With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190 into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law.1 The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.
Privacy issues and COVID-19: what do they mean to you and your business? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss talks with Faegre Drinker’s Reed Abrahamson about the pandemic’s impact on privacy and data security. They examine how organizations are working to balance obligations to simultaneously protect data and their employees’ well-being — along with the risks employers should consider when collecting COVID-related employee information.
Disruptionware attacks have become increasingly more common over the last few months. Just last month, I wrote about a dangerous disruptionware attack against a Florida Water Treatment Center that could have been a mass casualty event. For more information on these types of attacks, please refer to our posts on different types of disruptionware attacks and how disruptionware attacks work.
On April 26, 2021, the Second Circuit Court of Appeals decided the case of McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.
Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.
TikTok is facing a potential legal claim in the U.K. brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of millions of children in the U.K. and EEA who have used the social media app. Claimants in the action could be entitled to over $1 billion pounds in damages.
This action follows fines issued by the U.S. Federal Trade Commission in 2019 and the Korea Communications Commission in South Korea in 2020 for mishandling children’s data. TikTok has also previously been investigated by the U.K.’s Information Commissioner’s Office, which ordered TikTok in 2019 to delete data associated with a linked app and set up an age verification system for that function.
On February 4, 2021, the Eleventh Circuit Court of Appeals issued a critical opinion addressing Article III standing in private data breach actions, which has been the subject of a closely watched circuit split.
The case, Tsao v Captiva MVP Restaurant Partners LLC, originated in the District Court for the Middle District of Florida where the plaintiff filed a class action complaint against the restaurant chain PDQ in connection with a May 2017 data breach. Following the breach, PDQ posted a notice to customers regarding the breach, explaining that customers’ names, credit card numbers, card expiration dates and CVVs may have been exposed.