Robinson Cole LLP
High Contrast Mode

Benjamin Jensen has extensive experience handling complex commercial litigation matters and regulatory proceedings. 

Commercial Litigation

Ben represents business clients in complex litigation matters nationwide. His experience includes patent infringement litigation in the Eastern District of Texas and the Southern District of New York. He has also managed major litigations in federal courts involving contract disputes under the Uniform Commercial Code, theft of trade secrets, trademark infringement, software license disputes and copyright infringement. In addition to intellectual property litigation, he has handled other specialized subject matter including defense of class actions, complex construction litigation, commercial lease disputes, foreclosure proceedings and probate litigation. His litigation experience includes jury and bench trials in state and federal courts.

Regulatory Proceedings + Administrative Litigation

Ben regularly represents clients in Connecticut regulatory proceedings and related administrative appeals, with a principal focus on representing health care entities in proceedings before the Office of Health Strategy and Departments of Public Health and Social Services, including Medicaid audits. 

Data Privacy + Cybersecurity

As a member of the Data Privacy + Cybersecurity team, Ben represents clients in litigation matters arising from data breaches and in cases involving cyber fraud. He assists clients in developing policies and procedures to comply with international data privacy and security laws and regulations, with a particular focus on the European General Data Protection Regulation (GDPR). He counsels clients on compliance programs relating to data privacy and security and negotiates third-party contracts concerning data privacy and cross-border data transfer issues. In 2022, he achieved the Certified Information Privacy Professional / Europe (CIPP/E) certification from the International Association of Privacy Professionals.

In addition to his legal practice, Ben is actively involved in the local business and philanthropic communities. He currently serves on the Board of Directors of the Connecticut Entrepreneurs Forum and is the Co-Chair of the Steering Committee for Connecticut Children’s Connection, an initiative of the Connecticut Children’s Medical Center dedicated to funding medical research projects.

  • University of Connecticut School of Law (Juris Doctor)
  • Indiana University (Bachelors)
    • B.A.

  • State of Connecticut
  • U.S. District Court, District of Connecticut

Presented with the 2024 U.S.A. Deal of the Year award, in the small markets category, as part of the Global M&A Network's 15th Annual Americas and Global Markets M&A Atlas Awards in recognition of the acquisition of Medacist Solutions Group by Bluesight, the Medication Intelligence™ Company.

Selected to the Connecticut Super Lawyers list from 2013 to 2022

Selected as a Rising Star to the Connecticut Super Lawyers list from 2010 to 2012

Named a Connecticut Law Tribune 2019 "New Leader in the Law"

Hartford Business Journal, 2019 "Forty Under 40" Honoree

American School for the Deaf
Former Board of Directors

Connecticut Bar Association

Hartford County Bar Association

Hartford Young Professionals and Entrepreneurs
Chairman (2008 - 2009)

Connecticut Bar Foundation James W. Cooper Fellow

Connecticut Entrepreneurs Forum
Board of Directors

Connecticut Children’s Connection 
Co-Chair of Steering Committee Member

Experience


Construction Defect Case

Represented general contractor in five-week jury trial in construction defect case, obtaining favorable verdict for client.

International Pharmacy Retailer Medicaid Audits

Represented major international pharmacy retailer in connection with multiple Medicaid audits. Obtained only successful administrative appeal brought in Superior Court challenging the Department of Social Service’s administration of its sampling and extrapolation methodologies for determining overpayments.

Read More

Claims Brought By Landlord For Breach of Lease

Successfully defended business owner in claims brought by commercial landlord for breach of lease. Following bench trial, the court ruled in client’s favor on defense of constructive eviction and awarded damages on counterclaim against landlord.

Read More


Publications


August 22, 2023

Conn. Ruling Highlights Keys To Certificate-Of-Need Appeals

Law360 Expert Analysis

Referencing a July 25, 2023 opinion issued by the Connecticut Supreme Court in High Watch Recovery Center Inc. v. Department of Public Health, the “Expert Analysis” article emphasizes the importance of “[u]nderstanding the distinction between mandatory and discretionary public hearings…for parties to CON proceedings to avoid foreclosing potential appellate rights.” The authors indicate that the ruling is “significant in that it rejects a rigid application of the statutes governing CON procedures and instead focuses on the substance of the public hearing at issue in assessing whether a matter qualifies as a contested case.” Conor, Ben and Michael provide background on the case, examine the decision and offer some key takeaways. View the article.

Health Law Diagnosis teaser
August 3, 2023

Health Law Diagnosis

Legal Update: Section 1782: Discovery in Support of a Foreign Proceeding teaser
May 18, 2022

Legal Update: Section 1782: Discovery in Support of a Foreign Proceeding

August 22, 2023

Conn. Ruling Highlights Keys To Certificate-Of-Need Appeals

Law360 Expert Analysis

Referencing a July 25, 2023 opinion issued by the Connecticut Supreme Court in High Watch Recovery Center Inc. v. Department of Public Health, the “Expert Analysis” article emphasizes the importance of “[u]nderstanding the distinction between mandatory and discretionary public hearings…for parties to CON proceedings to avoid foreclosing potential appellate rights.” The authors indicate that the ruling is “significant in that it rejects a rigid application of the statutes governing CON procedures and instead focuses on the substance of the public hearing at issue in assessing whether a matter qualifies as a contested case.” Conor, Ben and Michael provide background on the case, examine the decision and offer some key takeaways. View the article.

