California Updates its Data Breach Notification Law

On February 21, 2019, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130 which intended to strengthen and expand California’s existing data breach notification law. On September 11, 2019, the bill passed both houses of the legislature and was presented to Governor Gavin Newsom. Last Friday, October 11, 2019, the Governor signed AB 1130, together with 6 additional California Consumer Privacy Act of 2018 (“CCPA”) related bills into law.

Prior to AB 1130, California’s breach notification law defined personal information in Cal Civil Code Sec. 1798.81.5(d)(1)(A) to include a covered person’s first name (or first initial) and last name coupled with sensitive personal information such as Social Security numbers, driver’s license numbers, financial account numbers, and medical and health information. AB 1130 expands the types of personal information in that section to include biometric information (i.e. fingerprint, retina scan data, iris image) and government identifiers (i.e. tax identification number, passport number, military identification number).

In addition to expanding the elements of personal information that are subject to a notification obligation in the event of a data breach, the change also increases litigation risk following a data breach. This is because, under the CCPA, consumers affected by a data breach can bring an action for statutory damages when the breach is caused by the business’ failure to maintain reasonable safeguards. And, the CCPA specifically incorporates Civil Code Sec. 1798.81.5(d)(1)(A), which AB 1130 expanded. Now, a broader set of personal information that, if breached and not reasonably safeguarded, could expose businesses subject to the CCPA to substantial damages. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft resolution and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include biometric information and government identifiers only increases these risks. It would be prudent for businesses subject to the CCPA to ensure reasonable safeguards are in place to protect all of these elements of personal information, and make sure their third-party service providers are doing the same.

CCPA Update: AG Announces Proposed Regulations, Governor Signs Amendments into Law

Lots of action for the California Consumer Privacy Act (CCPA) in the last few days! After much anticipation, on October 10th, 2019, California Attorney General Xavier Becerra (“the AG”) announced the Proposed Regulations for the CCPA.  The next day, California Governor Gavin Newsom signed into law six amendments to the CCPA. Below is a summary of key aspects of the AG’s Proposed Regulations and the Governor signed amendments.

AG Becerra’s Proposed Regulations

The CCPA requires the AG to adopt regulations to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law by July 1, 2020 (Civ. Code, § 1798.185, subd. (a)). The AG’s Proposed Regulations in particular provide compliance guidance for covered businesses, and procedures for facilitating consumer rights.

The AG’s Proposed Regulations are extensive and provide clarity on key issues including:

  • Notice to consumers – the Proposed Regulations promote greater transparency to the public regarding how businesses collect, use, and share personal information and on what businesses must do to comply with the CCPA.
  • Timing and recordkeeping – the Proposed Regulations encourage businesses to provide complete and timely responses to consumer requests.
  • Methods for submitting requests to know and requests to delete – the Proposed Regulations set forth rules and procedures businesses must follow regarding how consumers are to submit these requests.
  • Service providers – the Proposed Regulations harmonize different sections of the CCPA that have caused confusion regarding how the CCPA applies to service providers, addressing concerns raised during the AG’s preliminary public hearings.
  • Discriminatory practices – the Proposed Regulations emphasize that a business may offer a different price or service if it is “reasonably related to the value of the consumer’s data”.
  • Minors – the Proposed Regulations instruct businesses on the implementation process for a parent or guardian to opt-in to the sale of their information.

The AG will hold four public hearings (in Sacramento, Los Angeles, San Francisco and Fresno) to provide all interested parties the opportunity to present statements or comments regarding the Proposed Regulations. This comes in addition to the seven public hearings the AG held prior to preparation of the Proposed Regulations. More information regarding the upcoming public hearings is available here. Interested parties may also submit written comments to the Office of the AG through December 8, 2019.

CCPA Amendments Signed into Law by Governor Newsom

After nearly a year-long legislative process, on October 11th Governor Newsom signed six CCPA amendments into law. Here is a complete list of the recently signed amendments to the CCPA:

  • AB 25 (Employee Personal Information Exemption): Excludes employee personal information from many of the CCPA’s requirements for a one-year period – during which the Legislature would consider more comprehensive employee privacy legislation.
  • AB 874 – (Publicly Available Information Exemption): Removes a limitation on the “publicly available information” exception to the definition of personal information.
  • AB 1355 – (Technical Corrections): Several noteworthy technical corrections and other changes including exemption of deidentified or aggregated consumer information, one-year exemption for B2B communications or transactions and a broadened exemption for businesses subject to the FCRA.
  • AB 1146 (Vehicle Information Exemption): Exempts particular types of vehicle information including warranty and recall information from certain CCPA requirements.
  • AB 1564 – (Consumer Requests for Disclosure Methods): Provides alternatives to the requirement that covered businesses make available to consumers a toll-free number to submit requests for information regarding the use of their personal information.
  • AB 1202 – (Data Broker Registration): Requires data brokers to register with the AG.

