
Lowenstein Sandler LLP

Edgar R. Hidalgo CIPP/US

Counsel

Expertise

  • The Tech Group
  • Privacy & Cybersecurity
  • Technology & Media Transactions

Lowenstein Sandler LLP
New York, U.S.A.

Profile

Edgar’s practice is primarily focused on privacy and data security, intellectual property, technology, and related commercial transactions. He has significant experience in representing clients in the retail, publishing, media, technology, advertising, and pharmaceutical sectors across the United States and internationally. He also has experience in licensing, First Amendment law, supply chain, distribution and logistics transactions, mergers and acquisitions, and general corporate representation.

Prior to rejoining Lowenstein Sandler in 2019, Edgar was in-house senior counsel at Simon & Schuster, Inc., the book publishing division of CBS Corporation, and the toy retailer and manufacturer Toys “R” Us, Inc. He began his legal career as a corporate associate at an Am Law 50 law firm. 

Edgar was also a volunteer law clerk for the U.S. District Court for the Southern District of Florida in 2010 and a law clerk for the Recording Industry Association of America in 2008. Prior to law school, he worked in marketing in the financial services and automotive industries. 

Passionate about applying his legal skills outside of the firm, Edgar provides pro bono legal services in support of the arts as well as to nonprofit organizations providing services to the LGBT community. He is also an adjunct professor of business law at Montclair State University.

Bar Admissions

  • New York
  • New Jersey

Education

Georgetown University Law Center (J.D. 2010); Dean’s List; Journal of Law and Public Policy
Georgetown University McDonough School of Business (M.B.A. 2010); Community Service Fellow Award
University of Miami (B.B.A. 2004), cum laude

Areas of Practice

Privacy & Cybersecurity | Technology & Media Transactions | The Tech Group

Speaking Engagements

In-house lawyers in industries far beyond the tech world–such as financial services, pharmaceuticals, insurance, and consumer electronics, to name only a few–need practical guidance on the many ways that cybersecurity and privacy issues can affect all stages of business, from the valuation of data as an asset to the allocation of risk.

In response to this need, Lowenstein Sandler has expanded our annual program to include an even deeper dive into cybersecurity issues of special interest to GCs, CPOs, and CIOs. Our interdisciplinary group of privacy and data security specialists has teamed with in-house counsel to develop programming aimed to help corporations and executives navigate the potential risks, regulations, and benefits at stake, as well as best practices to address these issues.

Topics include:

  • Data Protection Law Developments: A Year in Review and What to Expect in 2020
  • Artificial Intelligence: Preparing for the Future of Business
  • Cyber Insurance: What It Covers, Why You Need It, and How To Get It
  • Blockchain Promises Solutions Across Industries, But Will it Deliver?
  • Telehealth and Telemedicine: The Future of Health care?
  • Biometric Data: From Finger Scans to Facial Recognition, a Deeper Dive into Artificial Intelligence
  • State Privacy Laws: A Deeper Dive into New and Amended U.S. State Privacy and Cybersecurity Laws

Program time: 7:30 a.m.-2:15 p.m. 

Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. 

CLE credit available.

Wi-Fi access and conference space will be available to take phone calls and stay connected to your workday.


Articles

California Attorney General Submits Final Regulations for the California Consumer Privacy Act
Lowenstein Sandler LLP, June 2020

What You Need To Know: The final California Consumer Privacy Act regulations are now under review by the California Office of Administrative Law, and there will be no additional opportunities for public comment. The California Attorney General has requested expedited review of the CCPA regulations, bypassing an executive order issued by the Governor of California extending administrative review periods due to the COVID-19 pandemic...

Contradictory Responses by Privacy Regulators Post-COVID-19: Balancing the Economy With Cybersecurity in a Changed World
Lowenstein Sandler LLP, June 2020

What You Need To Know: The CCPA is currently set to become enforceable on July 1. If your business is regulated by the CCPA, you have 30 days from publication of this alert to comply. Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic...

COVID-19 Era Remote Work Environments Increase Cybersecurity Risks: What You Need to Know and Do
Lowenstein Sandler LLP, April 2020

In response to the COVID-19 pandemic, significant sectors of the global workforce abruptly shifted to working remotely. Private and public businesses, government operations, and educational institutions moved en masse to home-based work environments. This unprecedented disruption stressed not only the millions of individuals involved, but also the complex technology infrastructures that were suddenly required to accommodate massive traffic volumes...

Additional Articles

The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.

Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.

Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.

THE CALIFORNIA ATTORNEY GENERAL REMAINS STEADFAST ON THE CALIFORNIA CONSUMER PRIVACY ACT

The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.

In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”

In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extend the current moratoriums on certain employee and business-to-business data from 2021 to 2023.

EUROPEAN REGULATORS SIGNAL FLEXIBILITY

The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”

The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.

The EDPB also issued two new guidelines: (1) "Guidelines 03/2020" on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) "Guidelines 04/2020" on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. "Guidelines 03/2020" allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. "Guidelines 04/2020" discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.

Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.

DEPARTMENT OF HEALTH AND HUMAN SERVICES RELAXES ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.

While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.

FEDERAL TRADE COMMISSION WARNS OF INCREASING THREAT

On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.

CONGRESS PROPOSES COMPETING COVID-19 PRIVACY LEGISLATION

Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual, including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and to hold government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for future, more expansive general privacy legislation at the federal level.

WHAT YOU NEED TO KNOW

  • The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
  • Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
  • It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
  • If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.

 

Reprinted with permission from the June 8, 2020, issue of Business Law Today. © 2020 American Bar Association. All Rights Reserved. Further duplication without permission is prohibited.

To see our other material related to the pandemic, please visit the Coronavirus/COVID-19: Facts, Insights & Resources page of our website.

