Photo of Karla Ballesteros

Karla is an associate in the firm's Privacy + Cyber practice. Her daily work includes counseling insureds on the initial incident response, potential ransom payment, restoration, data mining, and notification segments of the incident response practice. She also leads efforts to identify and remediate shortcomings in the cybersecurity and privacy practices of firm clients.

Editor’s Note: In recent regulatory and enforcement developments, the White House announced a new executive order aimed at strengthening cybersecurity at U.S. ports, and another executive order was issued to protect sensitive personal information. Additionally, the FCC prohibits using AI to clone voices. Data breach litigation continues to surge with one company striking a class action settlement agreement with payments of up to $75,000 per class member. In an interesting twist, the beauty company L’Occitane is suing a law firm seeking declaratory judgment that California’s wiretapping law is unconstitutional. Internationally, the Canadian government investigates a breach of its own agency, and ASEAN and the EU published a joint guide on cross-border contractual clauses.

Editor’s Note: As the summer months come to an end, there has been no shortage of privacy news and updates. Oregon signed both a comprehensive privacy law and a data broker law, and the SEC adopted new rules regarding the disclosure of cybersecurity incidents. Online tracking technologies continue to be a source of both regulatory concern and litigation, with the FTC and HHS jointly sending a letter to hospitals about online tracking and numerous companies grappling with wiretapping claims. Internationally, India finally passed a comprehensive privacy law, and several data protection authorities issued a joint statement on data scraping.

On July 26, the Securities and Exchange Commission (SEC) adopted, by a 3-2 margin, a final rule to require more immediate disclosure of material cybersecurity incidents by public companies. In addition, the final rule requires annual disclosure of material information regarding a public company’s cybersecurity risk management strategy and cybersecurity governance.