Health Law Diagnosis teaser
August 3, 2023

Health Law Diagnosis

Legal Update: Section 1782: Discovery in Support of a Foreign Proceeding teaser
May 18, 2022

Legal Update: Section 1782: Discovery in Support of a Foreign Proceeding

Intellectual Property + Technology Group Out + About teaser
February 23, 2022

Intellectual Property + Technology Group Out + About

Legal Update: FTC’s New Prior Approval Policy Affects Merging Parties and Buyers of Divested Assets teaser
December 2, 2021

Legal Update: FTC’s New Prior Approval Policy Affects Merging Parties and Buyers of Divested Assets

IP + T: Intelligence teaser
Q1 2021

IP + T: Intelligence

IP+T Group: Out + About teaser
December 2020

IP+T Group: Out + About

Data Privacy + Cybersecurity Insider teaser
August 8, 2019

Data Privacy + Cybersecurity Insider

July 30, 2019

Designing Around a Patent as an Alternative to a License

IPWatchdog.com

The piece offers insight into re-designing a product or service as an approach to avoiding patent infringement, which is “encouraged under the law as being beneficial to further innovation.” View the article.



Intellectual Property + Technology Group Out + About teaser
February 23, 2022

Intellectual Property + Technology Group Out + About

Legal Update: FTC’s New Prior Approval Policy Affects Merging Parties and Buyers of Divested Assets teaser
December 2, 2021

Legal Update: FTC’s New Prior Approval Policy Affects Merging Parties and Buyers of Divested Assets

IP + T: Intelligence teaser
Q1 2021

IP + T: Intelligence

IP+T Group: Out + About teaser
December 2020

IP+T Group: Out + About

Data Privacy + Cybersecurity Insider teaser
August 8, 2019

Data Privacy + Cybersecurity Insider

July 30, 2019

Designing Around a Patent as an Alternative to a License

IPWatchdog.com

The piece offers insight into re-designing a product or service as an approach to avoiding patent infringement, which is “encouraged under the law as being beneficial to further innovation.” View the article.


News


February 28, 2024

Robinson+Cole Deal Team Recognized During Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards

A Robinson+Cole deal team was recognized for their work on the acquisition of Medacist Solutions Group by Bluesight, the Medication Intelligence™ Company as part of Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards hosted in New York City on January 30, 2024. The annual awards honor the best value-creating deals, outstanding firms, and legendary leaders-dealmakers from the North and Latin America corporate, investor and transactional communities. Robinson+Cole won U.S.A. Deal of the Year in the small markets category. In conjunction with the event, Business Transactions Group lawyer Taylor Shea was recognized during the 6th Annual Americas Rising Star Dealmaker Awards ceremony. Robinson+Cole served as legal counsel to Medacist, a pioneer in drug diversion monitoring, in its acquisition by Thoma Bravo, a leading software investment firm in a strategic growth investment in Bluesight, the Medication Intelligence™ Company, which closed July 17, 2023. The complex deal was led by Transactional Health Law Group co-chair Les Levinson and Business Transactions Group partner Adam Anderson, supported by a cross-disciplinary team of R+C lawyers, including Jackie Scheib, Michael Kearney, Virginia McGarrity, Natale DiNatale, Ben Jensen, Chris Homsy, Jon Cabot, and Nicole Diodati. Read more in the press release. Taylor’s America’s Rising Dealmaker Award is a distinction that singularly recognizes brilliant and exceptional young dealmakers from the North and South American private equity, growth investing, lending, M&A and restructuring transactional communities for their achievements, dedication, and talents for closing value creating transactions.

Global M&A Network
Robinson+Cole Deal Team Recognized During Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards teaser
August 24, 2023

Conor Duffy, Ben Jensen and Michael Lisitano Co-Author Law360 Article on Certificate-of-Need Appeals

Law360
July 18, 2023

Robinson+Cole Represents Medacist in its Acquisition by Thoma Bravo

February 28, 2024

Robinson+Cole Deal Team Recognized During Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards

A Robinson+Cole deal team was recognized for their work on the acquisition of Medacist Solutions Group by Bluesight, the Medication Intelligence™ Company as part of Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards hosted in New York City on January 30, 2024. The annual awards honor the best value-creating deals, outstanding firms, and legendary leaders-dealmakers from the North and Latin America corporate, investor and transactional communities. Robinson+Cole won U.S.A. Deal of the Year in the small markets category. In conjunction with the event, Business Transactions Group lawyer Taylor Shea was recognized during the 6th Annual Americas Rising Star Dealmaker Awards ceremony. Robinson+Cole served as legal counsel to Medacist, a pioneer in drug diversion monitoring, in its acquisition by Thoma Bravo, a leading software investment firm in a strategic growth investment in Bluesight, the Medication Intelligence™ Company, which closed July 17, 2023. The complex deal was led by Transactional Health Law Group co-chair Les Levinson and Business Transactions Group partner Adam Anderson, supported by a cross-disciplinary team of R+C lawyers, including Jackie Scheib, Michael Kearney, Virginia McGarrity, Natale DiNatale, Ben Jensen, Chris Homsy, Jon Cabot, and Nicole Diodati. Read more in the press release. Taylor’s America’s Rising Dealmaker Award is a distinction that singularly recognizes brilliant and exceptional young dealmakers from the North and South American private equity, growth investing, lending, M&A and restructuring transactional communities for their achievements, dedication, and talents for closing value creating transactions.

