Last week, the Department of Justice (“DOJ”) announced the launch of its Civil Cyber-Fraud Initiative (“the Initiative”) aimed at combating “new and emerging cyber threats to the security of sensitive information and critical systems” specifically targeting accountability of cybersecurity obligations for federal contractors and federal grant recipients, by way of the False Claims Act.  The Initiative will be led by the Civil Division’s Commercial Litigation Branch – Fraud Section.

The False Claims Act imposes liability on persons and entities that defraud governmental programs. The Initiative will hold persons and entities accountable, via the False Claims Act, for several practices related to cybersecurity practices including: 1) putting U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, 2) knowingly misrepresenting cybersecurity practices or protocols, and 3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco in her announcement of the Initiative.

Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fiscal and public trust.

As detailed in Deputy General Monaco’s announcement, benefits of implementing the Initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

Notably, that same day, the DOJ also announced a 2nd cybersecurity related initiative, the National Cryptocurrency Enforcement Team (“the Team”), which will address activities by entities such as virtual currency exchanges that misuse cryptocurrency for criminal activity, including ransomware attacks.  The Team, in addition to prosecuting such violations, will help recover lost cryptocurrency payments, including those to ransomware groups.

The DOJ is strategically increasing focus on cybersecurity, as the Biden Administration makes cybersecurity a top priority. The U.S. government has continued to ramp up efforts to strengthen its cybersecurity in the past year, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

With health-related data and how to protect it at the forefront of discussion since the start of the COVID-19 pandemic, this week California Governor Gavin Newsom signed into law two bills related to genetic data.  First, AB 825, will expand the definition of personal information to include genetic data, for data breach notification requirements for businesses and government agencies, as well as reasonable safeguard requirements for businesses. Second,  SB 41, will establish the Genetic Information Privacy Act, requiring a direct-to-consumer genetic testing company to provide a consumer with notice and consent regarding its genetic data collection, use and disclosure policies.

Below is a breakdown of each law:

  • AB 825 – Unanimously approved by the Senate on September 8th, and Assembly back in May, AB 825, will expand the definition of personal information to include genetic data and define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified. This expanded definition of personal information will apply to three existing laws: 1) the Information Practices Act of 1977 which requires an agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was compromised, 2) Civil Code 1798.81.5 which requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices, and 3) Civil Code  Section 1798.82 which requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach.
  • SB 41 – Also passed unanimously by both the Senate and Assembly in September, SB 41 will establish the Genetic Information Privacy Act, which will require a direct-to-consumer genetic testing company to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. In particular, the new law will provide consumers with the right to revoke consent in accordance with certain procedures, and a requirement for companies to destroy a consumer’s biological sample within 30 days of revocation of consent. The bill will further require a direct-to-consumer genetic testing company to comply with all applicable laws for disclosing genetic data to law enforcement without a consumer’s express consent, implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data. The law will impose civil penalties for violations of the law, and enforcement of such actions will be exclusive to the Attorney General, district attorney, county counsel, city attorney, or city prosecutor.

Both laws will take effect January 1, 2022. Whether an organization is a health care provider, a genetic testing company, an employer, or other company that potentially collects genetic data, it should review its policies and practices concerning genetic tests and genetic information.

The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information.  The FTC’s policy statement effectively clarified the position that health apps and related connected devices are subject to the Health Breach Notification Rule (“the Rule”), which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information.  The FTC’s commissioners voted 3-2 to approve the policy statement.

The FTC’s Rule helps account for entities that are not subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), but nonetheless collect and use sensitive health information.  The FTC notes in its policy statement that while the Rule was established more than a decade ago, “the explosion in health apps and connected devices” particularly with the onset of the COVID-19 pandemic, and a spike in cyberattacks in this space, has made the Rule’s obligations “more important than ever.”  Health apps include everything from fitness, sleep and diet trackers, to apps that help individuals track their disease, diagnosis, medications, mental health, other vital areas and more.

