The Bowery Mission welcomed the JW Michals NYC team to lend a hand prepping and preparing food at their Tribeca campus. This amazing organization has served homeless and hungry New Yorkers since 1879.

Each year, The Bowery Mission provides more than 558,726 warm meals, 140,658 nights of shelter and distributes 100,334 articles of clothing. It was an honor to help. Can’t wait to do it again!

Celebrating another outstanding year, over 30 people earned a spot at the 9th annual JW Michaels & Co Atlantic City Incentive Trip, to enjoy a weekend filled with great times with great people, and tons of sweet A.C. perks. Jason Wachtel, Managing Partner of JW Michaels & Co. kicked off the casino fun with a heartfelt congratulations to the team and a toast to continued success in 2020.

In a recent press release Global law firm Hogan Lovells LLP announced that Suzanne Filippi has joined the firm’s Boston office as a corporate partner in the Life Sciences and Health Care Industry Group.

Filippi’s arrival continues the firm’s aggressive expansion in Boston following the additions of partners Kristin Connarn, and Bob Underwood, and senior counsel David Walsh earlier this year. The firm recently moved its Boston office to 125 High Street to support its expanded headcount and future growth.

“I’ve worked closely with Hogan Lovells lawyers for years and am excited to have the opportunity to play a key role in expanding the firm’s preeminent life sciences practice in Boston,” said Filippi. “The firm’s global presence and deep industry experience offers me the ideal platform to make an impact—helping life sciences companies deliver innovative medical solutions to the patients whose lives depend on them.”

Prior to joining Hogan Lovells, Filippi served as VP, Corporate Counsel Consultant at both Sage Therapeutics and Aegerion Pharmaceuticals, and as Senior Securities and M&A Counsel at TripAdvisor. At TripAdvisor, Filippi spearheaded the company’s US$9 billion spinoff from Expedia and its subsequent IPO.

“We are thrilled to welcome Suzanne. Her experience with complex corporate and M&A transactions, business acumen, and insight into the strategic objectives of companies in the life sciences industry offers uncommon advantages to our clients,” said David Gibbons, Global Head of the Corporate Practice at Hogan Lovells.

Filippi brings to Hogan Lovells deep experience handling general corporate matters and a business-minded approach to clients doing business in a range of industries and at all stages of development. In her life sciences practice, she has advised on global clinical trials, in-licensing/out-licensing and collaboration, R&D, asset portfolio strategy, pharma-covigilance, and general data protection regulation (GDPR) and privacy issues.

Click here to read the full press release

Richard Zakin, Gary Weiss and everyone at JW Michaels, congratulate Hogan Lovells and Suzanne Filippi on this exciting new chapter.

About Richard Zakin

Richard Zakin leads the partner placement group at JWM, having more than 10 years of experience in the industry placing partners and groups of partners (and even playing the lead role in potential and completed law firm mergers). Before joining the search industry, he practiced as a real estate attorney at Skadden and Morrison & Foerster and as a real estate partner with Bryan Cave and Dorsey. He is a graduate of Dartmouth College and Columbia Law School (where he also received a Masters in Journalism degree.).
Click here to connect with Richard on LinkedIn.

About Gary Weiss

Gary Weiss is a Director in the Legal Group of JWM and has been in the legal search business for 14 years. Gary focuses on in house placements with a wide variety of asset managers, including private equity finds and hedge funds in addition to placing partners and associates with AmLaw 100 and boutique law firms. He also works with and has placed attorneys with a wide variety of Fortune 500 companies. Gary is a graduate of Rutgers University.
Click here to connect with Gary on LinkedIn.

There’s a new and growing region in the tech sector poised to spawn a second California-based legal services ecosystem. For those firms with a national reach that may have missed the boat on courting clients during the first tech boom in Silicon Valley, including the more traditional “Wall Street” players, the opportunity to get in on the action might be difficult to resist.

Over the past seven years, Silicon Beach – the region generally known to comprise the coastal strip that spans the north-south distance between LAX and the Santa Monica Mountains – has become home to a slew of innovative companies. A range of factors appear to be spurring this Silicon Valley defection: its capping construction on new office space; talent burnout and competition; tax and reduced rent incentives being offered by the city of Los Angeles (and its environs); and a lower cost of living. The region is now considered the 3rd biggest tech hub in the country (behind only Silicon Valley and New York City, and ahead of Austin and the Route 128 corridor), boasting more than 500 companies, including Snap, Inc, Hulu, The Honest Company, Whisper, Nasty Gal and Buzzfeed. According to a recent study by marketing agency Mediakix, which analyzed 177 companies headquartered in Los Angeles County, the area’s tech industry has an aggregate estimated value in excess of more than $155B.