Global M&A Network
Robinson+Cole Deal Team Recognized During Global M&A Network's 2024 15th Annual Americas and Global Markets M&A Atlas Awards teaser
August 24, 2023

Conor Duffy, Ben Jensen and Michael Lisitano Co-Author Law360 Article on Certificate-of-Need Appeals

Law360
July 18, 2023

Robinson+Cole Represents Medacist in its Acquisition by Thoma Bravo

December 21, 2022

Data Privacy + Cybersecurity Team Named “Go-To Thought Leader” by National Law Review

National Law Review
October 11, 2022

Robinson+Cole Lawyers Recognized in 2022 Super Lawyers®

October 12, 2021

Robinson+Cole Lawyers Recognized by Super Lawyers®

October 14, 2020

Robinson+Cole Lawyers Recognized by Super Lawyers®

Super Lawyers
October 17, 2019

Robinson+Cole Lawyers Recognized by Super Lawyers®

October 9, 2019

Robinson+Cole Lawyer Named to Hartford Business Journal’s 2019 “40 Under Forty” Class


December 21, 2022

Data Privacy + Cybersecurity Team Named “Go-To Thought Leader” by National Law Review

National Law Review
October 11, 2022

Robinson+Cole Lawyers Recognized in 2022 Super Lawyers®

October 12, 2021

Robinson+Cole Lawyers Recognized by Super Lawyers®

October 14, 2020

Robinson+Cole Lawyers Recognized by Super Lawyers®

Super Lawyers
October 17, 2019

Robinson+Cole Lawyers Recognized by Super Lawyers®

October 9, 2019

Robinson+Cole Lawyer Named to Hartford Business Journal’s 2019 “40 Under Forty” Class


Events


Past

Evolving Data Privacy Laws

Feb 6 2020
CLE Event
Past

Privacy, Cybersecurity, and the Health Care Industry: Threats, Risks and Mitigation

Mar 22 2019
2019 Health Law Symposium presented by the Massachusetts Bar Association
Past

Evolving Data Privacy Laws

Feb 6 2020
CLE Event
Past

Privacy, Cybersecurity, and the Health Care Industry: Threats, Risks and Mitigation

Mar 22 2019
2019 Health Law Symposium presented by the Massachusetts Bar Association
Past

Blockchain: More Than Cryptocurrency

May 15 2018
MIT Enterprise Forum of Connecticut
Past

Blockchain: More Than Cryptocurrency

May 15 2018
MIT Enterprise Forum of Connecticut

Data Privacy + Cybersecurity Insider


Below is an excerpt of Data Privacy + Cybersecurity Insider blog posts authored by Benjamin.

Utah to Test Blockchain Voting Through Mobile Apps

As we head toward 2020, expect significant public debate relating to smartphone applications designed to increase turnout and participation in upcoming elections. The Democratic Party has dipped its toe in the water, announcing in July plans to allow telephone voting in lieu of appearing for neighborhood caucus meetings in the key early primary states of Iowa and Nevada. Given concerns regarding security and reliability of submitting votes over the internet, jurisdictions around the country have begun to test solutions involving blockchain technology to allow absentee voters to submit voting ballots. Following initial pilot programs in Denver and West Virginia, Utah County, Utah will be the next jurisdiction to utilize a blockchain-based mobile in connection with its upcoming municipal primary and general elections. The pilot program, which will utilize the mobile voting application “Voatz”, will allow active duty military, their eligible dependents, and overseas voters to cast absentee ballots. Eligible voters will need to apply for an absentee ballot with the county clerk and then download the mobile application. The ballot itself will be unlocked using the smartphone’s biometric data (i.e., a fingerprint or facial recognition) and then will be distributed into the blockchain framework for tabulation.

Visit Blog

California AG’s Office Begins CCPA Rulemaking Process with Series of Public Forums

On January 8, 2019, the California Department of Justice hosted the first in a series of six public forums on the California Consumer Protection Act (CCPA). The forums offer the public an opportunity for comment in advance of the drafting of regulations by the state Attorney General’s office. These regulations are seen as being particularly significant given the rushed legislative process resulting in a perceived lack of clarity in several key provisions of the CCPA. Based on reports from the initial public forum, while the Department of Justice representatives did not respond to any inquiries or make public comments on the law, they did identify seven areas on which the rulemaking process will focus: Identifying the categories of personal information subject to the CCPA; Defining “unique identifiers” under the CCPA; Exceptions to CCPA where necessary to comply with federal or state law; Submitting and complying with requests by consumers; Uniform opt-out logo or button to promote consumer awareness of rights under CCPA; Notices and information to consumers; and Verifying consumers requests under CCPA. In addition to the topics identified above, public comments during the initial forum also focused on the CCPA’s prohibition on discriminating against consumers that exercise their rights under the law, including whether businesses are permitted to offer ad-free services in exchange for higher charges. Under an amendment to the CCPA passed last year, the law goes into effect on January 1, 2020 and enforcement actions by the Attorney General can commence July 1, 2020 or six months after the final regulations are published, whichever is sooner.

