Lex Indicium

  • My Friends Call Me Murphy … You Call Me RoboCall (August 05, 2021)

    Pesky telemarketing calls that plagued consumers in the 1990s were severely reined in through a combination of technology, such as caller ID, and legislation, such as the Telephone Consumer Protection Act of 1991 (“TCPA”). The TCPA regulates unsolicited marketing activities directed at residential telephones, including land lines and mobile phones by voice call or text. Among other things, the TCPA, as amended over the years:

    1. Established the national Do Not Call registry whereby consumers may register their numbers and organizations may be fined for directing unsolicited marketing activities to those registrants’ phones;
    2. Restricts the time periods during which unsolicited marketing calls and texts may be sent;
    3. Prohibits the use of pre-recorded phone contacts, such as robocalls and robotexts; and
    4. Prohibits the use of automated dialing technologies, such as autodialers.

    Importantly, there are several phone and text activities that are exempt from TCPA regulation. Unsolicited marketing contact by phone from charities, political groups, debt collectors, surveys, and companies the recipient has either recently done business with or has given written permission may be exempted from certain TCPA regulations. In addition, if the nature of the unsolicited contact is not to market goods and services to consumers, it would not run …

  • Less Than Two Months Until New Chinese Data Security Law Goes Into Effect (July 22, 2021)

    Earlier this June, China passed the Data Security Law (“DSL”), which will go into effect on September 1, 2021. Unlike many international data security laws, the DSL is not restricted to personal information and instead regulates data broadly to include any record of information in electronic or other forms. However, consistent with many international privacy and data security laws passed post-GDPR, the DSL will have extraterritorial reach.

    Specifically, the DSL applies not only to processing personal data within China but also to any personal data processing activities that occur outside of China that threaten Chinese national security, public interest, or the lawful interests of its citizens or organizations. If this describes something your organization engages in, here are the top operational requirements covered by the DSL:

    1. Establish a data security management system across the organization. This should include providing data security training, implementing appropriate measures to safeguard data, and designating a data security officer if the organization processes important data.
    2. Actively monitor data security risks. When a risk is discovered, such as data security defects or leaks, the organization must take immediate remedial actions. When a data security incident occurs, the organization must immediately take responsive measures, notify users,

  • State of US State Comprehensive Privacy Laws (July 06, 2021)

    Following the lead of California and then Virginia, Colorado recently became the third U.S. state to pass a comprehensive law providing its residents with personal data privacy rights. While there is significant overlap between how each of these state laws defines who it applies to and what consumer rights are granted, there are several key differences, including the scope of consumers’ opt-out rights:

    These states make up a combined 16% of the U.S. population, making it increasingly difficult for even strictly U.S.-focused organizations to fall out of scope of comprehensive data security and privacy laws requiring, for example, the use of data protection assessments.

    The U.S. regulatory landscape continues to evolve on a nearly weekly basis. Indeed, similar comprehensive bills have already been introduced in Massachusetts, New York, and Illinois. As more states pass legislation related to collecting personal information, it remains imperative for businesses to stay updated on how each state regulates this activity.…

  • EU’s New Standard Contractual Clauses Go into Effect This Week (June 16, 2021)

    A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework as an adequate safeguard under the General Data Protection Regulation (GDPR), which had previously been a popular safeguard mechanism to cover the export of personal data from the EU to the U.S. While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.

    SCCs are pre-approved contractual terms between an EU controller or processor and a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions …

  • Supreme Court Ruling Limits CFAA Application for “Insider” Authorization Misuse (June 04, 2021)

    Do the Computer Fraud and Abuse Act (CFAA) and its harsh penalties apply to employees who exceed their authorized access to computer systems for personal reasons? The Supreme Court has now said no.

    The Supreme Court issued a 6-3 decision this week limiting the application of the CFAA against company “insiders” who exceed the scope of their authorization to access company data. The CFAA, generally speaking, provides both civil relief and criminal penalties against individuals who “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Prior to this decision, there was a circuit split where some courts interpreted “unauthorized access” as including access to data that exceeded a limited scope of authorization provided to an individual, and other courts interpreted “unauthorized access” more narrowly to mean that the CFAA only applied to individuals who had no scope of authorized access.

    In Van Buren vs. U.S., police sergeant Nathan Van Buren accessed a law enforcement database through his police-issued laptop to provide license plate information to a third party for non-law enforcement purposes for money. The transaction was part of a …