Since 2012, Cooley, Orrick, Fenwick, and, just last month, Goodwin, have all planted their flags there. This would appear to give these Silicon Beach pioneers a clear advantage, at least an initial one, as, unlike Silicon Valley, where established tech-focused law firms have long been cultivating lawyers in the emerging companies’ space, the major indigenous law firms in Los Angeles aren’t known for practices tailored to that client base. With tech startups in immediate need of specialized legal talent to handle the myriad rules and regulations associated with technology today, populating a name-brand satellite office in that region with well-seasoned transactional attorneys seems to offer the promise of cultivating a thriving tech practice that can grow with the region just as those practices did in Silicon Valley when it was still a mid-stage market a decade ago.

We have several more predictions that arise from the growth of tech-oriented legal needs in Silicon Beach:

• The Los Angeles market is ripe for the kind of entertainment lawyer that can meet more holistic needs, including privacy and data security, IT issues and consumer regulations. With the increasing blur of the line between technology company and content company, there appears to be a market for the growth of a “hybrid” practice that integrates an expertise in tech with an expertise in entertainment and media, already native to the Los Angeles market.
• As more AmLaw100 firms pack LA offices with tech transactions and deal lawyers, talent rivalries will heat up and lawyers in traditional power centers like New York, Silicon Valley and Boston – all well-staffed with EC/VC specialists – will be lured to new places.
• The shifts in California may presage the emergence of more robust legal markets in several other “hip,” lower-cost cities similarly poised to spawn a market of emerging companies that seek to solidify a relationship with local counsel.
• From “Silicon Slopes” (Utah’s Salt Lake City, Provo and Odgen), which has given rise to at least five companies valued at more than $1 billion and is only a 2 hour flight from the eponymous Californian valley, to Silicon Desert (Phoenix, Arizona), which offers the combination of low living costs and high numbers of students, colleges and universities, and is currently home to 41 of Inc.’s 5000 companies (including Tuft & Needle, Carvana and GoDaddy), and to Silicon Hills (Austin, Texas), where a growing number of startups and tech companies are popping up in the rolling hills of Austin’s west side, there’s an opening for the elite firms without existing ties to Silicon Valley to make a mark by opening outposts where a practice can latch-on at an earlier stage of client access.

Times are changing, and when traditional power centers shift, you can be sure that BigLaw will follow.

ABOUT RICHARD ZAKIN

Richard Zakin leads the partner placement group at JWM, having more than 10 years of experience in the industry placing partners and groups of partners (and even playing the lead role in potential and completed law firm mergers). Before joining the search industry, he practiced as a real estate attorney at Skadden and Morrison & Foerster and as a real estate partner with Bryan Cave and Dorsey. He is a graduate of Dartmouth College and Columbia Law School (where he also received a Masters in Journalism degree.)

In one of the largest lateral group departures from Kasowitz Benson Torres, 15 real estate transactional lawyers are leaving the litigation firm to join Vinson & Elkins, a major expansion for the Texas-based firm’s footprint in New York. The announcement, made by Vinson & Elkins on Monday morning, comes just over a week after ALM reported that New York-based partners Wallace Schwartz, Adam Endick and Julia Sanabria were poised to make the move. Their new firm said that they will be joined by nine associates, three counsel and three paralegals.

For Vinson & Elkins, the addition of the Kasowitz group amounts to a significant growth of its New York office, which listed 65 attorneys online as of Monday morning. Cliff Thau, who co-leads V&E’s New York office, said in a statement that he was “committed to strategically expanding here and across the firm.”

“Expanding V&E’s breadth of practice in New York is an important part of our overall growth plan, and we are committed to strategically expanding here and across the firm,” said Cliff Thau, co-head of V&E’s New York office. “The addition of this highly talented real estate team—Wally, Adam, Julia and the excellent team of lawyers joining with them­—is a great example of our focus on growth. We’re thrilled to welcome them to V&E and are confident they will enjoy continued success with us.”

Click here to read the full Vinson & Elkins announcement

The Bowery Mission welcomed the JW Michals NYC team to lend a hand prepping and preparing food at their Tribeca campus. This amazing organization has served homeless and hungry New Yorkers since 1879.