Specifically, the Rule states that:

each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:

  • Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
  • Notify the Federal Trade Commission.

In addition, the Rule requires third-party service providers of such vendors, following the discovery of a breach of security, to provide notice of the breach to an official of the vendor designated in writing, and if no such designation is made, to a senior official of the vendor.

PHR is defined as an electronic record or individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual.

Notably, the policy statement emphasizes that a health app is subject to the Rule if it is capable of drawing information from multiple sources, even if the health information comes from only one source. The FTC provides the example of a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar) – such an app is covered under the Rule.

The FTC’s policy statement further clarifies that when a health app discloses sensitive health information without user consent, a “breach of security” is triggered under the Rule, and such a breach is not limited to “nefarious behavior”.  “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.” Entities that fail to comply with the Rule are subject to monetary penalties of up to $43,792 per violation, per day.

The Rule has generated significant confusion for entities offering PHRs, particularly since the onset of the COVID-19 pandemic. It is important to emphasize that the FTC’s rule does not apply to HIPAA-covered entities. The preamble of the Rule, for example, addresses whether the Rule would cover PHRs that a HIPAA-covered entity offers its employees. The preamble explicitly notes that “because the FTCs rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees”.   The overarching goal is to “harmonize” HHS and FTC data breach notification reporting requirements, and compliance with certain HHS rule requirements in turn satisfies compliance under the FTC rule.  There are, however, situations where an entity may have “dual or overlapping” coverage under the HHS and FTC rules.  Here are a couple examples: 1) A vendor with a dual role as both a business associate under HIPAA and a provider of PHRs to the public through its own website (reporting requirements under HHS for its functions related to qualifying as a business associate, and requirements under the FTC rule for its role as a provider of PHRs to the public), 2) PHRs offered to families (a HIPAA covered group health plan would have data breach reporting requirements under HHS Rule for the employee covered by the plan, but not for a spouse who has a PHR under the plan, but is insured by the a different provider, for which the FTC Rule would be applicable). As a result, it is crucial for an entity that provides services and functions to varying categories of individuals, to carefully parse out applicability under each of the rules.

The health app industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store medical data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

When use or disclosure of an individual’s health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.

Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the “HIPAA rules”), issued this guidance. We have summarized some of the key points below.

Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The OCR’s answer is clear – No.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.

The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.

Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

This is a popular question these days. The OCR’s answer, “No.”

OCR reminds readers that the HIPAA rules do not apply to employment records:

including employment records held by covered entities or business associates in their capacity as employers.

The OCR also observed that:

federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

But, again, once collected, vaccination information must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). And, group health plans sponsored by employers are, in most cases, HIPAA covered entities. This means that COVID-19 vaccination information maintained in connection with those plans, such as claims information, would be PHI subject to the HIPAA rules.

Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Another popular question and, again, the OCR’s answer is no.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Do the HIPAA rules prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Here, the answer is generally, yes. The doctor’s office is a HIPAA covered entity and the HIPAA rules prohibit covered entities from using or disclosing an individual’s (patient’s) PHI except with the individual’s authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor’s office will need a written authorization in order to disclosure the records.

Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.

The OCR provides some additional examples:

  • A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, provided all of the following conditions are met:
    • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
    • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
    • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose
    • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations – screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules – the HIPAA rules – apply to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.

On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue.  Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period.  BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.

In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.”  The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., in reaching its conclusion.

Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication  matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.”  The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.”  On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”

Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.

In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues.  However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle.  The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration.  In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA.  The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.

There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.

 

Yesterday, Baltimore’s local ordinance prohibiting persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology,” became effective.  The new ordinance prohibits the use of facial recognition technology by city residents, businesses, and most of the city government (excluding the city police department) until December 2022. Baltimore joins a growing list of localities regulating private use of facial recognition technology including Portland (Oregon), and New York City.