Visit Blog

UK Information Commissioner’s Office Issues Guidance on Use of Encryption and Passwords in Connection with GDPR

The “security principle” under the General Data Protection Regulation (GDPR) requires that organizations process personal data securely by means of “appropriate” technical and organizational measures. This month, the United Kingdom’s Information Commissioner’s Office (ICO) issued new guidance focused on two specific measures the ICO recommends that companies consider in complying with the GDPR security requirements: encryption and passwords. With respect to encryption, the ICO guidance notes that encryption is a tool that is both widely available and that can be deployed at relatively low cost. Further, the ICO notes that in numerous data security breaches, the harm caused could have been reduced or even avoided if encryption had been used. Accordingly, the guidance recommends the use of encryption for storage and transmission of personal data and suggests that the loss or destruction of unencrypted personal data may trigger regulatory action by the ICO. In implementing an encryption policy, the ICO recommends that companies consider four factors: (1) choosing the right encryption algorithm (and regularly assessing whether the encryption method remains appropriate); (2) choosing an encryption key size that is sufficiently large to protect against an attack over the lifetime of the data; (3) choosing encryption software that meets current standards; and (4) keeping the encryption key secure, including having processes in place to generate new keys when necessary. With respect to passwords, the ICO provides guidance on how organizational password policies can adhere to the security principle under GDPR. Among the topics addressed in the ICO guidance are recommendations for the following: How to store passwords? Recommendation: Do not store passwords in plaintext –use a suitable hashing algorithm (or other mechanism). How users should enter passwords? Recommendations: Ensure that login pages are protected with HTTPS or an equivalent level of protection. Make sure password hashing is carried out server-side, not client-side. Do not prevent users from pasting passwords – while often seen as a security measure, preventing pasting of passwords impedes people from using password managers effectively. What requirements should be set for passwords? Recommendations: Set a minimum password length, but not a maximum length. Allow the use of special characters, but do not mandate it. Utilize “password blacklisting” to prevent users from setting a common, weak password. What should be done about password expirations and resets? Recommendations: Do not set password expirations unless absolutely necessary – having passwords that regularly expire encourages the use of a series of weak passwords. Ensure that the password reset process is secure, that passwords are not sent over email, and that there are time limits on password reset credentials. What defenses can be put in place against attacks? Recommendations: Rate limit or “throttle” the number and frequency of incorrect login attempts. Consider use of “CAPTCHAs”, whitelisting IP addresses, and time limits or time delays after failed authentications.

Visit Blog

French Data Protection Authority Issues Guidance on Interaction of Blockchain Technology with GDPR

Last month, the French data protection authority (the CNIL) issued initial guidance addressing issues that applications utilizing blockchain technology should consider in order to comply with the European General Data Protection Regulation (GDPR). As recognized by the CNIL, there are certain natural conflicts between GDPR and blockchain technology. A critical feature of the blockchain is its immutability – the fact that once information is entered into the public ledger regarding a transaction, that information cannot be changed or removed from the ledger. The benefits of providing a transparent and permanent public ledger will have to be reconciled with the data subject rights granted by GDPR, including the right to be forgotten and principles of data minimization. Blockchain applications also raise thorny questions about whether participants in the network are acting as data controllers or processors, subject to the GDPR’s requirements. Additionally, how can a worldwide network of computers involved in data processing activities comply with GDPR requirements related to cross-border data transfers outside of the EU? The CNIL’s guidance begins with a simple premise: “When a blockchain contains personal data, the GDPR is applicable”. While acknowledging that there are various different types of blockchain applications that may present different compliance concerns, the CNIL guidance offers the following analysis and potential solutions to actors wishing to use blockchain to process personal data and still comply with GDPR: Who is a data controller / processor? Generally, participants who have the right to write on the chain and decide whether to send data for validation by miners, are considered as data controllers under GDPR. Miners who are validating transactions submitted by participants are not data controllers under GDPR. Smart contract developers who process personal data on behalf of a participant and miners who validate transactions may both be considered as data processors. CNIL is continuing to explore the issue of whether miners in a public blockchain qualify as data processors. How can actors minimize risks for data subjects? If using a blockchain technology is not necessary for a particular processing activity, the CNIL recommends that alternative solutions that allow for full compliance with GDPR be considered. Use of permissioned blockchains allows for better control over personal data governance and, in particular, transfers of data outside of the EU. While visible public keys are essential to the blockchain’s proper functioning, blockchain applications should implement solutions to ensure that any additional personal data is not stored on the blockchain in cleartext format. How can blockchain applications ensure data subject rights? The CNIL guidance indicates that the rights of data subjects to information and to portability are compatible with blockchain technology. While it is technically impossible to grant requests for erasure of personal data registered on a blockchain, use of cryptological solutions can make such data practically inaccessible and closer to the goal of ensuring the right of erasure.