Last year alone, The Bowery Mission provided more than 653,500 warm meals, 167,300 nights of shelter, distributed 46,380 articles of clothing and offered 1,300 onsite medical, dental and optometry exams. It was an honor to help. Can’t wait to do it again!

Celebrating their best year yet, 31 people earned a spot at the 8th annual JW Michaels & Co A.C. Incentive Trip, to enjoy a weekend full of sweet Atlantic City perks. Jason Wachtel, Managing Partner of JW Michaels & Co. kicked off the casino fun with a proud congratulations and a toast to their continued success in 2019.

IAPP New York KnowledgeNet
Date: September 12, 2018
Topic: DPOs Wanted: Making Your Next Move?
Time: 5:30 – 7:30 p.m.

Speakers:
Lawrence Brown, VP, JW Michaels & Co.
H. Leigh Feldman, CIPP/US, CIPM, FIP, Managing Director, Head of U.S. Privacy, Promontory Financial Group, an IBM Company
Jo Ann Lengua Davaris, CIPP/US, CPO, Mercer
Michelle Perez, CIPP/US, CIPM, Head of Privacy, Samsung Electronics of America
Harry Valetk, CIPP/E, CIPP/US, CIPM, Of Counsel, Baker McKenzie

Thank you to our meeting host, Baker & McKenzie, for providing refreshments.
Capacity for this meeting has been reached. If you would like to be added to the waitlist, please email knowledgenet@iapp.org.

About IAPP
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally. To learn more visit: https://iapp.org/

We are honored to welcome Chris Cwalina, Global Co-Head of Cyber Risk and Tristan Coughlin, Associate at Norton Rose Fulbright as guest authors. Chris Cwalina and Tristan Coughlin recently joined the Washington D.C office as part of a rebuild and expansion of the Norton Rose Fulbright’s Global Cyber Risk Group.

A Variety of New Data Breach Laws May Significantly Impact Your Business

Guest post by Chris Cwalina and Tristan Coughlin

While many businesses in the U.S. and around the world have been focused on the EU’s General Data Protection Regulation (“GDPR”),  which came into effect on May 25, 2018, many may have missed the steady trend of U.S. states that have busy amending and enacting more onerous data breach notification and security laws.  While there has not been much activity at the federal level, a number of new state data security and privacy laws have been passed or enacted that will impact businesses (some significantly) doing business in the United States.

California made headlines by recently enacting a sweeping privacy law with GDPR –like privacy controls.  The California Consumer Privacy Act of 2018 ( “CCPA”) gives California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, and a lot can happen between now and then in terms of implementing regulations and State AG Guidance, the law will require U.S. companies to implement substantial compliance regimes and make a number of operational changes (including to disclosures and practices).  The CCPA also provides for a private right of action and statutory damages in the event of a data breach.

On the security front, as of March 2018, every U.S. state, as well as District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers or citizens if their personal information is compromised.  Data breach laws are well understood but new state data breach laws are being drafted to more broadly encompass the information covered and specifically mandate security requirements are met.

Below is an overview of recently enacted or amended U.S. data notification and security laws which further demonstrates U.S. states are taking action to protect consumer information.

Alabama(SB 318)

Alabama passed its first data breach notification law which went into effect on June 1, 2018. The law applies to the unauthorized acquisition of sensitive personally identifying information in electronic form.  The definition of sensitive personally identifying information is expansive and includes health information, as well as username or email address in combination with a password or security question and answer. Other key provisions of the law include a risk of harm provision, and the requirement that covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information from a breach of security.  The law also contains a data disposal requirement, which requires applicable entities and their third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records no longer need to be retained. In addition, the Alabama law imposes civil penalties of up to $500,000 per breach for any entity that knowingly violates or fails to comply with the notification provisions of the law.

Arizona (H.B. 2145)

On April 11, 2018, Arizona’s governor signed H.B. 2154 to amend the Arizona data breach notification law.  The law was effective upon signing and among other things, amends Arizona’s data breach notification law to expand the definition of personal information, refine the time period in which consumers must be notified, and prescribes circumstances when the Attorney General and Consumer Reporting Agencies (CRAs) must be notified.  The key amendment highlights are as follows:

