Illinois’ Attorney General Wants to Know About Data Breaches

Possibly adding to the list of states that have updated their privacy and breach notification laws this year, the Illinois legislature passed Senate Bill 1624, which would update the state’s current breach notification law to require most “data collectors” (entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information) to notify the State’s Attorney General of certain data breaches. The state’s current statute already requires notification of a data breach to the Attorney General’s office, but only in the event of a data breach affecting state agencies, and only if the breach affects more than 250 Illinois residents.

Under the Senate Bill, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:

  • A description of the nature of the breach of security or unauthorized acquisition or use.
  • The number of Illinois residents affected by such incident at the time of notification.
  • Any steps the data collector has taken or plans to take relating to the incident.

In addition, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program. The change in Illinois would exclude covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.

The change would require the notification to be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, such as Massachusetts and New Hampshire, the Senate Bill provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

Should these changes become law, the patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is critical, therefore, that organizations are prepared with an incident response plan, one that not only addresses steps to drive systems-related investigations and recovery, but also a timely and compliant communication and notification strategy.


CCPA Update – Maybe Employees Are “Consumers” After All – Employee PI is Still In Play

Employers, you are not out of the CCPA woods yet.

If you have been tracking the proposed amendments to the California Consumer Privacy Act (CCPA), you know that businesses and stakeholders have been clamoring to shape the new sweeping law in a number of ways. We reported earlier this year on some of the potential changes approved by the California Assembly Privacy and Consumer Protection Committee, which moved on for further consideration. Upon arrival at the Senate Judiciary Committee, several of these business-friendly changes met some resistance, including AB 25 which generally would have excluded employee personal information from being covered under the CCPA.

While employers had hoped AB 25 would amend the CCPA to exclude information gathered in the employment context outright, on July 9, 2019, the California Senate Judiciary Committee clarified that will not be the case.

As we previously noted, the Privacy and Consumer Protection Committee in April unanimously approved AB 25 which sought to modify the definition of “consumer” under the CCPA to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”

A coalition in opposition to AB 25 expressed concerns that the exemptions go too far in eroding the rights of employee consumers, especially in light of current and future workplace monitoring practices. In response to these concerns, the bill’s author, Assemblymember Ed Chau, agreed to amend AB 25 to clarify that while employee data would be excluded from many of the CCPA’s requirements (including permitting consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares personal information), employers subject to the CCPA would still be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used.

Notably, AB 25’s exemption for employee data would not apply to the CCPA’s subdivision which establishes a private right of action, including actions brought as a class action, for any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. This private right of action establishes statutory damages, permitting the recovery of damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

To afford business and consumer groups time to develop additional legislation to address concerns about employee personal information, Assemblymember Chau further revised AB 25 to specify that the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after January 1, 2021.

As amended, AB 25 unanimously passed through the Senate Judiciary Committee and will now go to the Senate Appropriations Committee, and if passed, to a full Senate for a final vote. AB 25’s amendments highlight the growing recognition of privacy interests in the employment context and the need for businesses to continue to prepare for the CCPA’s effective date.

Maine and Nevada Sign into Law Consumer Privacy Laws

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most robust state privacy law in the United States. The CCPA seems to have spurred a flood of similar legislative proposals on the state level, and started a shift in the consumer privacy law landscape. Many of these proposals end up dying somewhere along the rigorous legislative process, but in the last few weeks both Maine and Nevada signed into law bills that, although much more narrow than the CCPA, certainly bear resemblance.

Maine

Maine Governor Janet Mills recently signed into law the Act to Protect the Privacy of Online Consumer Information, LD 946, which imposes data privacy requirements on Internet service providers (ISPs). This law requires ISPs to obtain customer consent before “using, disclosing, selling or permitting access” to their data with a third party. In addition, an ISP is prohibited from refusing to serve a customer based on the customer’s refusal to consent to the data usage terms. Finally, ISPs will also be required to take “reasonable measures” to protect customer personal information from “unauthorized use, disclosure, sale or access”. The law applies to all ISPs serving customers who are physically located, and billed for service, within the State. The Maine law will take effect July 1, 2020.

Nevada

In late May, Nevada Governor Steve Sisolak signed into law an act relating to Internet privacy, SB 220. Nevada’s new law prohibits an operator of an Internet website or online service which collects “covered information” from consumers from selling that information to a third party without prior consent. “Covered information” is limited to “personally identifiable information”, which includes a first and last name, home or other physical address, e-mail address, telephone number, social security number, an identifier that allows a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. The law takes a limited approach to “sale”, which is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons”. The law includes several exemptions, including financial institutions subject to GLBA, institutions subject to HIPAA, motor vehicle manufacturers, and third parties that host or manage Internet websites or online services on behalf of their owners. Notably, the Nevada law will take effect October 1, 2019 (sooner than the CCPA, which becomes effective January 1, 2020).