Visit Blog

New York AG Warns Investors of Risks of Trading on Cryptocurrency Exchanges

As part of its Virtual Markets Integrity Initiative, on September 18, 2018,  the New York Attorney General’s Office issued a report reviewing the platforms of various cryptocurrency exchanges. The initiative arose from the recognition that online virtual currency exchanges perform functions markedly similar to traditional stock exchanges and broker-dealers, but are generally not registered under state or federal securities or commodities laws and often have not implemented standards designed to protect investors. The report details factual findings resulting from responses provided by 9 major trading cryptocurrency platforms in response to questionnaires issued by the Attorney General’s Office. While the report characterizes participation in the fact-finding inquiry as “voluntary”, the four trading platforms that declined to participate (claiming that they did not allow trading from New York) were referred to the New York Department of Financial Services for potential violation of virtual currency regulations. The report is broken down into five sections, addressing the following topics: Location and access policies of each platform Where is the platform headquartered? How do customers sign up for the platform? Does the platform accept fiat currency? What are the fee structures? Trading policies and market fairness What trading rules are in place? What protections are there to ensure fairness for retail investors? Availability of margin trading? Policies on automated or algorithmic trading? Managing conflicts of interest What conflicts may arise between trading platforms, their employees and customers? Security, insurance and protecting customer funds Is independent auditing of holdings performed? Security testing of platforms? Insurance available to safeguard customer funds? Access to customer funds, suspensions and outages Policies regarding customer transactions and withdrawals? Policies for suspending trading activity? Notification to customers of outages and system maintenance? Based on the responses provided by the nine participating platforms, the report details the following key findings: There are significant potential conflicts of interest between various business lines of operational roles of trading platforms In certain situations, platforms serve as: (i) venues of exchange, (ii) in a role traditional to traditional broker-dealers, representing traders and executing trades on their behalf, (iii) as money-transmitters, transferring virtual and fiat currency and converting it from one form to another, (iv) as proprietary traders, buying and selling for their own accounts, (v) as owners of large virtual currency holdings, and (vi) as issuers of virtual currency, with a direct stake in its performance. Additionally, platform employees, who often trade on their own, have access to significant non-public information regarding customer accounts and trades. Platforms have not implemented serious efforts to impede abusive trading activity Platforms lack capabilities to identify and stop suspicious trading patterns Concentration of virtual currency in hands of relatively small number of major traders leaves platforms susceptible to abuse Protections for customer funds are limited or illusory Generally accepted methods for auditing virtual assets do not exist Difficult or impossible to independently audit virtual currency purportedly in their possession Customers are highly exposed in the event of a hack or unauthorized withdrawal No deposit insurance for virtual currency losses Serious questions about scope and sufficiency of commercial insurance that certain platforms purport to carry to cover virtual asset losses The report concludes in recommending that customers considering trading on cryptocurrency trading platforms ask the following questions: What security measures are in place to stop hackers from unlawfully accessing the platform or particular customer accounts? What insurance or other policies are in place to make customers whole in event of a theft of virtual or fiat currency? What guardrails or other policies does the platform maintain to ensure fairness for retail investors in trading against professionals? What controls does the platform maintain to keep unauthorized or abusive traders off the venue? What policies are in place to prevent the company and its employees from exploiting non-public information to benefit themselves at the expense of customers? How does the platform notify customers of a site outage or suspension, the terms under which trading will resume, and how customers can access funds during an outage? What steps does the platform take to promote transparency and to subject its security, its virtual and fiat accounts, and its controls to independent auditing or verification? Is the platform subject to, and registered under, banking regulations or a similar regime – for instance, the New York BitLicense regulations?

Visit Blog

New York Department of Financial Services Cybersecurity Regulation 18-month Compliance Deadline Arrives

On September 4, 2018, the third stage of compliance deadlines under the New York Department of Financial Services’ (DFS) expansive cybersecurity regulation went into effect. This deadline, scheduled for implementation 18 months after the regulation (23 NYCRR 500) initially went into effect in March 2017 triggers Covered Entities’ obligations under the regulation to: Maintain systems that include audit trails that can detect and respond to security incidents; (b) establish procedures (Section 500.06); Include in their cybersecurity program written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house applications and to evaluate the security of externally developed applications (Section 500.08); Establish policies and procedures for the periodic disposal of nonpublic information no longer necessary for business operations or for other legitimate business purposes (Section 500.13); Implement risk-based policies, procedures and controls designed for training and monitoring authorized users of systems (Section 500.14(a)); and Based on the company’s risk assessment, implement controls, including encryption, to protect nonpublic information both in transit over external networks and at rest (Section 500.15). As noted in Section 500.15, the requirement to implement encryption for nonpublic data both in transit and at rest is dependent on the company’s risk assessment. The regulation requires that each Covered Entity develop its cybersecurity program around. To the extent the company determines that encryption is not feasible, the regulation permits Covered Entities to implement alternative controls reviewed and approved by the Company’s Chief Information Security Officer. Under the regulation, Covered Entities are required to certify compliance on an annual basis, with the next scheduled certification deadline set for February 15, 2019. The final deadline under the regulation is scheduled for implementation on March 1, 2019, and will require Covered Entities to implement a Third-Party Service Provider Security Policy as mandated under Section 500.11 of the regulation.