• Definition of Personal information: Arizona’s previous definition of personal information was limited to an individual’s first and last name or first initial and last name and Social Security number, Driver’s License Number or State-Issued ID Number, or financial account number or credit/ debit card number in combination with any required security code, access code or password that would permit access to the individual’s financial account (together and hereinafter the “Core Categories” of personal information). See Rev. Stat. §18-545. The new law broadened the definition of personal information to  include: (1) an individual’s first name or initial and last name in combination with: (a) a private key that is unique to an individual and is used to authenticate or sign an electronic record, (b) an individual’s health insurance identification number, (c) information about an individual’s medical or mental health treatment or diagnosis by a health care professional, (d) an individual’s passport number, (e) an individual’s taxpayer identification number, or (f) unique biometric data used to authenticate an individual when the individual accesses an online account; and (2) an individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.
• Consumer Notification Requirements: Companies and government agencies doing business in Arizona must notify individuals affected by a data breach within 45 days. In addition, the amended law requires the consumer notification to include: (1) the approximate date of the breach; (2) a brief description of the personal information included in the breach; (3) toll-free numbers and addresses for the three largest consumer reporting agencies; and (4) the toll-free number, address and website address for the Federal Trade Commission or any other federal agency that assists consumer with identity theft matters.
• Attorney General (“AG”) and Consumer Reporting Agency (“CRA”)[1] Notification: If more than 1,000 Arizona residents are notified, the AG and CRAs must be notified within 45 days.
• Risk of Harm Analysis: The amended law does not require notification to be made if an independent third-party forensic auditor or a law enforcement agency determines that a security breach has not resulted in or is not reasonably likely to result in a substantial economic loss to affected individuals.
• Potential Penalty: The Attorney General may: (1) impose a civil penalty of up to $500,000 for knowing and willful violations of the law relating to a breach or series of breaches; and (2) recover restitution for affected individuals.

California Consumer Privacy Act of 2018 (A.B. 375)

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. While the law is not set to take effect until January 1, 2020, the law will require companies to implement compliance plans similar to those required under the GDPR.  Specifically, the CCPA requires business to disclose to consumers, among other things, the categories and specific types of personal information collected about the consumer, the sources  from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties to whom the personal information is shared.  In addition, the CCPA provides consumers with various GDPR like rights, including but not limited to: (1) the right to access and data portability; (3) the right to opt-out of data sharing; and (4) the right to be forgotten. The CCPA limits private actions by giving the California Attorney General the right to enforce the law, subject to certain exceptions, however, the CCPA does provide for damages in data breach cases of up to $750 per consumer per incident and in proceedings instituted by the Attorney General.  Entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.

Colorado (H.B. 1128)

Effective September 1, 2018, Colorado’s updated data security and breach notification laws will go into effect.   Among other things, the new law establishes data security and disposal requirements and expands Colorado’s state breach notification law. The key highlights are as follows:

Data Security Requirements

• Definition of Personal Identifying Information: The amended law defines personal identifying information as: (1) a Social Security number (“SSN”); (2) a personal identification number; (3) a password; (4) passcode; (5) official state or government-issued driver’s license or identification card number; (5) government passport number; (6) biometric data; (7) employer, student, or military identification number; or (8) a financial transaction device.
• Covered Entities: The data security requirements apply to any person that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation or occupation.
• Disposal Requirements: The amended law requires covered entities that maintain paper or electronic documents ( together “documents”) during the course of business that contain personal identifying information to develop a written policy for the destruction or proper disposal of such papers and electronic documents. Moreover, when the documents are no longer needed, the covered entity must destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying the personal identifying information in the documents to make the information unreadable or indecipherable.
• Data Security Program: The amended law requires covered entities to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
• Data Security and Third Party Contracts: Unless a covered entity agrees to provide its own security protection or the information it disclosed to a third party, the amended law requires covered entities to require third-party service providers implement and maintain reasonable procedures and practices.

 
Breach Notification Requirements

• Definition of Personal Information: The amended law expands Colorado’s definition of personal information from the Core Categories to include a Colorado resident’s first name or first initial and last name in combination with an individual’s: (1) SSN; (2) student, military, or passport identification number; driver’s license number or identification card number, medical information, health insurance identification number, or biometric data. In addition, the amended definition of personal information also includes a Colorado resident’s: (1) username or email address in combination with a password or security questions and answers, that would permit access to an online account or (2) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
• Notification Time Period: If an investigation determines that the misuse of information about a Colorado resident has occurred, notice must be made not later than 30 days after the date of determination that a security breach occurred.
• Notification Content: The amended law requires the consumer notification letter to include: (1) the estimated date or date range of the security breach; (2) a description of the personal information that was, or reasonably believed to have been acquired; (3) information that the resident can use to contact the covered entity to inquire about the security breach; (4) toll-free numbers addresses, and websites for the consumer reporting agencies; (5) the toll-free number, address, and website for the FTC; and (6) a statement that residents can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. In addition, if the type of personal information disclosed included a resident’s username or email address in combination with a password or security questions and answers, the notice must also advise the consumer to promptly change their password and security question or answer, or to take other steps to protect the online account with the covered entity and all other online accounts for which the individual whose personal information was breached use the same username or email address and password or security question or answer.
• Notification to the Attorney General: Companies must notify the Colorado Attorney General not later than 30 days after the date that a security breach has occurred, if the security breach is reasonably believed to have affected 500 Colorado residents or more.