While both the Maine and Nevada laws are much more limited in scope than the CCPA, these types of laws signify how complicated the patchwork of laws will become as more states enact their own privacy laws, which are inconsistent with one another and often include mutually exclusive requirements. Other states that are considering or have recently considered consumer privacy legislation include Connecticut, Hawaii, Illinois, Maryland, Massachusetts, New Jersey, New Mexico, North Dakota, Texas and Washington. Needless to say, the compliance challenges for affected organizations will only continue to grow with the passage of each state bill.


Upward Trend in Cyberattacks Targeting Senior Executives

Verizon recently published its 2019 Data Breach Investigations Report. This report is the 12th edition and contains an analysis of 41,686 security incidents, with 2,013 confirmed breaches, from 73 sources, including public and private entities. Among its many findings, the report found that high-level executives are twelve times more likely to be the target of social incidents (in which an information asset is compromised) and nine times more likely to be the target of a social breach (a confirmed unauthorized disclosure of data), as compared to past years. It explained that senior executives, who typically face a great deal of time pressure and stress, are more likely to unknowingly click on sham emails, which could compromise their data security systems. Moreover, a successful attack on a senior executive can reap large rewards, as a senior executive likely has access to critical systems and unchecked approval authority. Indeed, the report notes that financial gain is the primary motivator for all data breaches, representing 71% of breaches. As a close second, espionage accounts for 25% of all breaches.

The report also found an increasing number of cybersecurity attacks on cloud-based environments as many companies and organizations move their data to the cloud. That being said, ransomware attacks continue to be a significant threat, accounting for 24% of all malware incidents.

“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical – often personal – data will be assembled and analyzed at eye-blink speed, changing how applications utilize secure network capabilities” comments George Fischer, president of Verizon Global Enterprise. “Security must remain front and center when implementing these new applications and architectures.”

In addition to these types of cyberattacks, the report highlights that everyone is susceptible to cybersecurity incidents. In fact, small businesses account for nearly 43% of all cybersecurity victims.

As evidenced by the report, the threat of a cybersecurity attack is not going anywhere. Although data security continues to progress, bad actors continue to evolve their tactics to unlawfully obtain sensitive data and information, resulting in significant damages to companies and individuals. The FBI found that the median direct loss for a business email compromise is about $8,000, and about $25,000 for a computer data breach.

The ease with which employees acquire, handle and transport massive amounts of sensitive personal information makes it critical that businesses ensure their employees, regardless of department or level, have greater awareness of the sensitivity of this information and receive regular training on how to prevent, spot and respond to a cybersecurity attack. This should be a part of any written information security plan.

“Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost

During a presentation at the Professional Services Council Federal Acquisition Conference on June 13, 2019, a high-ranking Department of Defense (“DoD”) official announced, with dramatic flair, that cybersecurity is an allowable cost:

“I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington [Special Assistant to the Assistant Secretary of Defense for Cyber] . . . security is an allowable cost. Amen, right?”

Channeling Jerry McGuire, Arrington added: “Now what you need to do as industry is help me, help you. I’m not the enemy. I’m literally the one person in government who said, ‘Hi, I’m here to help and I’m legit here to help.’”

Arrington’s June 13 presentation, which was titled “Securing the Supply Chain,” is just the latest indication that the DoD – like other federal and state agencies – is making the cyber hygiene of its contractors a priority. (Some of our previous posts on this topic are available here.)

During a webinar earlier this month, Arrington noted that, “[i]f we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Arrington, who appears to be actively involved in the DoD’s development of a cybersecurity assessment and certification program, called the Cybersecurity Maturity Model Certification or CMMC, provided additional details about that program during her June 13 presentation. Specifically, Arrington announced that:

  1. The CMMC will include five levels of certification. The levels will range from “basic” cyber hygiene to “state-of-the-art.”
  2. The CMMC initiative will require DoD contractor information systems to be certified compliant by an outside auditor. Under the new model, third-party cybersecurity certifiers will “conduct audits, collect metrics, and inform risk mitigation for the entire supply chain,” Arrington said. “Every contract that goes out,” she added, “will have a requirement and every vendor on that contract will have to get certified.”
  3. The DoD will hold 12 listening sessions across the country this summer to solicit feedback about the CMMC from industry and other experts.
  4. The DoD aims to complete the CMMC and begin certifying vendors by January 2020; to begin incorporating the CMMC requirements into requests for information by June 2020; and to include the CMMC in solicitations by September 2020.