A more detailed summary of these CCPA amendments on the blog, is available here.

Conclusion

That’s all for now, but there are still more updates to come! As was the case with the CCPA amendments, the AG’s Proposed Regulations will likely undergo some modifications during the rulemaking process, before adoption in their final form by the July 1, 2020 deadline. We will continue to report on updates to the Proposed Regulations and other CCPA developments as they unfold.  And in case you missed it, we recently released our CCPA FAQs to assist covered businesses with their compliance efforts.

Celebrate National Cybersecurity Awareness Month with CCPA FAQs!

October is National Cybersecurity Awareness Month (NCSAM)! NCSAM is an annual event designed by the U.S. Department of Homeland Security (DHS) and co-led by the Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCSA). NCSAM is a collaborative effort by both government and industry leaders intended to enhance public awareness regarding cybersecurity . This year’s agenda emphasizes personal accountability and taking proactive steps both at home and in the workplace to enhance cybersecurity. This year’s motto is Own IT. Secure IT. Protect IT – #becybersmart, and focuses on areas such as consumer privacy, consumer devices and e-commerce security.

In honor of NCSAM, we are focused on what is one of the hottest issues of 2019, and present our California Consumer Privacy Act (CCPA) FAQs, for all businesses regardless of size or industry. With its effective date less than three months away, the California Consumer Privacy Act (CCPA), considered the most expansive U.S. privacy law to date, still presents many unanswered questions for businesses, service providers, and other interested parties. However, to avoid costly fines, penalties, and litigation, CCPA compliance needs to begin now. To assist businesses with their compliance efforts, we prepared these CCPA FAQs.

Topics include:

  • Entities subject to the law,
  • The definitions of personal information,
  • Pending exceptions for employees and business contacts,
  • Requirements and penalties for employers under the CCPA,
  • New consumer rights and required website notices, and
  • Litigation and class action exposure for businesses that experience a data breach.

The CCPA continues to evolve. As of this writing, we await action or inaction by Governor Newsom on a number of amendments that have been proposed and passed. Additionally, we are reviewing recently issued proposed regulations from the California Attorney General. Thus, while the January 1, 2020 effective date will come and go, businesses need to remain vigilant and continue to monitor legal developments regarding the CCPA, as well as its influence on similar legislative measures in other states.

In addition to our CCPA FAQS, below are additional resources we’ve prepared to provide businesses with a better understanding of how the CCPA was developed, where it is headed, and how it will impact covered entities:

We hope you will find the CCPA FAQS and other resources helpful in navigating the compliance requirements of this groundbreaking law.

Response to Yelp Review Costs Small Dental Practice $10,000 and Two Years of Monitoring to Settle HIPAA Complaint

No business likes to receive bad reviews on Yelp® or anywhere else in social media. When they do, some feel the need to respond to clarify or rebut the reviews, but they must do so carefully. This is particularly true for HIPAA covered entities, as their responses could include protected health information (PHI). A recent Office for Civil Rights (OCR) settlement with a small dental practice highlights this point.

According to the OCR Resolution Agreement, the dental practice responded to a patient’s less than favorable review on Yelp. The patient complained to OCR alleging that the response:

impermissibly disclosed her PHI when it responded to her post and provided her health information including her last name, details of her treatment plan, insurance and cost information.

The OCR conducted its own review of the practice’s Yelp®review page, and claims to have found similar activity with respect to other patients. Specifically, the OCR found that the practice had “impermissibly disclosed PHI of other patients when it responded to those patients’ [Yelp®] reviews without valid authorizations.” The OCR’s investigation also found the practice did not have (i) a policy and procedure addressing impermissible disclosures that could be applied to social media activity, or (ii) a compliant Notice of Privacy Practices. To settle these potential violations, the practice agreed to pay $10,000, and to adhere to a corrective action plan that includes two years of monitoring by OCR.

