A MoFo Privacy Minute Series
Client AlertA MoFo Privacy Minute Q&A: What Organizations Can Do to Plan for “Steal Now, Decrypt Later” Attacks
I’ve read about “Steal Now, Decrypt Later” attacks. What should we be doing now to respond when “secure data” is compromised?
Client AlertA MoFo Privacy Minute Q&A: New York’s NYHIPA Faces Veto Calls: What Businesses Should Know as 2026 Approaches
The New York Health Information Privacy Act (NYHIPA) was passed by the New York State Assembly and Senate in January 2025 but appears to have stalled. What is its status? And what should we expect as we move into 2026?
Client AlertA MoFo Privacy Minute Q&A: 2026 Updates to State Consumer Privacy Disclosures
I’m aware that there are new state consumer privacy laws coming into effect on January 1, 2026, along with recently approved CCPA regulations. Do I need to update my business’s privacy policy and other privacy-related disclosures before year end?
A MoFo Privacy Minute: Do You Know What AI Tools Are Installed on Your Company’s Systems? (12 Sep 2025)
The use of AI tools without formal approval from a company (referred to as “Shadow AI”) is increasing. What are the risks and how should companies respond?A MoFo Privacy Minute: Neural Data Added to Montana’s Genetic Information Privacy Act (15 Aug 2025)
How does Montana’s amendment to its Genetic Information Privacy Act (“GIPA”) regulate neurotechnology data, and what obligations might my business face compared to the amendments that were passed in Colorado and California?A MoFo Privacy Minute Q&A: Amendments to Texas’s “Mini-TCPA” (13 Aug 2025)
Amendments to Texas’s “Mini-TCPA” take effect on September 1, 2025. How will these changes impact my business’s telemarketing activities?- A MoFo Privacy Minute: Managing Cybersecurity Concerns When Fine-Tuning LLMs (22 Apr 2025)
Our organization wants to fine-tune a Large Language Model (LLM) for a specific domain or area of interest. Does this create any additional cybersecurity risks and how should we approach risk mitigation?
- A MoFo Privacy Minute Q&A: Addressing the Risks of Unstructured Data (22 May 2025)
What risks should companies consider when storing unstructured data? - A MoFo Privacy Minute Q&A: Upcoming January 2025 US State Consumer Privacy Laws (23 Dec 2024)
There are five new state consumer privacy laws coming into effect in January 2025. We already have a compliance program in place for existing consumer privacy laws in Colorado, Texas, Virginia, Oregon, etc. What more do we need to do?
A MoFo Privacy Minute Q&A: CFPB Issues Guidance for Employers on Surveillance of Workers (22 May 2025)
My company uses an AI tool that scores employees based on numerous data sources. How does the CFPB’s recently issued guidance on employee surveillance affect my business?- A MoFo Privacy Minute: Data Security & Quantum Computing: An Area of Concern? (Oct 30 2024)
What are the current data security risks presented by quantum computing, and what should we bear in mind as this technology continues to evolve? - A MoFo Privacy Minute Q&A: California Revises CCPA to Cover Neural Data (Oct 11 2024)
How does the California amendment relating to “neural data” align with Colorado’s recent amendment to its Privacy Act, and what should my business know? - A MoFo Privacy Minute Q&A: HHS Withdraws Appeal of Federal Court Decision Regarding Online Tracking Guidance (30 Sept 2024)
HHS voluntarily dismissed its appeal in the online tracking technology lawsuit; where does that leave the litigation and what should my business know? - A MoFo Privacy Minute Q&A: New York’s Court Officers Get Privacy Rights Under New Judicial Security Act (06 Aug 2024)
The New York Judicial Security Act just came into effect in July 2024. What are my business’ compliance requirements? A MoFo Privacy Minute Q&A: What to Expect with the FTC’s Amended Health Breach Notification Rule Going into Effect (29 Jul 2024)
I heard that the amendments to the FTC’s Health Breach Notification Rule (HBNR) go into effect on July 29, 2024? Is my company subject to the HBNR?A MoFo Privacy Minute Q&A: Protecting the Mind - Exploring Brain Privacy Law (14 May 2024)
Colorado recently amended its state privacy law to cover biological data and neural data. Both California and Minnesota are considering similar laws. I doubt my company is doing anything with biological data or neural data. What kinds of business activities would these new requirements apply to, and what are the requirements of the new law?A MoFo Privacy Minute Q&A: New NY State Employee Social Media Monitoring Restrictions (25 March 2024)
My company does not ask employees or job applicants for access to their personal social media accounts because of workplace social media privacy laws in various states. Does the new workplace privacy law in New York (Senate Bill S2518A), which took effect on March 12, 2024, add any further requirements that we should know about?- A MoFo Privacy Minute Q&A: The UK’s Deadline to Conclude New Standard Contractual Clauses for Existing Contracts Approaches (06 Mar 2024)
My business still relies on the old EU Standard Contractual Clauses under Directive 95/46/EC (“old EU SCCs”) as a data transfer mechanism when transferring personal data subject to the UK GDPR outside the UK (a “restricted transfer”).