Specifically, the Baltimore ordinance prohibits an individual or entity from obtaining, retaining, or using facial surveillance system or any information obtained from a facial surveillance system within the boundaries of Baltimore city. “Facial surveillance system” is defined as any computer software or application that performs face surveillance. Notably, the Baltimore ordinance explicitly excluded from the definition of “facial surveillance system” a biometric security system designed specifically to protect against unauthorized access to a particular location or an electronic device, meaning organizations using a biometric security system for employee/visitor access to their facilities would appear to be still be permissible under the bill. The ordinance also excludes from its definition of “facial surveillance system” the Maryland Image Repository System (MIRS) used by the Baltimore City Police in criminal investigations.

Significantly, a person in violation of the law is subject to fine of not more than $1,000, imprisonment of not more than 12 months, or both fine and imprisonment.  Each day that a violation continues is considered a separate offense. The criminalization of use of facial recognition, is first of its kind across the United States.

Businesses in the City of Baltimore should be evaluating whether they are using facial recognition technologies, whether they fall into one of the exceptions in the ordinance, and if not what alternatives they have for verification, security, and other purposes for which the technology was implemented. An earlier post providing details and analysis of the Baltimore prohibition on face surveillance technology is available here.

Watch out! A spike in ransomware attacks may be headed our way over Labor Day weekend. Yesterday, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to be on high alert for ransomware attacks this weekend, after recent targeted attacks over Mother’s Day, Memorial Day and Fourth of July weekends.

“Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time”, the FBI and CISA noted in their alert.

In May 2021, leading into Mother’s Day weekend, malicious cyber attackers deployed the now infamous ransomware attack on Colonial Pipeline, resulting in the Biden Administration issuing a memo specifically addressing critical infrastructure cybersecurity. Shortly after, over Memorial Day weekend, an entity in the food and agricultural sector suffered a similar attack, resulting in a complete shutdown of production. And finally, over July 4th weekend, an entity in the IT sector was hit with an attack affecting hundreds of organizations including multiple managed service providers and their customers.  Needless to say, organizations across all sectors should be on high alert heading into Labor Day weekend.

The FBI’s Internet Crime Complaint Center (IC3), the go-to-source for cyber incident reporting, has tracked ransomware trends in recent years.  In 2020, a record number of complaints (791,790) related to internet crimes were reported to IC3, with reported losses exceeding $4.1 billion. In ransomware specifically, there was a 20% increase during 2020, and a 225% increase in ransomware demands.

The FBI/CISA’s joint ransomware warning for Labor Day, provides several suggestions for preventing and responding to an attack.  Here are a few key takeaways:

  • Make an offline backup of your data. This includes reviewing your organization’s back up schedule to consider the risk of possible disruption during weekends and holidays.
  • Do not click on suspicious links. Implementing an employee/user training program and phishing exercises can go a long way in warding off an attack.
  • If you use RDP-or other potentially risky services-secure and monitor. In particular limit access and monitor remote access, and review review review your third-party vendor’s security policies.
  • Upgrade your OS and Software; scan for vulnerabilities. Continue to review and upgrade your software, regularly patching and updating for the latest available versions that take into account security vulnerabilities.
  • Use strong passwords. Consistent password hygiene can make a world of difference. Ensure strong passwords, that are regularly updated and not used across multiple accounts or stored on the system.
  • Use multi-factor authentication. Where possible, implement multi-factor authentication, particularly for remote/virtual networks.
  • Secure your network (s) and user accounts. This includes securing home networks of remote workers, and regularly auditing user account logs to ensure legitimacy.
  • Have an incident response plan. There are several steps an organization can take to build an incident response plan that minimizes the chance and impact of a successful attack. Here are a few.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends, such as spikes in attacks during the holidays.  Increasing awareness among employees to avoid becoming a victim of a phishing attack could be an excellent initial step.

Consumer privacy issues are as a hot as ever, and on the radar of the state and federal legislature alike.  Following in the footsteps of California, and most recently Virginia and Colorado, Ohio  introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nation-wide trend towards stronger state privacy laws related to consumer rights.