Yelp reviews certainly are not the only form of social media with which health and dental practices engage. Many use Facebook pages, YouTube channels, and other platforms to promote their business and to interact with persons they serve and others. In some cases, such as nursing homes and assisted living facilities, healthcare workers build relationships with residents, patients, and their family members that can spill over into social media. If not careful, and in the absence of a clear policy, casual and informal communications between practice staff and patients could expose the practice to significant risk.

So what should small medical and dental practices be doing to address these risks:

  • Get complaint with HIPAA!
  • Develop and maintain a clear social media policy to guide employees (providers and staff) as to company policy and best practices. This policy can and should be included with your HIPAA privacy and security policies and procedures.
  • Train concerning these policies.
  • Maintain a HIPAA Notice of Privacy Practice and post in on the practice’s website, as applicable.
  • Understand the social media channels that the practice engages in and consider periodically monitoring public social media activity by employees.

Nevada Opts Out Before California: A Reminder to Review Website Privacy Statements

The California Consumer Privacy Act takes effect January 1, 2020. Businesses within the scope of the CCPA are taking steps to prepare, including drafting notices to inform California consumers of their right to opt out of the sale of their personal information. However, California will not be the first state to provide a consumer with the right to opt out of the sale of their personal information. As a result of the recently amended Nevada data protection law, effective October 1, 2019 [here] a Nevada consumer will also have the right to opt out of the sale of personal information collected by an online business.

The existing Nevada Security and Privacy of Personal Information Act, NRS 603A, provides numerous privacy and security protections for the personal information of Nevada residents. These include requiring

  • A business to take reasonable measures to ensure the secure destruction of customer records containing personal information when the business decides that it will no longer maintain the records;
  • A data collector to (i) implement and maintain reasonable security measures to protect personal information it maintains regarding a resident of the state from unauthorized access, acquisition, destruction, use, modification, or disclosure and (ii) contractually obligate third parties to whom it discloses personal information to do the same;
  • A data collector to encrypt data for non-invoice transmissions outside of the business and encrypt data storage devices containing personal information when transported beyond the control of the data collector; and
  • A data collector to disclose a breach of the security of system data which includes personal information of Nevada resident where it was or is reasonably believed to have been acquired by an unauthorized person.

The Act also requires an operator of an Internet website or online service to post an online privacy notice regarding the privacy of “covered information” that it collects from a “consumer.” Covered information means one or more of the following items about a consumer when maintained by an operator in an accessible form:

  • A first and last name
  • A home or physical address including the name of a street and city or town
  • An email address
  • A telephone number
  • A social security number
  • An identifier that allows a specific person to be contacted physically or online
  • Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

A “consumer,” for the purpose of providing the privacy notice, means a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operation.

SB 220 recently amended these consumer rights by adding the right to opt out of the sale of personal information collected by an operator of an Internet website or online service. Specifically, SB 220

  • Expands the definition of an operator to include a commercial Internet website or online service that otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirement of the US Constitution. It also expands the categories of entities exempt from this definition to include financial institutions or their affiliates subject to the Gramm-Leach-Bliley Act; entities subject to HIPAA; and manufacturers or persons who service motor vehicles and collect, generate, record, or store certain types of information;
  • Defines the “sale” of consumer personal information as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons;”
  • Requires the operator’s online privacy notice to include a “designated request address” such as an e-mail address, toll-free telephone number or Internet website through which the consumer can submit a verified request; and
  • Requires the operator to respond to a verified consumer request to prohibit the sale of any covered information the operator has collected or will collect about the consumer within 60 days of receipt, subject to a 30-day extension, as reasonably necessary.

While this consumer right to opt out is similar to the CCPA, there are several key differences worth noting. First, SB 220 applies to a much less expansive definition of personal information and a narrower definition of sale. Second, it applies only to personal information collected through online commercial sales. Third, and most significantly, there is no revenue or data collection threshold for determining which businesses are within its scope. It applies to operators of commercial Internet websites or online services who engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution, regardless of size or revenue.

The effective date for SB 220 is October 1, 2019 and operators should have their opt out notice and designated address ready. For those businesses preparing for the effective date of the CCPA in January, certain compliance preparations can be leveraged for SB 220. This includes data mapping, creating a designated request address, updating the online privacy policy, and drafting and implementing internal policies and procedures to identify, verify, and respond to a consumer request in a timely manner. Implementation of SB 220 will vary, however, based on differences including its limited application to online data collection, response time, and the definitions of sale and covered information. Finally, although not expressly required, best practices suggest preparing and training employees to identify and properly respond to consumers request.