Visit Blog

State and Local Governments Test Blockchain Applications

Proponents of blockchain technology, the distributed ledger system underlying bitcoin and other cryptocurrencies, view the technology’s applications as potentially offering significant efficiencies to the provision of government services. Two pilot projects currently underway are geared toward exploring the technology’s potential in two key areas of services provided by state and local governments: real property recording and voting. On August 28, the Franklin County Auditor’s Office in Ohio tested a blockchain application developed by the Columbus, Ohio-based startup SafeChain. The test involved transfer of 37 properties sold through a forfeiture auction. Potential buyers were required to register through the digital system and the ownership transfer involved adding a barcode to the paper document with the remaining documents accessible on the blockchain. This pilot project follows on the heels of the Ohio Legislature passing a law this summer explicitly recognizing the legitimacy of blockchain transactions. Meanwhile, in West Virginia, the state is extending its trial use of a blockchain-powered mobile voting application developed by the Boston-based startup Voatz. The trial, which is largely limited to military service members serving abroad who are covered by the Uniformed and Overseas Citizens Absentee Voting Act, was originally tested in two West Virginia counties during primary elections and will now be extended through November for the midterm elections. Despite the relatively narrow scope of the trial, the use of mobile applications for voting purposes in the midterm elections has raised significant concerns about the security of the system. As blockchain-based applications continue to develop and mature, the potential benefits to the provision of government services make it likely we will see more frequent public-private collaborations of the sort currently being tested in Ohio and West Virginia.

Visit Blog

Industry Groups Push for Modifications to California Consumer Privacy Act

As previously detailed, the California Consumer Privacy Act of 2018 was hastily passed by the California legislature as a compromise designed to avoid a more far-reaching ballot initiative. Recognizing the need to clarify various drafting errors, the drafters are currently working on Senate Bill 1121, intended to clarify certain provisions of the Act and to make other technical corrections. Advocates for the business community have seized on this opportunity to push for more significant changes to the Act. In a letter to the bill’s sponsor, Senator Bill Dodd, dated August 6, 2018, dozens of business groups from the advertising, technology, retail, health, and banking sectors recommend substantive changes to the Act that go well beyond the “technical” corrections phase contemplated by the Senate Bill 1121. The changes advocated by the industry groups include: (1) delaying implementation of the Act (currently set for January 1, 2020) until 12 months after the Attorney General’s office completes its rulemaking process; (2) narrowing the definition of “personal information” to exclude de-identified and aggregate consumer information and to align with the notion of that is reasonably linkable to a particular person; and (3) clarifying the definition of a “consumer” subject to the Act to exclude employees of a business and those involved in business-to-business transactions. Consumer advocacy groups have pushed back in a response letter dated August 13, arguing that the proposals from the industry groups would fundamentally weaken the protections of the Act. While changes to the Act are inevitable, the most interesting battle will likely occur over the definition of “personal information” and whether the legislature will heed the call from the technology advertising sector to exclude data used for ad targeting, such as cookies, IP addresses and web tracking information.

Visit Blog

States Race to Embrace Blockchain Technology

Add Connecticut, Ohio and Vermont to the list of states passing legislation focused on the potential disruptive impact of blockchain – the technology underlying cryptocurrencies such as Bitcoin. As federal regulators continue to monitor and offer guidance in the cryptocurrency space, with particular focus on Initial Coin Offerings (ICOs), state legislatures around the country are looking to favorably position their respective states to attract businesses developing blockchain-based applications. In Connecticut, the state legislature passed Special Act 18-8, which was signed by the governor on June 6, 2018, and which commissions the formation of a blockchain working group. Under the law, the working group is tasked with developing a “master plan for fostering the expansion of the blockchain industry” in Connecticut and with recommending  “policies and state investments to make Connecticut a leader in blockchain technology.” The working group’s findings and recommendations are scheduled to be submitted by January 1, 2019. In Ohio, the legislature passed Senate Bill 220, which, in part, confirms that transactions recorded by blockchain technology are enforceable. The bill, passed on June 27 and awaiting signature from Governor John Kasich, is similar to bills previously passed in Arizona, Nevada and Vermont and grants legal recognition to blockchain transactions as being explicitly covered by the State’s Uniform Electronic Transactions Act. Meanwhile, Vermont passed additional legislation directed to blockchain business models. Act No. 205 went into effect on July 1, 2018, and includes provisions authorizing the creation of “Blockchain-Based Limited Liability Companies” (BBLLCs), defined in the Act as a business that utilizes blockchain technology for a “material portion of its business activities.” If designated as a BBLLC, the business may use blockchain technology in performing corporate governance functions, including adopting voting procedures using smart contracts carried out on the blockchain. The law also tasks the Vermont State Archives and Records Administration and other public agencies with evaluating blockchain technology as a means for the “systematic and efficient management of public records” and to report on its findings and make legislative recommendations by January 15, 2019.