Application

The Act primarily applies to businesses in Ohio or business that collect data about consumers in Ohio which fall into one of the following categories:

  • at least $25 million in gross revenue;
  • with 100,000 customers;
  • derives more than 50% of its gross revenue from the sale of personal data and processes; or
  • controls personal data of 25,000 or more consumers.

The Act provides exceptions for certain business and institutions. Exceptions include institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm Leach-Bliley Act.

Consumer Data Rights

Businesses are expected to provide a “reasonably accessible, clear, and conspicuously posted privacy policy” to inform consumers about the data collected.

The Act specifies the following rights for consumers:

  • to ask companies what personal data they’ve collected;
  • to request corrections to the personal data collected;
  • to request that data be deleted subject to exceptions; and

to request that companies stop selling personal data.

It is also important to note, that as with its counterparts in certain other states, the Ohio bills defines “consumer” as a natural person who is a resident of the Ohio acting only in an individual or household context. The Act states that the definition of consumer does not include a “natural person acting in a business capacity or employment context.”

Anti-Discrimination Provision          

The Act prohibits businesses from engaging in discriminatory conduct related to the price of its products against consumers who exercise any of the above rights. Businesses must have legitimate business reasons for any differences in prices or ranges.

Remedies

Unlike many other states that have implemented consumer privacy protections, the Act does not provide for a private right of action. However, consumers may make a complaint to the Attorney General’s Office who has the sole authority to enforce the provisions of the Act. The Attorney General may seek civil penalties of up to $5,000 for each violation.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.

 

Restaurants in New York City will soon gain access to valuable information about their delivery customers.  On July 29, 2021, the New York City Council approved a bill requiring third-party food delivery services (“FDS”), such as Uber Eats, DoorDash, and Grubhub, to share customer data – including names, phone numbers, delivery and mailing addresses, and purchase histories – with restaurants upon request.  This data-sharing requirement does not extend to telephone orders.

The bill requires an FDS to provide notice to its customer that their data may be shared with the restaurant with which the customer is placing its order, and mandates that the FDS provide a mechanism on its website that enables the customer to opt out of that data sharing.  If the customer declines to opt out when placing their order, consent is assumed.

Each FDS will be required to share customer data with restaurants on a monthly basis, and may not limit restaurants’ use of the data for marketing or other purposes.  However, restaurants are prohibited from selling, renting, or disclosing customer data to any other party in exchange for financial benefit without first obtaining written consent from the customer(s) in question.  Also, the restaurant must allow the customer to (1) withdraw that consent and/or (2) request that the restaurant delete their data.

This bill is expected to take effect in the next few months.  In the meantime, restaurants should prepare to avail themselves of this new dataset by developing internal policies to manage their collection, use, disclosure, and retention of this data, as well as to process customer requests to withdraw their consent or delete their data.

Cities step up their efforts to combat the COVID-19 Delta variant. New York City, New Orleans, and San Francisco have all announced requirements for certain persons to produce evidence of COVID vaccination status in order to patronize or work indoors at certain establishments. Adding to an already complex patchwork of COVID-related regulation – screening, social distancing, contact tracing, paid-time off, record keeping, etc. – certain businesses will need to absorb another layer. But while doing so, they should avoid creating new data privacy and security risks.

In general, each of the cities requires businesses in certain industries such as food services (restaurants, bars), fitness, and entertainment (hotels, casinos, music halls) to require employees, patrons, customers, contractors, and others to provide proof of vaccination to go indoors at these establishments. In some cases, proof is required even for certain outdoor activities. For example, in New Orleans, the requirement applies to outdoor events of more than 500 people if total attendance is more than 50% of the outdoor venue’s capacity.