Driving home her key point that the cybersecurity of its vendors is a major priority for the DoD, Arrington stated that “[c]ost, schedule and performance are only effective in a security environment.” She added that “[w]e cannot look at security and be willing to trade off to get lower cost, better performing product or to get something faster. If we do that, nothing works and it will cost me more in the long run.”

DoD contractors should heed Arrington’s warning that cost, schedule, and performance will not alone suffice to win future DoD contracts. To best position themselves to compete for those contracts, contractors should consider providing feedback to the DoD this summer about the CMMC, and should promptly begin the process of preparing to comply with its mandates.


U.S. Supreme Court Leaves Open the Issue of FCC Interpretation of TCPA, For Now

The U.S. Supreme Court issued its long-awaited decision in PDR Network LLC v. Carlton, addressing whether the Hobbs Act requires the district court to accept the Federal Communications Commission’s (FCC) 2006 Order (“the Order”), which provides the legal interpretation of the Telephone Consumer Protection Act (TCPA). Unfortunately, the Court did not answer the question presented when it granted certiorari, namely whether the Hobbs Act required the district court to accept the FCC’s legal interpretation of the TCPA. Instead, the Court held that the extent to which the district court must defer to the FCC depends on two preliminary issues that the Court of Appeals failed to consider: 1) whether the Order is equivalent to a “legislative rule,” which has the “force and effect of law,” or an “interpretative rule,” which does not have the “force and effect of law”; and 2) whether the defendant had a “prior” and “adequate” opportunity to seek judicial review of the Order. As a result, the Fourth Circuit Court of Appeals’ judgment was reversed and the case remanded for that Court to address these issues.

The full length article discussing the Supreme Court’s decision in PDR Network LLC v. Carlton on the Jackson Lewis P.C. website, is available here.

New York Considers Aggressive Consumer Privacy Law

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most robust state privacy law in the United States. The CCPA seems to have spurred a flood of similar legislative proposals on the state level, and it was only a matter of time before the Empire State introduced its own version of the law. The New York Privacy Act (NYPA), s5642, introduced last month by New York Senator Kevin Thomas, the Chair of the Consumer Protection Committee, is considered a more expansive version of its California counterpart.

Similar to the CCPA, the NYPA would provide consumers with greater control over their personal data, and impose substantial duties on businesses that control and process data, however the NYPA is distinct from the CCPA in significant ways. Below are several key features of the NYPA:

  • Application: Unlike the CCPA, which only applies to businesses meeting a threshold of $25 million in annual revenue, the NYPA applies to “legal entities that conduct business in New York” or that produce products or services that “intentionally target” New York residents. This means that small-to-medium size businesses, and potentially even not-for-profit organizations, will be subject to the law’s privacy and security obligations. Exemptions include state and local governments, as well as personal data that is regulated by HIPAA, HITECH or GLBA and, notably, “data sets maintained for employment records purposes”.
  • Consumer Rights: The NYPA provides consumers a broad set of rights over their personal data. Consumer rights include: the right to access, the right to rectification, the right to delete, the right to stop processing and the right to data portability. This extends the rights afforded to consumers by the CCPA, as the CCPA does not include a right to rectification.
  • Privacy and Security Obligations: Under the NYPA, covered businesses would be required to “exercise the duty of care, loyalty and confidentiality . . . with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, . . . in a manner expected by a reasonable consumer under the circumstances.” In addition, businesses are required to “reasonably secure personal data from unauthorized access” and “promptly” notify consumers of a breach. Finally, the law prevents businesses from using personal data in a way that “(i) benefits an online service provider to the detriment of an end user; (ii) would result in reasonably foreseeable physical or financial harm to a consumer; or (iii) would be unexpected and “highly offensive” to a “reasonable consumer.”
  • Enforcement: The New York State Attorney General may bring an action in the name of the state, or on behalf of residents of the state; however, a private right of action is also available to any person injured by reason of a violation of the law. If passed, this enforcement provision would likely create an influx of litigation. A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. This is arguably the most significant difference from the CCPA. Despite several attempts to expand the private right of action, in its current form the CCPA only allows for a private right of action in very limited circumstances: if nonencrypted or nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information.

The NYPA is still in the very early stages of the legislative process – it has only been reviewed by the Senate’s Consumer Protection Committee, and is still looking for a co-sponsor from the state Assembly. Nonetheless, such an aggressive bill signifies the seriousness with which New York is considering privacy and security matters. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs).