Iowa (H.F. 2354)

Effective July 1, 2018, Iowa’s new data security law prescribes requirements for the protection of student personal information. The law applies to “operators” of internet sites, online services, online applications, or mobile applications which have actual knowledge that their site, service, or application is used primarily for kindergarten through grade twelve purposes and was designed and marketed for such purposes.  Among other things, the law prohibits the use of students’ information for certain purposes, as well as sets out information security requirements.

• Prohibited Uses of Student Information: Subject to certain exceptions, the law prohibits operators from: (1) engaging in targeted advertising if the information used for targeting is based on information that operator has acquired because of the use of that operator’s applicable site, service, or application; (2) using information gathered by the operator’s internet site, service, or application, to amass a profile of a student; (3) sell or rent a student’s information; and (4) disclosing personally identifiable information about a student.
• Information Security Requirements: Operators are required to implement and maintain security procedures and practices appropriate and consistent with current industry standards and all applicable state and federal laws, rules, and regulations in order to protect student information from unauthorized access, destruction, use, modification or disclosure. In addition, operators are required to delete a student’s information upon request a school or school district.

Louisiana (Act. No. 382)

Effective August 1, 2018, the Louisiana governor enacted amendments to Louisiana’s Database Security Breach Notification Law. The law broadens Louisiana’s data breach notification law and implements new data security requirements. The key highlights are as follows:

• Definition of Personal Information: The Act broadens Louisiana’s definition of personal information from the Core Categories to include a resident of Louisiana’s first name or initial and last name in combination with: state identification card number; passport number; and “biometric data.”
• Notification Time Period: Any entity must notify affected Louisiana residents within 60 days of determining that a security breach occurred.
• Data Security Requirements: Any entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information must implement and maintain reasonable security procedures and practices.
• Data Destruction Requirements: Any entity that conducts business in Louisiana or owns or licenses computerized data that includes personal information must take “all reasonable steps” to destroy or arrange for the destruction of all records with personal information if the records no longer need to be retained. Destruction of records with personal information must occur via shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable.
• Risk of Harm Analysis: If, after a reasonable investigation, the business determines that there is no reasonable likelihood of harm to Louisiana residents, then notification is not required. Such a determination must be documented in writing, with a copy of all supporting documentation, for five years.  This determination must be provided to the Attorney General within 30 days if requested by the Attorney General in writing.

Nebraska (L.B. 757)

Effective July 18, 2018, commercial entities that conduct business in Nebraska and license, own or maintain computerized data that includes personal information of Nebraska residents must implement and maintain reasonable security procedures and practices. In addition, commercial entities must contractually require non-affiliated, third-party service providers to institute and maintain reasonable security procedures and practices.

Oregon (S.B. 1551)

Effective June 2, 2018, Oregon implemented updated data breach notification and information security laws. Among other things, Oregon’s laws were amended to expand the scope of those who must provide notice of a security breach and are subject to the information security laws. The key highlights are as follows:

Data Breach Notification Law

• Definition of Personal Information: Oregon amended the definition of personal information to include a consumer’s first name or initial and last name in combination with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”[2]
• Expanded Scope: The amendment expands the scope of those who must provide notice under the data breach law to include those who “otherwise possess[]” personal information. The law was previously limited to those who own or license personal information.
• Notification Requirements: The law has been revised to require notice to affected Oregon residents within 45 days of determining that a security breach occurred.
• Credit Monitoring Services: The amended law prohibits entities offering free credit monitoring or identity theft prevention services from conditioning such services on the person providing a credit or debit card number or accepting any other services the person offers to provide for a fee.