There are several exceptions to these requirements. For example:

  • Persons under 12 do not have to provide proof of vaccination.
  • In New Orleans, a negative PCR test within 72 hours of access can be provided in lieu of vaccination proof. This is not permitted in San Francisco, which requires proof of full vaccination. See FAQs for COVID-19 Health Order C19-07y. NYC requires proof of at least one dose of the COVID-19 vaccination.
  • San Francisco businesses may allow patrons wearing a well-fitted mask to use a restroom indoors without vaccination verification. There is a similar exception in NYC.
  • If an individual in NYC is unable to show proof of vaccination due to a disability, the business must engage in a cooperative dialogue to see if a reasonable accommodation is possible. Reasonable accommodation is not required if the individual would create a direct threat to other customers or employees, or impose an undue hardship on the business. A similar approach is required for employees.

A significant issue for covered businesses, however, is whether they must collect any additional information in order to comply, and how should that information be safeguarded, retained, and/or disclosed, as necessary. Businesses will want to have sufficient proof that they have complied to avoid an enforcement action. In New York City, when enforcement begins on September 13, 2021, noncompliant establishments may be subject to a fine of $1,000, or more for repeated violations. But this does not mean they need to collect sensitive personal information.

The cities provide several ways for individuals to communicate proof of COVID vaccination.

  • In New Orleans, individuals can use the LA Wallet app; an original, digital photograph, or photocopy of CDC vaccination cards (both sides); or an official vaccine record issued by another state, foreign nation or the World Health Organization.
  • In San Francisco, one can show their CDC Vaccination Record Card (CRC), an image of the card saved to one’s smartphones, a digital COVID-19 vaccine record issued by the State of California, or an approved private app.
  • In NYC, any of the following could be a Key to NYC: one’s CDC vaccination card, the NYC COVID Safe App, the New York State Excelsior App, and official vaccine record, or a photo or hard copy of an official vaccination record of a vaccine administered outside the U.S.

In NYC, businesses also must check the ID of each person required to show proof of vaccination who appears to be 18 or older to confirm the individual is the same person as listed on the proof of vaccination. The ID must contain either the person’s name and picture, or name and date of birth. However, ID checks are not required for individuals that can be matched against information the business already maintains, such as employees.

Do I need to check other identification besides proof of vaccination?

Yes. Identification bearing the same identifying information as the proof of vaccination must also be displayed. (underline added)

See NYC’s Key to NYC FAQs. San Francisco has a similar requirement. See San Francisco FAQs (“Businesses subject to this new requirement must cross-check proof of vaccination against each patron’s photo identification.”)

Some of these methods raise privacy and data security issues for individuals, especially for those choosing to use apps. Pennsylvania is just one state reeling from a data breach involving a COVID app that exposed medical information of thousands of its citizens. But there are significant questions for businesses – what information do they have to collect, if any, and what steps should they take to process and safeguard that information.

NYC’s Key to NYC FAQs provides:

Who must display proof of vaccination?

Employees, patrons, interns, contractors, and volunteers at Key to NYC establishments must display proof of vaccination. Businesses may keep a record of people who have previously provided proof of vaccination, rather than require the proof be displayed every time the person enters the establishment. (underline added)…

What documents do I need to maintain?

You must have a written record that describes how you will verify proof of vaccination for staff and patrons. The record must be on site and available for inspection.

Based on the above, covered NYC businesses are not required to collect information from individuals about their vaccination status. They only need to document how they will verify proof. (NYC provides a sample written protocol) The guidance suggests, however, that businesses could maintain a record of persons who already confirmed vaccination status for ease of administration. But, doing so arguably would create confidential personal information.

New Orleans and San Francisco also do not require businesses to collect proof of vaccination information, although businesses in San Francisco should assess whether the California Consumer Privacy Act (CCPA), as amended, applies and whether additional compliance measures should be implemented.

So, the good news is that while there are some additional compliance requirements in these cities concerning COVID, covered businesses should not have to collect personal information from customers or employees in most cases to meet these requirements. When implementing these measures, businesses should consider advising employees to avoid collecting personal information. Of course, in cases where an employee or patron seeks a reasonable accommodation, the business may need additional information to process that request. In that case, there should be procedures in place to minimize the information needed, to safeguard what is collected, and to limit disclosure of what is retained.