For those businesses not currently subject to the CCPA or SB 220, data mapping, appropriate safeguards, written information security programs, vendor management, and employee training should be at the forefront of any developing data protection program. To borrow a phrase from the data breach environment, its no longer a question of if your jurisdiction will enact a comprehensive data protection law, but when.

CCPA: Expansive Array of Consumer Rights Imposes Rigorous Compliance Burden

For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information.  And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York – have gone a step further, requiring subject organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use.  With the passage of the California Consumer Privacy Act (“CCPA”), California is poised to establish the next frontier in U.S. privacy and data security law.

The CCPA, which is set to take effect on January 1, 2020, imposes on subject organizations not only the obligation to secure data, and to provide notification in the event of a breach, but also an obligation to develop programs to manage the sweeping suite of rights that the CCPA grants to consumers (a category which, as we’ve previously discussed, will likely include employees (at least in certain circumstances)).

The CCPA, which follows in the footsteps of the European Union’s GDPR, has already inspired the proposal of similar legislation in other states – such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island – as well as at the federal level.

Access & Portability

One significant right the CCPA grants consumers is the right to request information regarding:

  • the categories of personal information businesses collect about them:
    • identifiers – e.g. real name, address, social security number
    • characteristics of protected classification under California or Federal law;
    • Commercial information – e.g. products purchased, records of personal property
    • Biometric information
    • Internet or other electronic network activity – e.g. browsing history, search history
    • Geolocation data
    • Audio, visual, and similar information
    • Profession or employment related information;
  • the sources from which that personal information was collected (e.g., online order histories, online surveys, tracking pixels, cookies, web beacons);
  • the categories of personal information sold to third parties;
  • the categories of personal information disclosed for business purposes;
  • the categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers);
  • the business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
  • the “specific pieces” of personal information collected.

The CCPA imposes a one-year lookback period from the time of the request, and mandates that, in the event consumers request access to their personal information, the subject business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”

Deletion

Subject to certain exceptions (e.g., to complete to the transaction for which the personal information was collected; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality), the CCPA permits consumers to request that subject businesses delete – and direct service providers to delete – personal information collected about them.

Opt Out

Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information.  To facilitate consumers’ exercise of this right, subject businesses are required to provide a link titled “Do Not Sell My Personal Information” to a web page where consumers can opt out of having their personal information sold to third parties. Similarly, Nevada recently enacted a new online privacy law requiring businesses to offer consumers the right to opt out of the “sale” of their personal information, effective October 1, 2019.

 Non-Discrimination

To protect consumers who exercise their rights under the CCPA, the law generally prohibits subject businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services, because they exercised their CCPA rights.  That said, businesses are permitted to charge different prices or rates, or to provide different levels or qualities of goods or services, if those differences “reasonably relate” to the value provided to the consumer by the consumer’s data. Additionally, businesses may, under certain circumstances, offer financial incentives to consumers to entice them to permit the collection, retention, and/or sale of their information.

Privacy Policy

The CCPA requires subject businesses to disclose, and facilitate the exercise of, the above-discussed rights in their privacy policies.  Specifically, businesses should update their existing policies, or develop new polices, to include the following elements:

  • a description of the new rights afforded consumers under the CCPA;
  • a list of the categories of personal information collected by the business in the preceding 12 months;
  • a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
  • a link to a “Do Not Sell My Personal Information” web-based opt-out tool;
  • a description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a discount to consumers who provide their email addresses for marketing purposes, this incentive should be disclosed in the privacy policy); and
  • two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).

Private Right Of Action

In contrast to many U.S. privacy and data security laws, the CCPA provides consumers a private right of action – albeit a limited one.  Specifically, the law empowers consumers to sue on their own behalves when a subject business’s failure to maintain “reasonable safeguards” results in the breach of their personal information.  Notably, the definition of personal information applicable to the private right of action is narrower than the definition used throughout the rest of the CCPA. A consumer can bring a private right of action under the CCPA only if the the following information is breached: an individual’s name along with his or her social security, driver’s license, or California identification card number; account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or medical or health insurance information. While this private right of action does not extend to the rights discussed above – which will be subject to agency enforcement – even this limited private right will, if the recent flood of claims brought under the Illinois Biometric Information Privacy Act is any indication, result in a significant volume of class action litigation.