Oregon Amends Data Breach Notification Law to Include Vendor Obligations; Expanded Definition of Personal Information

As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter—Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.

Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Key substantive changes to the data breach notification law include:

  • Expanding the definition of “breach of security” to cover personal information that a person “maintains or possesses” (where previously only information a person “maintains” was covered);
  • Adding an individual’s account username and password (or other means of account identification and authentication) to the definition of “personal information” sufficient to trigger breach notification obligations—whether or not combined with the individual’s real name;
  • Defining the terms “covered entity” and “vendor,” to replace the cumbersome language in the current statute (e.g., “A person that owns or licenses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities and that was subject to a breach shall give notice . . . .” becomes “A covered entity that was subject to a breach shall give notice . . . .”);
  • Creating new obligations for “vendors,” including a requirement to notify the applicable covered entity within 10 days of discovery of a breach, and a requirement that the vendor notify the state Attorney General if said breach affects more than 250 consumers or an undetermined number of consumers (notification to the covered entity was previously only required “as soon as is practicable” after discovery, and vendors had no obligation to notify the Attorney General); and,
  • Specifying that covered entities or vendors in compliance with HIPAA or the GLBA (and subject thereto) are exempt from the state’s data breach notification requirements, and adding that compliance with the data security safeguards set forth in HIPAA or the GLBA may be raised as an affirmative defense in any action alleging that a covered entity or vendor has failed to comply with OCIPA’s own data security safeguarding requirements.

For organizations subject to the new law, including anyone that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information” in the course of business, the biggest change to note is that the disclosure of usernames and passwords alone is now sufficient to trigger breach notification obligations. Companies should also make an effort to determine whether they may be acting as a “vendor” under OCIPA’s new definition (“a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information”), as vendor entities will have new obligations when the amendments go into effect on January 1, 2020.

Sweeping Privacy Changes Stall in the Lone Star State

Per our earlier blog post, Texas was ambitious this legislative session when it proposed two consumer data privacy bills. Both bills made it through committee hearings, but only one made it to the governor’s desk for signature: HB 4390. However, even that bill arrived there in a form very different from the one originally drafted.

HB 4390, dubbed the Texas Privacy Protection Act, started as a comprehensive consumer privacy bill, with parts similar to the European Union’s GDPR and the California Consumer Privacy Act. However, through multiple amendments and dilutions, what was left were essentially two things:

The general updates to the TITEPA include:

  • Requirement that affected individuals be notified within 60 days after the breach. This replaces the current language in the statute “as quickly as possible”; and
  • Requirement that the business experiencing the breach notify the state Attorney General if the breach affected at least 250 Texas residents.

These provisions will become effective January 1, 2020.

The Council will study other state and global data privacy laws in advance of the next legislative session and make recommendations. They will present their findings on or before September 1, 2020, and these recommendations will likely form the basis for consumer privacy legislation when the Texas Legislature reconvenes in January 2021.


Vermont Court Finds Patient Can Sue Hospital and an Employee for Breach of Confidentiality

In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont law provides for a private cause of action for damages arising from a medical provider’s disclosure of information obtained during treatment.

In this case, the plaintiff claims that the emergency room nurse who cared for her lacerated arm later informed a police officer that she was intoxicated, had driven to the hospital, and intended to drive home. Ultimately, the Court concluded that “no reasonable factfinder could determine the disclosure was for any purpose other than to mitigate the threat of imminent and serious harm to the plaintiff and the public”.

While this conclusion is not surprising, what is a bit surprising is the Court’s allowance for this private cause of action to proceed in the first place, given that neither HIPAA nor Vermont law allow for such. The Court reasoned that in recognizing this private cause of action on the basis of common law, other courts have correctly relied on the theory of a breach of duty of confidentiality, insofar as “health care providers enjoy a special fiduciary relationship with their patients” such that “recognition of the privilege is necessary to ensure that the bond remains.”

The Court highlighted further that as evidence of sound public policy underlying the recognition of liability for breach of the duty of confidentiality, courts have cited “(1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings; (3) common law principles of trust, and (4) the Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.”

The Vermont court joins many other jurisdictions across the United States in honoring a private right of action in the context of a breach of the duty of confidentiality, on the basis of public policy. This decision further signifies the heightened focus being placed on an individual’s right to privacy and the security of their data. Employers across all industries, but particularly healthcare, are advised to revisit their approach to maintaining sensitive personal information confidentially and securely, as legislation and common law continue to strengthen in this area.