By when does my business need to replace the old EU SCCs? - A MoFo Privacy Minute Q&A: The FTC’s Streamlined Process for Investigations into AI Products and Services (04 Dec 2023)
My company is developing an AI product. What should I know about the FTC’s recently streamlined procedure for AI-related investigations? - A MoFo Privacy Minute Q&A: UK BCRs; Is the ICO Making Good on Its Promise? (17 Aug 2023)
Will the ICO develop a more efficient way to approve these types of UK BCRs? - A MoFo Privacy Minute Q&A: How to Avoid Nasty Surprises When Responding to Access Requests in the UK (15 Aug 2023)
How should organizations best respond to access requests in the UK in order to avoid hitting the headlines? - A MoFo Privacy Minute Q&A: New TCPA Requirements For Informational Robo Calls (2 May 2023)
My company makes informational calls using pre-recorded messages or artificial voices. The federal regulation that regulates these calls under the Telephone Consumer Protection Act (TCPA) has been amended, and the new rules become effective on July 20, 2023. What are the new requirements for these kinds of calls?
- A MoFo Privacy Minute Q&A: How to Defend, Detect, Prevent, and Respond to Credential Stuffing (2 February 2022)
Preventing, detecting, and responding to credential-stuffing attacks has always been a challenge for my company, and every company, since the credentials are not actually stolen from us. Yet our customers are still harmed if the credentials are used to access their accounts with us. What measures can companies use to address credential-stuffing attacks?
- A MoFo Privacy Minute Q&A: New York City Enacts New Law Regulating the Use of Artificial Intelligence Tools in Employment Decisions (5 January 2022)
My company has a location in New York City. What are the requirements for employers under New York City’s new law about automated employment decision tools, and what happens if my business fails to meet the requirements?
- A MoFo Privacy Minute Q&A: 14 December 2021
During our webinars, our attendees ask us great questions. In this final issue of A MoFo Privacy Minute for the year 2021, we chose three of your questions to answer. Stay tuned for more in 2022! Q: Please explain the difference between pseudonymous and de-identified information under the three laws. Can I consolidate the definitions together and apply one protocol for my business? Q: What is the difference in scope between the HIPAA and GLBA exceptions under the CPRA, VCDPA, and CPA? Q: What must contracts with services providers/processors say about audit rights?
- A MoFo Privacy Minute Q&A: 11 November 2021
My company is a financial institution subject to the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act and we have an information security program that conforms to the Safeguards Rule that has been in effect for almost two decades. What do we need to add to our program to comply with the revised Safeguards Rule, and how much time to do we have to add it?
- A MoFo Privacy Minute Q&A: 13 October 2021
My company would like to collect COVID-19 vaccination status of its employees and clients. Is this permitted under HIPAA?
- A MoFo Privacy Minute Q&A: 21 September 2021
Can a company require proof of a COVID-19 vaccination to visit work sites and/or venues in the EU or the UK?
- A MoFo Privacy Minute Q&A: 9 September 2021
I think of cookie consent requirements as being driven by European law, specifically the EU ePrivacy Directive. But I recently heard that Russia also has a cookie consent requirement. Is this really the case? If so, do the requirements apply to a business that is not a Russian company?
- A MoFo Privacy Minute Q&A: How to respond to data protection authority inquiries about compliance with Russian data localization rules? (5 August 2021)
I heard that the Russian data protection authority (Roskomnadzor) has sent out thousands of inquiries to businesses (including businesses outside Russia) asking them to confirm, within 30 days, that they store personal information of Russian citizens in Russia in compliance with Russia’s data localization law. My company received the letter. What do I need to know? My company is registered with the Russian tax authority, but we did not receive such an inquiry. Should I be concerned?
- A MoFo Privacy Minute Q&A: Lina Khan, Policymaker Critical of Big Tech’s Privacy Practices, Appointed as New FTC Chair (24 June 2021)
Who is Lina Khan, and what is the likely impact of her appointment as chair of the Federal Trade Commission?
- A MoFo Privacy Minute Q&A: 1 June 2021
Do breach notification laws require me to notify regulators or individuals when my business inadvertently sends an email to the wrong person that contains a small amount of personal information about another person?
- A MoFo Privacy Minute Q&A: 18 May 2021
The new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will be operative on January 1, 2023. That seems like a lot of time to prepare, and the CPRA regulations are not out yet. When should I begin, and how can I phase out the work over 2021 and 2022?
- A MoFo Privacy Minute Q&A: 4 May 2021
We recently notified our lead data protection authority in the EU of a data breach we suffered. Do we need to also notify the UK data protection authority (ICO) or will our lead DPA forward the notification to the ICO as part of an ongoing cooperation?
- A MoFo Privacy Minute Q&A: 14 April 2021
Our cyber insurance broker is bracing its clients for a tough cyber insurance renewal this year. Is there anything we can do to help make things go more smoothly?
Data, Cyber + Privacy Practice
Data, Cyber + Privacy Practice
Morrison Foerster's highly respected global data, cyber, and privacy practice group is comprised of more than 60 lawyers in offices in the United States, Europe and Asia.
Resource Centers
U.S. State Privacy Laws Resource Center
U.S. State Privacy Laws Resource Center
Your Resources for the CCPA, CPRA, VCDPA, CPA, CTDPA, and UCPA.
Cybersecurity Resource Center
Cybersecurity Resource Center
We work with clients to help them be aware of critical cyber risks and prepare for incidents.
GDPR + European Privacy Resource Center
GDPR + European Privacy Resource Center
Privacy and data protection compliance in Europe is a C-suite level priority for all organizations.
Whistleblowing Resource Center
Whistleblowing Resource Center
Your Resources for the GDPR and the Whistleblowing Directive
Privacy Library
Privacy Library
MoFo’s database of privacy laws and regulations for more than 90 countries around the world.
China Privacy and Data Security
China Privacy and Data Security
Our China Privacy and Data Security team advises clients on a host of issues.