Appellate Court Issues Key, Plaintiff-Favorable Opinion On BIPA Data Retention Disclosure Requirements