On June 30, 2022, the New York Office of the Attorney General announced a $400,000 agreement with Wegmans Food Markets, Inc. in connection with a cloud storage security issue.
Continue Reading Wegmans Agrees to Pay $400,000 Penalty After Cloud Security Lapse
New York
China Issues Draft Provisions on Standard Contract for Cross-Border Transfer of Personal Information
On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.
NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches
On June 24, 2022, the New York State Department of Financial Services announced it had entered into a $5 million settlement with Carnival Corp., the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation in connection with four cybersecurity events between 2019 and 2021, including two ransomware events. …
North Carolina Becomes First State to Prohibit Public Entities from Paying Ransoms
On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack. …
Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices
On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court.
New York Attorney General Announces 1.1 Million Accounts Compromised in Credential Stuffing Attacks
The New York Office of the Attorney General recently announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks,” detailing the attacks and providing tips for businesses to protect themselves.
NYC to Regulate Artificial Intelligence-Based Hiring Tools
On November 10, 2021, the New York City Council passed a bill prohibiting employers and employment agencies from using automated employment decision tools to screen candidates or employees, unless a bias audit has been conducted prior to deploying the tool. The Bill takes effect on January 2, 2023.
New York State Requires Private Employers to Notify Employees of Electronic Monitoring
On November 8, 2021, New York Governor Kathy Hochul signed into law A.430/S.2628, which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer.
Fight Against Robocalls Is Coming for Telemarketing Text Messages
As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to rein in telemarketing text messages. …
New Jersey Acting Attorney General Announces Data Breach Settlement with Fertility Clinic
On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal HIPAA’s Privacy and Security Rules by removing protected health information safeguards.