On October 7, 2020, The Office of the Comptroller of the Currency (“OCC”) announced that it had assessed a $400 million civil penalty against Citibank, N.A. regarding alleged deficiencies in its enterprise-wide risk management and data governance programs and its internal controls.  In particular, the OCC found violations of 12 CFR Part 30, Appendix D

On June 1, 2020, California Attorney General Xavier Becerra submitted a finalized package of CCPA regulations to the California Office of Administrative Law (OAL).   The package included not only the final text of the regulations, but also the final statement of reasons for amendments to the previous drafts. There have been multiple rounds of drafts

On May 4, the Californians for Consumer Privacy (led by Alistair McTaggart, the real estate investor and activist behind the original ballot initiative that led to the CCPA), announced in a letter that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot.  This version of

On March 18, 2020, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) announced steps to ensure that operators of the bulk electric system can focus resources on safety and reliability during the COVID-19 emergency.  FERC and NERC are advising all registered entities that they will consider the impact of

On December 6, 2019, the FTC issued an opinion finding that Cambridge Analytica, they had engaged in deceptive practices to collect personal information from several users of Facebook for purposes of voter profiling and targeting.  In addition, the Commission found that Cambridge Analytica had engaged in deceptive practices regarding its participation in the EU-US Privacy

Yesterday (November 26, 2019), a comprehensive federal privacy bill was introduced that would grant individuals broad rights with respect to their data, impose new obligations on data processors, and expand the Federal Trade Commission’s enforcement authority with respect to privacy, as well as allowing for state attorney general enforcement and individual rights of action. The

Today, the FTC announced that Equifax, Inc. will pay at least $575 million (and potentially up to $700 million) as part of a proposed global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. Their complaint alleges that Equifax failed to take reasonable steps to

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de L’Informatique et de Libertés (“CNIL”) announced a sanction of 50 million euros against Google.  On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of

On Wednesday, March 28, 2018, the Alabama Data Breach Notification Act of 2018 (SB318) was signed into law by the Governor, making Alabama round out the roster of 50 states with data breach notification laws.  (South Dakota’s data breach notification was signed by its governor on March 21, 2018, making it the 49