Takeaways

With the January 1, 2020 deadline less than four months away, subject businesses need to promptly evaluate whether they are prepared to effectively navigate the expansive array of rights the CCPA extends to consumers.  To do so, businesses will need to, among other things: (a) map the personal information about California residents that they collect, use, and sell; (2) design and document policies, procedures, and practices to manage disclosure, access, and deletion requests, and to avoid discriminatory conduct; and (3) train their workforce members to effectively comply with those policies, procedures, and practices.

One final point of note:  The CCPA has been a work in progress over the last year. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA by mid-October.  We will continue to track these developments.

CCPA Amendments Updated, Finalized, and Moving on to Governor Newsom

The California Consumer Privacy Act is almost here! The groundbreaking law takes effect January 1, 2020. Covered businesses and their service providers have already started preparing, as the CCPA continues to evolve since it was introduced. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA.

As we’ve reported periodically over the course of the year, businesses and stakeholders have been clamoring to shape the CCPA in a number of ways. In late April, the California Assembly of Privacy and Consumer Protection Committee (“Committee”) introduced several bills addressing a number of issues with the law, such as excluding certain categories of information from personal information or from certain requirements under the law, and clarifying ambiguities. Some survived, and some did not.

Below is a rundown of key substantive amendments:

  • AB 25 (Employee Personal Information Exemption): As we’ve previously reported, AB 25 went through several modifications over the course of the year. In its latest form, employee personal information would be excluded from many of the CCPA’s requirements (including the requirements that permit consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares their personal information). But, employees of businesses subject to the CCPA still would be entitled to a privacy notice and able to commence a private right of action in the event affected by a data breach caused by a failure of the duty to maintain reasonable safeguards. Under the privacy notice provision, covered businesses would be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used. Under the private right of action provision, employees of covered businesses would be permitted to bring an action, including as a class action, in the event their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures. Note: These changes concerning employee personal information are set to sunset on January 1, 2021, on the understanding that during this one-year period, the Legislature would consider more comprehensive employee privacy legislation.

 

  • AB 874 (Publicly Available Information Exception): AB 874 removes a limitation on the “publicly available information” exception to the definition of personal information. If signed into law, publicly available information will be defined as “information that is lawfully made available from federal, state, or local government”. The bill removes the limitation stating that information is not publicly available if it is used for a purpose not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.

 

  • AB 1355 (Technical Corrections): AB 1355 made a number of noteworthy technical corrections and other changes:
    • Relief for certain “business-to-business” (B2B) communication or transactions. Many businesses have been concerned about how to handle the personal information of business contacts. That is, the personal information about individuals who are not acting as “consumers” in the general sense, but engaging with the business to carry out transactions. AB 1355 would provide relief from certain CCPA requirements such as providing notice and granting access and deletion rights for the following personal information:

“Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”

Note, similar to the temporary treatment of employee personal information in AB 25, this relief also is temporary – it lasts until January 1, 2021.

    • Definition of “personal information.” Part of what makes the CCPA so expansive is its definition of personal information. That definition would cover information that is “capable of being associated with” a particular consumer or household. In an attempt to narrow the reach of personal information, AB 1355 inserts “reasonably” before “capable.” In addition, AB 1355 clarifies that personal information does not include deidentified or aggregate consumer information.
    • Clarification of Fair Credit Reporting Act (FCRA) Exception. AB 1355 makes clear that the FCRA exception applies to activity that is authorized by the FCRA and is not limited solely to the sale of personal information from a consumer report. The exception applies to FCRA authorized “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency.”

 

  • AB 1146 (Vehicle Information Exemption): AB 1146 exempts from a consumer’s right to opt out, vehicle or ownership information retained or shared between a motor vehicle dealer and the vehicle’s manufacturer, in anticipation of a vehicle repair covered by warranty or recall. It also exempts from a consumer’s right to request deletion, personal information necessary for a business to maintain to fulfill terms of a vehicle warranty or recall.