Visit Blog

California Enacts “GDPR-Esque” Privacy Law

On June 28, 2018, the California State Legislature passed, and Governor Jerry Brown signed, the California Consumer Privacy Act of 2018, bringing to the United States many of the rights and compliance obligations currently being applied by the European Union through its General Data Protection Regulation (GDPR). Effective January 1, 2020, the Act gives California residents broad rights to discover what personal information businesses collect, the purposes for collecting the data, whether the data are disclosed or sold to third parties, and the right to opt out from the sale of their personal information. The passage of the Act was a compromise between the legislature and the proponents of a ballot initiative that was set to be voted upon by California residents during elections this November. Due to the challenges of changing laws passed through California’s direct ballot initiative – which would require a separate ballot initiative – the legislature worked quickly to cobble together the Act in exchange for an agreement by proponents to withdraw the ballot initiative. Given the rushed legislative process and the delayed effective date, it seems likely that more changes to the laws will take place in the next 18 months to clarify the Act’s requirements. The Act applies to companies that do business in California and which meet any of the following three criteria: (1) annual gross revenue in excess of $25 million; (2) annual purchases, receipt or sales of the personal information of 50,000 or more California residents; or (3) companies that derive 50% or more of annual revenue from selling consumers’ personal information. Below is a summary of the key takeaways from the Act, as passed: Broad definition of personal information The Act defines “personal information” extremely broadly to include the following categories of non-public information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household...”: Identifiers, such as name, address, IP address, email, Social Security number, etc.; Characteristics of protected classifications, such as race, religion, sexual orientation, etc.; Commercial information, such as records of purchases, consuming tendencies, etc.; Biometric information; Internet or other electronic network activity, such as browsing or search history, website interaction, etc.; Geolocation data; Professional or employment-related info; and Education data. This definition goes well beyond the definitions of personal information under other privacy laws in the United States. GDPR-esque rights of California residents to their data Business and legal practitioners dealing with the implementation of GDPR over the past months will find familiar several of the rights granted to California residents with respect to their personal information, including: Right to request information from businesses about the personal data collected, including the sources of the information, the purpose for collecting, and whether the data were disclosed or sold to third parties; Right to request that a business delete personal information, including a requirement that this request be passed down to the business’ vendors; Right to data portability, meaning that businesses are obligated to produce data in a portable format that would allow the consumer to transmit information to another entity; and Right to refuse to permit businesses to sell personal data. The consumer’s right to refuse to permit the sale of their personal data presents a significantly more lax approach than under GDPR. Rather than requiring affirmative consent for collecting, processing and storing personal data (i.e., requiring an opt in), the Act gives consumers only the right to opt out of the sale of personal information. This right does not extend to the disclosure (as opposed to sale) of personal information to third parties. Additionally, the Act retreats from the more aggressive provisions in the original ballot initiative by permitting, under certain circumstances, businesses to offer financial incentives to consumers in exchange for permitting the sale of their personal information. Note that for consumers under the age of 16, affirmative consent (opt in) is required for the sale of personal information. Private right of action for data breaches  In addition to enforcement by the California Attorney General’s office, the Act creates a private right of action by California residents in connection with data breaches resulting in the “exfiltration, theft, or disclosure” of non-encrypted or non-redacted personal information and providing for statutory damages of $100 to $750 per incident. Prior to bringing suit, consumers would have to provide the business with 30 days advance written notice and an opportunity to cure. While it seems unlikely that the Act is a finished product, California’s passage of sweeping data privacy legislation is a strong indicator that more stringent data privacy laws at the state (and possibly federal) level are coming to the United States. Whether due to a need to comply with GDPR or in anticipation of new U.S. laws, businesses will need to continue making review of their data privacy practices a priority.

Visit Blog

California Consumer Privacy Act Likely to Appear on Ballot in November

Businesses are understandably focused this week on the looming effective date for the European Union’s General Data Protection Regulation (GDPR). For U.S. businesses, however, a proposed law closer to home would raise similar compliance burdens and create potential litigation risks. This November, voters in California will likely vote on whether to pass a ballot initiative, titled “The Consumer Right to Privacy Act of 2018.” Proponents of the Act, which would broadly expand California residents’ rights to their personal data, announced this month that they submitted 625,000 signatures to the California Secretary of State in support of the measure. Assuming the secretary of state certifies that enough signatures are valid (approximately 366,000 signatures are required to qualify), California voters will be in position to directly pass the Act into law. The California measure would grant consumers three principal rights: (1) the right to ask companies to identify the personal data they collected on the consumer; (2) the right to demand that personal data not be sold or shared for business purposes; and (3) the right to sue companies that violate the law or that experience data breaches. The law would apply to companies that do business in California and which: (1) have $50 million or more in annual gross revenue; (b) sell the personal information of 100,000 or more consumers or devices; or (c) derive 50 percent or more of their annual revenue from selling consumers’ personal information. Among the notable features of the proposed law is its expanded definition of personal information, which includes both traditional identifiers such as name, email, Social Security number, etc., as well as commercial information such as usage data, browsing or search history and purchasing tendencies. Businesses subject to the Act would be required to give consumers the right to opt out of the sale of such personal information and would be barred from discriminating against consumers that opt out. As noted, the Act would create a private right of action both for violations of the Act and in connection with data breaches. Further, the Act provides that a breach of a consumer’s personal data constitutes an injury-in-fact, with statutory damages available in amounts from $1,000 to $3,000 per violation. This would likely prevent class action defendants from seeking dismissal of claims where plaintiffs could not establish actual harm. Should the Act pass in November, the law would go into effect immediately, but would provide a nine-month grace period for compliance.