 
Information Security Law

• Expanded Scope: The law expands the information security law to apply to any entity that “has control over or access to” data that includes a consumer’s personal information. The law was previously limited to entities that “own, maintains or otherwise possess[]” data that includes personal information.
• Security Requirements: The amended law updates various administrative, technical and physical safeguards required to be included in an applicable entity’s information security program.

Vermont (H. 764)

Effective January 1, 2019, a new Vermont law will regulate data brokers. The law defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”  Among other things the law requires data brokers to: (1) register with the Vermont Attorney General and pay a $100 registration fee; (2) make annual disclosure to the Vermont Attorney General concerning data privacy practices and data breaches; and (3) develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.
 

Virginia (B. 183)

Effective July 1, 2018, Virginia’s data breach notification law was amended to require individuals that prepare tax returns on behalf any Virginia individual to notify the Virginia Department of Taxation without unreasonable delay upon the discovery or notification of unauthorized access to an individual’s “return information” if the tax preparer has a reasonable belief that: (1) the information was accessed and acquired by an unauthorized person; and (2) such access or acquisition will cause or has caused, identity theft or other fraud. “Return information” is defined as a “taxpayer’s identity and the nature source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld assessments, or tax payments.”
 

Conclusion

States are actively strengthening their data privacy and security laws and we expect this trend to accelerate. With California’s enactment of the CCPA, we expect more states to follow California’s lead in expanding consumer data privacy rights.  California was the first US state to enact a mandatory breach notification law in 2002 and now all 50 U.S. states have their own breach notification law.  Should history repeat itself, and should the federal government fail to step in and implement comprehensive legislation regarding data breach notification and data security, we anticipate U.S. states will continue to strengthen their data breach notification and security laws in a piecemeal manner -implementing certain requirements that are similar to the CCPA and the GDPR.

Companies should continually reassess the effectiveness of their risk mitigation controls, as well as their written data protection policies and security procedures. In addition, for laws like the CCPA, companies should consider conducting a gap assessment to determine how their existing procedures will need to be revised in order to comply with new state laws.  Because we expect amendments to the CCPA, as well as other enactments of GDPR-like legislation, it is increasingly important to have legal and compliance teams work closely with the business, marketing, and Information Security teams to monitor changes in the regulatory landscape.

[1] The Consumer Reporting Agencies consist of Equifax, Experian and TransUnion.

[2] Oregon previously had a robust definition of personal information which included an individual’s name and:  (1) SSN; (2) driver license number or state identification card; (3) passport number or other identification number issued by the United States; and/ or (4) financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. See Or. Rev. Stat. §646A.602(11)(a).

About the Authors

Chris Cwalina | Global Co-Head of Cyber Risk at Norton Rose Fulbright
Chris Cwalina is the Global Co-Head of the Cyber Risk Group and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations. Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

Tristan Coughlin | Associate at Norton Rose Fulbright
Tristan Coughlin is an associate in the Washington, DC office.Ms. Coughlin focuses her international practice on cybersecurity, data protection, and privacy matters. Ms. Coughlin helps clients navigate the various state, federal and international laws that govern the protection of data, as well as advises clients on data breach preparation and cybersecurity risk management, including but not limited to conducting information security and privacy program assessments and developing and conducting tabletop exercises. Ms. Coughlin also counsels clients in investigating and responding to events compromising information and systems security, working closely with third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She is also well versed in managing any resulting regulatory inquiries that may follow the discovery of a data security incident.

About Norton Rose Fulbright

Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit: http://www.nortonrosefulbright.com/

In a recent press release, Norton Rose Fulbright announced a rebuild of its Global Cyber Risk Group with the addition of three prominent privacy and cybersecurity lawyers: Chris Cwalina in Washington, DC, Jeewon Serrato in San Francisco and Steven Roosa in New York. Cwalina joins as the firm’s Global Co-Head of Cyber Risk and Serrato as its Head of Data Protection, Privacy and Cybersecurity in the United States. Roosa will head up the firm’s data lab, enhancing Norton Rose Fulbright’s Global Risk Advisory offering. Click here to read the full press release.

Daryl Lansdale, Norton Rose Fulbright’s US Managing Partner, said:

“Our expanded Global Cyber Risk Group offers coverage around the world in all areas of information risk, including cybersecurity, privacy, e-discovery and governance. These new additions make us stronger than ever in this arena.”

About Norton Rose Fulbright

Norton Rose Fulbright is a global law firm, providing the world’s pre-eminent corporations and financial institutions with a full business law service. They have more than 4000 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa and the Middle East. For more information visit: http://www.nortonrosefulbright.com/