 

  • AB 1564 (Consumer Requests for Disclosure Methods): AB 1564 provides alternatives to the current requirement that covered businesses make available to consumers a toll-free number to submit requests for information regarding the use of their personal information. If a business operates exclusively online, it may, in lieu of a toll-free number, provide an email address for submitting requests. This bill was recently narrowed limiting the exception to online businesses that have a direct relationship with California residents from which it collects personal information. Moreover, if an online business maintains a website, the business must provide the consumer with a submission request method via the website.

It also is worth noting that one important bill, AB 846, was removed on September 12th from consideration, with plans to be reintroduced next year. AB 846 addressed loyalty reward, discount and similar programs, including prohibitions on the sale of personal information collected as part of those programs, and a limited exception to that prohibition.

It is expected Governor Newsom will sign the Legislature-approved bills into law. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.

Eleventh Circuit Ruling May Impact TCPA Class Actions

Last week, the Eleventh Circuit ruled that a single unsolicited text message doesn’t meet the harm requirement necessary to proceed with a Telephone Consumer Protection Act (TCPA) claim.   The Eleventh Circuit ruling, Salcedo v. Hanna, reverses a decision by a lower court allowing the plaintiff to move forward with a TCPA claim on grounds that he received an unsolicited text message from his former attorney.

“The chirp, buzz, or blink of a cell phone receiving a single text message is more akin to walking down a busy sidewalk and having a flyer briefly [waved] in one’s face,” Circuit Judge Elizabeth L. Branch opined for the Eleventh Circuit three-judge panel. “Annoying, perhaps, but not a basis for invoking the jurisdiction of the federal courts.”

In reaching its conclusion, the Eleventh Circuit panel drew from the legislative history of the TCPA, its own precedent and the Supreme Court’s decision in Spokeo v. Robins which emphasized that in order to meet the Article III standing requirement, a concrete injury must be alleged.

While we often report on the growing circuit split stemming from Spokeo in the context of data breach litigation, due its lack of clarity on what constitutes a concrete injury (see here and here), the Spokeo ruling has generated a similar circuit split in the context of the TCPA. For example, in 2017 the Ninth Circuit concluded that receiving two unsolicited text messages was sufficient to meet the Spokeo standard for a concrete injury. The Eleventh Circuit panel was not persuaded by the Ninth Circuit’s reasoning, highlighting that the Ninth Circuit,

“…stopped short of examining whether isolated text messages not received at home come within that judgment of Congress. Instead, it concluded that ‘Congress identified unsolicited contact as a concrete harm’… We disagree with this broad overgeneralization of the judgment of Congress.”  

The Eleventh Circuit did not quantify how many unsolicited text messages, if any, would be enough to satisfy the concrete harm requirement to establish standing under the TCPA. The Eleventh Circuit decision may suggest that TCPA text messaging class actions are no longer possible, at least in the Eleventh Circuit. However until the Supreme Court weighs in, by clarifying its ruling in Spokeo, we will continue to see a lack of consistency across the circuit courts, both in the TCPA and data breach litigation contexts.

Although the Eleventh Circuit concluded that a single unsolicited text message did not meet the actual harm requirement necessary to sustain a TCPA claim, any organization that uses text messaging for promotional marketing purposes, should be mindful of the legal and regulatory guidelines that govern text message communications. Likewise, when contracting out these services, companies should ensure that their vendors are compliant with all regulatory requirements.

Illinois Enhances Its Data Breach Notification Requirements

In response to trends, heightened public awareness, and a string of large-scale data breaches, states continue to enhance their data breach notification laws. Illinois Governor J.B. Pritzker recently signed into law an amendment to the Personal Information Protection Act (PIPA), SB 1624, effective January 1, 2020. PIPA will now require that most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, notify the State’s Attorney General of certain data breaches. PIPA had already required notification of a data breach to the Attorney Generals’ office, but only in the event of data breach affecting state agencies, and only if those breaches affect more than 250 Illinois residents.

Under the amendment to PIPA, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:

  •      A description of the nature of the breach of security or unauthorized acquisition or use.
  •      The number of Illinois residents affected by such incident at the time of notification.
  •      Any steps the data collector has taken or plans to take relating to the incident.

Furthermore, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program.

Notification to the Attorney General must be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, including Massachusetts and New Hampshire, Illinois now provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

The update to Illinois law excludes covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.

The patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is important, therefore, that organizations across the United States continue to evaluate and enhance their data breach prevention and response capabilities.