Visit Blog

Wyoming Enacts Comprehensive Blockchain Legislation

As numerous states propose and enact legislation focused on blockchain technology and cryptocurrencies, in 2018, no state has been more aggressive in this space than Wyoming. In March, the state legislature passed several bills impacting cryptocurrency businesses, each of which is designed to position Wyoming as a blockchain-friendly environment for businesses. B. 0019: This bill removes a significant hurdle by amending the Wyoming Money Transmitter Act to exempt the buying, selling, issuing or taking custody of virtual currency from licensing requirements. “Virtual currency” is defined in the bill as digital representations of value that are used as a medium of exchange, unit of account or store of value, and which is not recognized as legal tender by the United States government. B. 0070: House Bill 0070, known as the “Utility Token Bill,” provides exemptions from state securities and money transmissions laws for developers, sellers and persons who facilitate the exchange of “open blockchain tokens.” To qualify for the exemption, the token cannot be marketed as an investment and must only be exchangeable for goods, services or content. F. 0111: This bill exempts virtual currencies from property taxation. B. 0101: House Bill 0101 amends the Wyoming Business Corporations Act to authorize corporations to use a blockchain or other distributed electronic database to create, record and store corporate records. B. 0126: This bill authorizes the formation of a “series” limited liability company (LLC) in Wyoming. This allows an LLC to create subsidiary entities for asset classes to shield each sub-LLC from the risk of liability from the others. Among the more noteworthy elements of these new laws is House Bill 0070’s exemption from state securities and money transmission laws for utility tokens – referred to in the act as “open blockchain tokens.” Much of the attention at the federal level has focused on regulation of cryptocurrencies and tokens marketed through initial coin offerings (ICOs) by the Securities Exchange Commission (which considers such coins securities) or by the U.S. Commodity Future Trading Commission (which regulates such coins as commodities). The Wyoming act instead focuses on utility tokens that are specifically used as a medium of exchange and not marketed as an investment, treating such tokens as a distinct asset class that is neither a security nor money. While federal regulators will continue to closely monitor developments in the cryptocurrency space, states like Wyoming are seeking to fill the void and position themselves as offering a pro-blockchain regulatory environment to attract businesses and facilitate innovation.

Visit Blog

New York Financial Services Cybersecurity Regulations Deadline Looming This Week

On March 1, 2018, the one year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”)  must have implemented a cybersecurity program ends. By March 1, the Covered Entities must be in compliance with the following requirements: 23 NYCRR 500 §§: 04(b): Chief Information Security Officer (“CISO”) – Each Covered Entity must have designated a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. 05:  Penetration Testing and Vulnerability Assessments – The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s risk assessment. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessment. 09: Risk Assessment – Each Covered Entity shall conduct a periodic risk assessment of the Covered Entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. 12: Multi-Factor Authentication –  Based on its risk assessment, each Covered Entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access. Multi-factor authentication shall be used for any individual accessing the Covered Entity’s internal networks from an external network. 14(b): Training and Mentoring – Each Covered Entity shall provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment. A PDF containing detailed descriptions for each requirement is found here.

Visit Blog

New York’s Landmark Cybersecurity Regulation Compliance Deadlines Looming

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”). The Regulation, which became effective on March 1, 2017, is touted as being the first cybersecurity regulation in the nation, requiring significant operational, technology and reporting changes in order for entities covered by the Regulation (Covered Entities) to comply. Covered Entities are required to electronically file a certification statement through the DFS cybersecurity portal confirming the company’s cybersecurity program met the Regulation’s requirements for the prior calendar year. The deadline is today. Have you filed? For more information on the Regulation and additional upcoming deadlines, click here.

Visit Blog

Nationwide, State Legislators Push Blockchain-friendly Legislation

As previously reported, state legislatures throughout the country continue to propose legislation designed to facilitate the use of blockchain-based technology by businesses within their states. In recent weeks, legislatures in Florida and Nebraska have each proposed laws streamlining the transaction of business electronically and through use of distributed ledgers on blockchain applications. In Arizona, the state senate just passed a bill allowing residents to pay income taxes through a cryptocurrency such as Bitcoin. Given this flurry of legislative activity, one would reasonably assume that widespread implementation of blockchain technology had already occurred. In fact, as recognized by the January 31, 2018 Final Report from the Illinois General Assembly Blockchain and Distributed Ledger Task Force, Bitcoin remains the only successful, scalable implementation of blockchain and distributed ledger technology to date. While recognizing that most blockchain applications remain in early development stages, the Illinois task force report expresses significant optimism for governmental applications of blockchain, concluding that “it is clear that distributed ledgers can begin a transition to a smarter, cheaper and safer way to administer government.” In particular, the task force envisions blockchain as a means for government to transition to being a verifier, rather than a custodian, of residents’ identity information – a shift that would allow for highly-secure methods for interacting with the government, promote the use of paperless records, increase data accuracy, and provide increased cybersecurity protection. The report considers various governmental applications for blockchain technology, including social benefits distribution, public transportation, waste management, and disaster recovery grant distributions. Given the nascent state of the technology, the task force generally steered clear of recommending broad legislative action to regulate blockchain technology. Instead, the final report focuses specifically on overhauling archaic property law standards to clear the way for use of blockchain and other digital applications to modernize the property recording process.

Visit Blog