Photo of Alysa Z. Hutnik

Alysa Z. Hutnik

Subscribe to Alysa Z. Hutnik's Posts

Email
(202) 342-8603
Bio  LinkedIn

Follow: Read more about Alysa Z. HutnikAlysa's Linkedin Profile

As we’ve all been following in the news, the House reconciliation bill to fund “human infrastructure” is still mired in negotiations, ever on the verge of either passing to monumental fanfare, or cratering in failure. Tucked away on page 671 of the 1684-page bill is a short provision that, despite scant attention, has the potential

In a much-anticipated announcement last week, the FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and proposed a further amendment requiring certain financial institutions to provide the FTC with notice in the event of certain security events.  Although these changes were announced after FTC Commissioner Chopra left the agency to lead the CFPB, he apparently voted prior to leaving to ensure 3/2 approval of the amendments in a Commission that remains divided.

What is GLBA Safeguards?

For nearly 20 years the Safeguards Rule has required financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers’ personal information.  Such programs must be appropriate to each entity’s “size and complexity, the nature and scope of [its] activities, and the sensitive of the customer information at issue.” For a generation, the Rule’s requirements have influenced data security standards in other sectors, emphasizing a flexible, process-based approach.  The amended Rule replaces some of that flexibility with more specificity.
Continue Reading GLBA Safeguards Gets a Makeover: Why it Matters for Businesses with Customer Information

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA).  The relevant changes to the CPRA are summarized below.

  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a

During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed

Last week, we wrote about FTC Chair Khan’s memo describing her plans to transform the FTC’s approach to its work. This week, she followed up with a no-less-ambitious statement laying out her vision for data privacy and security, which she appended to an agency Report to Congress on Privacy and Security (“report”). Together, these documents outline a remarkably far-reaching plan to tackle today’s data privacy and security challenges. As noted in the dissents, however, some of the stated goals may exceed the bounds of the FTC’s current legal authority.

Continue Reading FTC Chair Khan’s Vision for Privacy – and Some Dissents

On September 29, 2021, the Senate Commerce Subcommittee held a hearing titled Protecting Consumer Privacy. The senators addressed the potential $1 billion earmarked to strengthen the FTC’s privacy work, the future of a federal privacy and data protection law, and a myriad of other privacy related topics such as children’s privacy.

Prepared Statements. In

As of September 27, 2021, the European Commission requires controllers and processors to rely on the recently updated Standard Contractual Clauses (SCCs) for any new contracts governing personal data transfers from the EEA. (Existing contracts can continue to use old SCCs until December 27, 2022.)  This post provides an overview of what’s in the new

On September 22, the California Privacy Protection Agency (CPPA) issued an invitation for public comments as part of its first “preliminary” rulemaking activities.  Established by the California Privacy Rights Act (CPRA) ballot initiative last November, the CPPA has the authority to write rules that address some of the most technical and controversial topics addressed in

In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.

First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there

The August issue of Kelley Drye’s TCPA Tracker newsletter is here:

TCPA (Telephone Consumer Protection Act) Tracker Newsletter is a cross-practice effort produced to help you stay current on TCPA (and related) matters, case developments and provide an updated comprehensive summary of TCPA petitions pending before the FCC.

Recent News

FCC Opens Proceeding