OCR Recognizes Insider Threats to HIPAA PHI, You Should Too

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On August 29, the Office for Civil Right (OCR) published its 2019 summer cybersecurity newsletter entitled, “Managing Malicious Insider Threats,” acknowledging this threat and providing some best practices to neutralize it.

According to the OCR:

The 2019 edition of Verizon’s Data Breach Investigations Report (DBIR) found that trusted insiders were responsible for 59% of all security incidents and breaches (both malicious and inadvertent)…[with] the primary motivation for incidents and breaches perpetrated by insiders was financial gain.

What do malicious insider threats look like?

Threats from insiders can take many forms. If successful, they can cause substantial, sometimes crippling harm to an organization by intentionally modifying, leaking, selling, or destroying sensitive information. Here are some examples:

  • Employees on the move. Planning to end employment with provider A, workforce member copies provider A’s patient list and shares it with new employer, provider B, in the hope of luring patients to the new provider. If the workforce member is successful, in addition to potential notification obligations, provider A likely will find itself responding to a number of angry patients asking why another provider has their protected health information (PHI). Provider A might even wind up being investigated and fined, as was the case for a provider in New York.
  • Poor performing employees. Some workforce members feel they have been wrongly accused by their employers for providing inadequate patient care, especially when they believe their co-workers engage in the same activity without incident. Anticipating they will be fired, they begin copying, downloading, or otherwise collecting information from patient EMRs and sending it to themselves. Their goal is to support wrongful termination claims they anticipate making when their employment ends. In the process, patient data is compromised and may require notification to patients and the OCR.
  • Curious and criminal employees. Curious workforce members might use their employer’s EMR to access certain patient records for personal purposes: (i) accessing the medical records of celebrities for financial gain or to satisfy the member’s curiosity; (ii) examining the records of a former spouse to gain leverage in a custody dispute, (iii) obtaining patient demographic information to commit fraud and identify theft.

How do malicious insiders get the information?

Malicious insiders already have access to patient information on the expectation that they need access to perform their jobs. In some cases, they only need access to do harm. For example, an insider may want to learn if a family member is pregnant or using illegal substances, and only has to view the medical records. In other cases, the insider will want to exfiltrate the information. This can be accomplished in a number of ways: forwarding the information to the insider’s personal email account, taking pictures of the information using the insider’s smartphone, copying information to a mobile or storage device (e.g., cell phone, USB drive), or unauthorized physical removal or theft of equipment. As the OCR notes, transmitted or copied data could be further hidden using subtle means such as by embedding data within other data to hide it (i.e., steganography).

How do HIPAA covered entities and business associates stop malicious insiders?

Detecting and preventing data leakage by malicious authorized is not easy – remember, these are individuals who frequently are supposed to have access to the data. Identifying potential malicious activity as soon as possible is critical, however, and there are some things that organizations can be doing.

  • Know your data. To protect data, organizations need to know the data they have, where it is stored, what format it is in, who has access to it, and how it flows through the organization. With this information, the organization is better able to develop policies and procedures to access and address risks related to the data.
  • Access management. Workforce members should be able to access only the information they need to perform their jobs. This can be accomplished in a number of ways – physical access controls (e.g., locked doors and cabinets) and network access controls (e.g., role-based access controls for devices, applications, administrator accounts, or data stores).
  • Control mobile device usage. Considering how a workforce member needs to interact with data as the organization may be able to limit the unnecessary utilization of mobile devices to prevent copying. If workers do not need thumb drives to perform their jobs, for example, they should not be available. If thumb drives are needed, they should be more closely tracked and managed.
  • Remain vigilant. The steps above will help, but they may not be sufficient. Organizations need to continuously manage their business and their systems to help detect and prevent suspicious activities:
    • Periodically review system event logs, application audit logs, access reports, and security incident tracking reports.
    • Configure alerts for (i) unexpected downloads of large amounts of data by employees not believed to have a need for such volumes of data, (ii) access to certain sites, such as personal cloud storage accounts; (iii) downloads to external devices.
    • Revise employee access privileges immediately on changes to roles and responsibilities.
    • Enhance the organization’s vigilance for employees who expect their employment will soon be terminated.
    • Terminate physical and electronic access data in advance of a workforce member leaving the organization’s employ.

Again, risks to an organization’s data are not solely from external sources. Insiders have reasons to compromise their organizations’ confidential and personal information. Organizations need to take steps to minimize those ongoing risks.

LexBlog